The PingAccess audit logs record a selected subset of transaction log information at runtime plus additional details, intended to facilitate security auditing and regulatory compliance.
The logs are located in PA_HOME/log/. Elements recorded in these logs are described in the table below, and are configured in conf/log4j2.xml.
Because log files can be viewed or modified using a variety of common applications, it is possible for log files to be manipulated to include untrusted or malicious data. Administrators should take appropriate steps to secure these files. Do not open these files in applications that could allow for data execution, such as internet browsers or Microsoft Office products. Instead, open these files in a common, lightweight text editor.
PingAccess generates these audit logs:
- pingaccess_engine_audit.log
- Records transactions of configured resources. Additionally, the log records transaction details when PingAccess sends requests to PingFederate, for example, Security Token Service (STS), OAuth2, and JSON Web Signature (JWS).
- pingaccess_api_audit.log
- Records PingAccess administrative API transactions. These transactions represent activity in the PingAccess administrative console. This log also records transaction activity if you are using scripts to configure PingAccess.
- pingaccess_agent_audit.log
- Records transactions between PingAccess Agents and the PingAccess Engine.
- pingaccess_sideband_client_audit.log
- Records transactions sent to and from the sideband client integration.
- pingaccess_sideband_audit.log
- Records the end-user transaction captured by the sideband client request.
| Item | Description |
|---|---|
|
|
Transaction time. |
|
|
Identifies the ID for a specific request/response pair. |
|
|
Specifies the ID of the requested application. |
|
|
Specifies the name of the requested application. |
|
|
Specifies the ID of the requested resource. |
|
|
Specifies the name of the requested resource. |
|
|
Specifies the path prefix of the requested application or resource. |
|
|
Indicates the pattern type of the path prefix,
|
|
|
Mechanism used for authentication. Engine Auditing - Cookie (WAM session), OAuth, unknown (for example, pass-through or static assets). Pass-through assets are resources with no policies or web session configured. Admin Auditing - Basic, OAuth, Cookie, unknown ( unknown displays only in an authentication failure). |
|
|
IP address of the requesting client. |
|
|
Name of the rule that failed. If no rule failure occurred, this field is blank. This element is applicable only to the pingaccess_engine_audit.log. |
|
|
Type of rule that failed. If no rule failure occurred, this field is blank. This element is applicable only to the pingaccess_engine_audit.log. |
|
|
The Java class of rule that failed. If no rule failure occurred, this field is blank. This element is applicable only to the pingaccess_engine_audit.log. |
|
|
Name of the containing rule set that failed. If no rule failure occurred, this field is blank. This element is applicable only to the pingaccess_engine_audit.log. |
|
|
PingAccess host name or IP address. |
|
|
Backend target that processed the request and generated a response to the PingAccess engine. This variable is unset when the response is generated by PingAccess directly. |
|
|
HTTP method of the request. For example, GET. |
|
|
Name of the resource used to fulfill the request. This element is applicable only to the pingaccess_engine_audit.log. |
|
|
HTTP status code of the response. For example, 200. |
|
|
Request URI portion of the request (for example, /foo/bar). |
|
|
Subject of the transaction. |
|
|
The PingFederate tracking ID. This element can be used to help correlate audit information in the PingAccess audit log with information recorded in the PingFederate audit log. The value of this depends on whether the application type is
If the application type is If the application type is |
|
|
Time in milliseconds since 1970 that a client request was first received. |
|
|
Time in milliseconds since 1970 that the agent or engine sent a backchannel or proxy request. |
|
|
Time in milliseconds since 1970 that the agent or engine received a response from a backchannel call or proxy request. |
|
|
Time in milliseconds since 1970 that a response was sent back to the client. |
|
|
The respSentMillisec time minus the reqReceivedMillisec time. This represents the total number of milliseconds it took PingAccess to respond to a client’s request including the proxyRoundTripMS. |
|
|
The respReceivedMillisec time minus the reqSentMillisec time. This represents the total number of milliseconds PingAccess was waiting for another entity to respond to a backchannel call or proxy request. |
|
|
If a site is unavailable, this is reason why the last attempted site target is unavailable. |
|
|
The name of the agent. |
|
|
The component that generated the response. Valid values are
|
|
|
The serial number of the client certificate. |
|
|
The subject of the client certificate as an X.500 domain name. |
|
|
The issuer of the client certificate as an X.500 domain name. |
|
|
The name of the requesting sideband client. |
|
|
The policy decision returned in response to the sideband client request. Valid values are 'accept' and 'reject'. |
|
|
The
This information is not sent by default. See Agent inventory logging for more information about logging this information. |
|
|
HTTP request header value for the given HTTP request header name. Represents the header value that PingAccess sends to the back end site. |
|
|
HTTP response header value for the given HTTP request header name. Represents the header value received from the application. |
|
|
HTTP request header value for the given HTTP request header name. Represents the header value received from the client. |
|
|
HTTP response header value for the given HTTP request header name. Represents the header value returned to the client. |
exchangeID property to match
related log entries and the AUDIT.roundTripMS and
AUDIT.proxyroundTripMS properties to view the timing.