Traffic logging reference - PingAccess

Traffic logging reference - PingAccess - 7.2

PingAccess

bundle

pingaccess-72

ft:publication_title

PingAccess

Product_Version_ce

PingAccess 7.2

Element hierarchy

Each section described here has child elements. If there is a disagreement in settings, the most specific setting is used.

For example, if the metadata element is set to false but the exchange ID is set to true, only the exchange ID is logged. If the metadata element is set to true but the exchange ID is set to false, all metadata elements except the exchange ID are logged.

Limitations

The traffic logs have the following limitations:

If a request or response body is chunked, only the first chunk is logged by traffic logging.
Request and response bodies are not decoded.

Metadata elements

You can include metadata elements in the API, engine, and audit traffic logs. These elements provide general information about the logged event.

Metadata element descriptions

Metadata element descriptions
Item	Description
`AUDIT.metadata`	The section setting for all metadata elements.
`AUDIT.exchangeId`	Identifies the ID for a specific request-response pair.
`AUDIT.applicationId`	Specifies the ID of the requested application.
`AUDIT.applicationName`	Specifies the name of the requested application.
`AUDIT.resourceId`	Specifies the ID of the requested resource.
`AUDIT.resourceName`	Specifies the name of the requested resource.
`AUDIT.pathPrefix`	Specifies the path prefix of the requested application or resource.
`AUDIT.pathPrefixType`	Indicates the pattern type of the path prefix, `Wildcard` or `Regex`.
`AUDIT.authMech`	The mechanism used for authentication: Engine Auditing `Cookie` (WAM session), `OAuth`, `unknown` (for example, pass-through or static assets). Pass-through assets are resources with no policies or web session configured. Admin Auditing `Basic`, `OAuth`, `Cookie`, `unknown` ( `unknown` displays only in an authentication failure).
`AUDIT.client`	The IPIP (Internet Protocol) The method by which data is sent across the Internet from the source host to the destination host. address of the requesting client.
`AUDIT.failedRuleName`	The name of the rule that failed. If there was no rule failure, this field is blank. Note: This element is applicable only to the engine log.
`AUDIT.failedRuleType`	Type of rule that failed. If there was no rule failure, this field is blank. Note: This element is applicable only to the engine log.
`AUDIT.failedRuleClass`	The Java class of rule that failed. If there was no rule failure, this field is blank. Note: This element is applicable only to the engine log.
`AUDIT.failedRuleSetName`	Name of the containing rule set that failed. If there was no rule failure, this field is blank. Note: This element is applicable only to the engine log.
`AUDIT.host`	The PingAccess host name or IP address.
`AUDIT.targetHost`	The backend target that processed the request and generated a response to the PingAccess engine. This variable is unset when the response is generated by a target host protected by PingAccess.
`AUDIT.resource`	The name of the resource used to fulfill the request. Note: This element is applicable only to the engine log.
`AUDIT.subject`	The subject of the transaction.
`AUDIT.trackingId`	The PingFederate tracking ID. You can use this element to help correlate audit information in the PingAccess audit log with information recorded in the PingFederate audit log. This value depends on whether the application type is `Web` or `API`. If the application type is `Web`, the value is presented as `tid:<Session_Identifier>`. The `<Session_Identifier>` can be used by the PingFederate Session Revocation API to revoke the session without disabling the user in the identity store. If the application type is `API`, the value is presented as `atid:<Hash>`. The `<Hash>` value is derived from the OAuth Access token for the session, and only serves as an identifier; it can't be used for session revocation.

The following example shows the metadata section with all elements set to true.

                <!-- AUDIT.metadata is the section setting for the following fields: -->
                <!-- AUDIT.exchangeId to AUDIT.trackingId -->
                <KeyValuePair key=”AUDIT.metadata” value=”true”/>
                <KeyValuePair key=”AUDIT.exchangeId” value=”true”/>
                <KeyValuePair key=”AUDIT.applicationId” value=”true”/>
                <KeyValuePair key=”AUDIT.applicationName” value=“true”/>
                <KeyValuePair key=”AUDIT.resourceId” value=”true”/>
                <KeyValuePair key=”AUDIT.resourceName” value=”true”/>
                <KeyValuePair key=”AUDIT.pathPrefix” value=”true”/>
                <KeyValuePair key=”AUDIT.pathPrefixType” value=”true”/>
                <KeyValuePair key=”AUDIT.authMech” value=”true”/>
                <KeyValuePair key=”AUDIT.client” value=”true”/>
                <KeyValuePair key=”AUDIT.failedRuleName” value=”true”/>
                <KeyValuePair key=”AUDIT.failedRuleType” value=”true”/>
                <KeyValuePair key=”AUDIT.failedRuleClass” value=”true”/>
                <KeyValuePair key=”AUDIT.failedRuleSetName” value=”true”/>
                <KeyValuePair key=”AUDIT.host” value=”true”/>
                <KeyValuePair key=”AUDIT.targetHost” value=”true”/>
                <KeyValuePair key=”AUDIT.resource” value=”true”/>
                <KeyValuePair key=”AUDIT.subject” value=”true”/>
                <KeyValuePair key=”AUDIT.trackingId” value=”true”/>

HTTP client elements

Client elements provide information about requests made to PingAccess by clients and the response sent back to the client. For example, a user making a call to the PingAccess administrative API is considered client traffic.

