The logs are located in PA_HOME/log/. Elements recorded in these logs are described in the table below, and are configured in conf/log4j2.xml.

Important:

Because log files can be viewed or modified using a variety of common applications, it is possible for log files to be manipulated to include untrusted or malicious data. Administrators should take appropriate steps to secure these files. Do not open these files in applications that could allow for data execution, such as internet browsers or Microsoft Office products. Instead, open these files in a common, lightweight text editor.

PingAccess generates these audit logs:

pingaccess_engine_audit.log
Records transactions of configured resources. Additionally, the log records transaction details when PingAccess sends requests to PingFederate, for example, security token service (STS), OAuth2, and JSON web signature (JWS).
pingaccess_api_audit.log
Records PingAccess administrative API transactions. These transactions represent activity in the PingAccess administrative console. This log also records transaction activity if you are using scripts to configure PingAccess.
pingaccess_agent_audit.log
Records transactions between PingAccess Agents and the PingAccess Engine.
pingaccess_sideband_client_audit.log
Records transactions sent to and from the sideband client integration.
pingaccess_sideband_audit.log
Records the end-user transaction captured by the sideband client request.
Audit log configuration
Item Description
%d Transaction time.
exchangeId Identifies the ID for a specific request/response pair.
AUDIT.applicationID Specifies the ID of the requested application.
AUDIT.applicationName Specifies the name of the requested application.
AUDIT.resourceID Specifies the ID of the requested resource.
AUDIT.resourceName Specifies the name of the requested resource.
AUDIT.pathPrefix Specifies the path prefix of the requested application or resource.
AUDIT.pathPrefixType Indicates the pattern type of the path prefix, Wildcard or Regex.
AUDIT.authMech Mechanism used for authentication. Engine Auditing - Cookie (WAM session), OAuth, unknown (for example, pass-through or static assets). Pass-through assets are resources with no policies or web session configured. Admin Auditing - Basic, OAuth, Cookie, unknown (unknown displays only in an authentication failure).
AUDIT.client IP address of the requesting client.
AUDIT.failedRuleName Name of the rule that failed. If no rule failure occurred, this field is blank. This element is applicable only to the pingaccess_engine_audit.log.
AUDIT.failedRuleType Type of rule that failed. If no rule failure occurred, this field is blank. This element is applicable only to the pingaccess_engine_audit.log.
AUDIT.failedRuleClass The Java class of rule that failed. If no rule failure occurred, this field is blank. This element is applicable only to the pingaccess_engine_audit.log.
AUDIT.failedRuleSetName Name of the containing rule set that failed. If no rule failure occurred, this field is blank. This element is applicable only to the pingaccess_engine_audit.log.
AUDIT.host PingAccess host name or IP address.
AUDIT.targetHost Backend target that processed the request and generated a response to the PingAccess engine. This variable is unset when the response is generated by PingAccess directly.
AUDIT.method HTTP method of the request. For example, GET.
AUDIT.resource Name of the resource used to fulfill the request. This element is applicable only to the pingaccess_engine_audit.log.
AUDIT.responseCode HTTP status code of the response. For example, 200.
AUDIT.requestUri Request URI portion of the request (for example, /foo/bar).
AUDIT.subject Subject of the transaction.
AUDIT.trackingId The PingFederate tracking ID. This element can be used to help correlate audit information in the PingAccess audit log with information recorded in the PingFederate audit log.

The value of this depends on whether the application type is Web or API.

If the application type is Web, the value is presented as tid:<Session_Identifier>. The <Session_Identifier> can be used by the PingFederate Session Revocation API to revoke the session without disabling the user in the identity store.

If the application type is API, the value is presented as atid:<Hash>. The <Hash> value is derived from the OAuth Access token for the session, and only serves as an identifier; it cannot be used for session revocation.

AUDIT.reqReceivedMillisec Time in milliseconds since 1970 that a client request was first received.
AUDIT.reqSentMillisec Time in milliseconds since 1970 that the agent or engine sent a backchannel or proxy request.
AUDIT.respReceivedMillisec Time in milliseconds since 1970 that the agent or engine received a response from a backchannel call or proxy request.
AUDIT.respSentMillisec Time in milliseconds since 1970 that a response was sent back to the client.
AUDIT.roundTripMS The respSentMillisec time minus the reqReceivedMillisec time. This represents the total number of milliseconds it took PingAccess to respond to a client’s request including the proxyRoundTripMS.
AUDIT.proxyRoundTripMS The respReceivedMillisec time minus the reqSentMillisec time. This represents the total number of milliseconds PingAccess was waiting for another entity to respond to a backchannel call or proxy request.
AUDIT.siteUnavailableInfo If a site is unavailable, this is the reason why the last attempted site target is unavailable.
AUDIT.agentName The name of the agent.
AUDIT.responder The component that generated the response. Valid values are PingAccess, Site, Third Party Service, OpenID Provider, and Authorization Server.
AUDIT.clientCertSerialNum The serial number of the client certificate.
AUDIT.clientCertSubjectDn The subject of the client certificate as an X.500 domain name.
AUDIT.clientCertIssuerDn The issuer of the client certificate as an X.500 domain name.
AUDIT.sidebandName The name of the requesting sideband client.
AUDIT.sidebandDecision The policy decision returned in response to the sideband client request. Valid values are 'accept' and 'reject'.
agent{a-header-value-key} The vnd-pi-agent header value for a given key. Represents the header value that an agent sends to PingAccess. Well-known keys are:
  • h – The hostname of the server where the agent resides.
  • t – The type of agent and/or the type of platform where the agent resides.
  • v – The version of the agent making the request.

This information is not sent by default. See Agent inventory logging for more information about logging this information.

appRequestHeader{a-header-name} HTTP request header value for the given HTTP request header name. Represents the header value that PingAccess sends to the back end site.
appResponseHeader{a-header-name} HTTP response header value for the given HTTP request header name. Represents the header value received from the application.
clientRequestHeader{a-header-name} HTTP request header value for the given HTTP request header name. Represents the header value received from the client.
clientResponseHeader{a-header-name} HTTP response header value for the given HTTP request header name. Represents the header value returned to the client.
Note: To get information about the timing for back channel calls, such as the OIDC UserInfo endpoint call, use the exchangeId property to match related log entries and the AUDIT.roundTripMS and AUDIT.proxyRoundTripMS properties to view the timing.
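
The following is an added example, not part of the PingAccess documentation: it groups audit entries by exchangeId, recomputes the two timing values from the four millisecond timestamps, flags whether the tracking ID is a revocable tid: session, and strips non-printable characters from each field before display. The pipe-delimited column order in FIELDS and the sample lines are assumptions constructed for illustration; match FIELDS to the pattern in your own conf/log4j2.xml.

```python
from collections import defaultdict

# Assumed column order; it must mirror the pattern in your conf/log4j2.xml.
# The free-form requestUri is placed last so a "|" inside it cannot shift columns.
FIELDS = ["time", "exchangeId", "trackingId", "responder",
          "reqReceivedMillisec", "reqSentMillisec",
          "respReceivedMillisec", "respSentMillisec", "requestUri"]

# Constructed sample lines, not real PingAccess output. The third URI carries
# an embedded terminal escape sequence to show the sanitising step.
SAMPLE = (
    "2024-05-01T10:00:00,060| ex-1| tid:AbC123| OpenID Provider| | 1714557600020| 1714557600060| | /userinfo\n"
    "2024-05-01T10:00:00,120| ex-1| tid:AbC123| Site| 1714557600000| 1714557600010| 1714557600090| 1714557600120| /app/home\n"
    "2024-05-01T10:00:01,300| ex-2| atid:9f8e7d| PingAccess| 1714557601000| | | 1714557601300| /api/v1\x1b[2J\n"
)

def clean(value):
    """Strip whitespace and drop non-printable characters from an untrusted field."""
    return "".join(ch for ch in value.strip() if ch.isprintable())

def diff(end, start):
    return end - start if end is not None and start is not None else None

def parse(line):
    parts = [clean(p) for p in line.split("|", len(FIELDS) - 1)]
    rec = dict(zip(FIELDS, parts))
    for key in FIELDS[4:8]:
        rec[key] = int(rec[key]) if rec.get(key, "").isdigit() else None
    # Same definitions as AUDIT.roundTripMS and AUDIT.proxyRoundTripMS.
    rec["roundTripMS"] = diff(rec["respSentMillisec"], rec["reqReceivedMillisec"])
    rec["proxyRoundTripMS"] = diff(rec["respReceivedMillisec"], rec["reqSentMillisec"])
    # tid: carries a session identifier; atid: is only a token-derived hash.
    rec["sessionRevocable"] = rec.get("trackingId", "").startswith("tid:")
    return rec

def by_exchange(text):
    """Group entries by exchangeId so backchannel calls sit beside their request."""
    groups = defaultdict(list)
    for line in text.split("\n"):  # not splitlines(): it also breaks on \x1c-\x1e
        if line.strip():
            rec = parse(line)
            groups[rec.get("exchangeId", "")].append(rec)
    return dict(groups)

if __name__ == "__main__":
    for exchange_id, entries in by_exchange(SAMPLE).items():
        for e in entries:
            print(exchange_id, e["responder"], e["requestUri"],
                  e["roundTripMS"], e["proxyRoundTripMS"], e["sessionRevocable"])
```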