Note:

You can include client elements in the API, engine, and audit traffic logs.

HTTP client element descriptions

HTTP client element descriptions
Item	Description
`AUDIT.http-client`	The section setting for all client elements.
`AUDIT.http-client-started-date-time`	The date and time of the beginning of the request.
`AUDIT.http-client-time`	The total elapsed time of the request and response.
`AUDIT.http-client-request-method`	The method used in the request.
`AUDIT.http-client-request-target`	The portion of the URLURLURL (Uniform Resource Locator) Identifies a resource according to its Internet location. after the host and port.
`AUDIT.http-client-request-http-version`	The HTTP version used by the request.
`AUDIT.http-client-request-cookies`	A list of all the cookies in the request. This is the parent element for `AUDIT.http-client-request-cookie-{cookie}`.
`AUDIT.http-client-request-cookie-{cookie}`	Information about the request cookie with the specified name. You can include this element multiple times for different cookie names.
`AUDIT.http-client-request-headers`	A list of all the headers in the request. This is the parent element for `AUDIT.http-client-request-header-{header}`.
`AUDIT.http-client-request-header-{header}`	Information about the request header with the specified name. You can include this element multiple times for different header names.
`AUDIT.http-client-request-query-strings`	A list of all the parameters and values parsed from the request query string. This is the parent element for `AUDIT.http-client-request-query-string-{query}`.
`AUDIT.http-client-request-query-string-{query}`	Information about the request query string with the specified name. You can include this element multiple times for different query string names.
`AUDIT.http-client-request-post-data-mime-type`	The mime type of the posted request data.
`AUDIT.http-client-request-post-data-text`	The posted request data in plain text format.
`AUDIT.http-client-request-headers-size`	The size, in bytes, of the header from the start of the request to the body.
`AUDIT.http-client-request-body-size`	The size, in bytes, of the request body.
`AUDIT.http-client-response-status-code`	The response status code.
`AUDIT.http-client-response-status-text`	The response status description.
`AUDIT.http-client-response-http-version`	The HTTP version used by the response.
`AUDIT.http-client-response-cookies`	A list of all the cookies in the response. This is the parent element for `AUDIT.http-client-response-cookie-{cookie}`.
`AUDIT.http-client-response-cookie-{cookie}`	Information about the response cookie with the specified name. You can include this element multiple times for different cookie names.
`AUDIT.http-client-response-headers`	A list of all the headers in the response. This is the parent element for `AUDIT.http-client-response-header-{header}`.
`AUDIT.http-client-response-header-{header}`	Information about the response header with the specified name. You can include this element multiple times for different header names.
`AUDIT.http-client-response-content-size`	The size, in bytes, of the response content.
`AUDIT.http-client-response-content-mime-type`	The mime type of the response content.
`AUDIT.http-client-response-content-text`	The response body.
`AUDIT.http-client-response-redirect-url`	The redirect target URL from the location response header.
`AUDIT.http-client-response-headers-size`	The size, in bytes, of the header from the start of the response to the body.
`AUDIT.http-client-response-body-size`	The size, in bytes, of the response body.

The following example shows the client section with all elements set to true.

                <!-- AUDIT.http-client is the section setting for the following fields: -->
                <!-- AUDIT.http-client-started-date-time to AUDIT.http-client-response-body-size -->
                <KeyValuePair key=”AUDIT.http-client” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-started-date-time” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-time” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-request-method” value=”true”/>
                <!-- Note: “AUDIT.http-client-request-target” is the target part of the url -->
                <KeyValuePair key=”AUDIT.http-client-request-target” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-request-http-version” value=”true”/>
                <!-- Sets the default value for all client request cookies. -->
                <!-- This overrides AUDIT.http-client and is overridden by individual cookie values. -->
                <KeyValuePair key=”AUDIT.http-client-request-cookies” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-request-cookie-{cookie}” value=”true”/>
                <!-- Sets the default value for all client request headers. -->
                <!-- This overrides AUDIT.http-client and is overridden by individual header values. -->
                <KeyValuePair key=”AUDIT.http-client-request-headers” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-request-header-{header}” value=”true”/>
                <!-- Sets the default value for all client request query strings. -->
                <!-- This overrides AUDIT.http-client and is overridden by individual query strings. -->
                <KeyValuePair key=”AUDIT.http-client-request-query-strings” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-request-query-string-{query}” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-request-post-data-mime-type” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-request-post-data-text” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-request-headers-size” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-request-body-size” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-response-status-code” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-response-status-text” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-response-http-version” value=”true”/>
                <!-- Sets the default value for all client response cookies. -->
                <!-- This overrides AUDIT.http-client and is overridden by individual cookie values. -->
                <KeyValuePair key=”AUDIT.http-client-response-cookies” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-response-cookie-{cookie}” value=”true”/>
                <!-- Sets the default value for all client response headers. -->
                <!-- This overrides AUDIT.http-client and is overridden by individual header values. -->
                <KeyValuePair key=”AUDIT.http-client-response-headers” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-response-header-{header}” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-response-content-size” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-response-content-mime-type” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-response-content-text” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-response-redirect-url” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-response-headers-size” value=”true”/>
                <KeyValuePair key=”AUDIT.http-client-response-body-size” value=”true”/>

HTTP app elements

App elements provide information about requests made by PingAccess to other tools or services such as PingFederate, and the response sent back to PingAccess. For example, PingAccess making a call to a protected resource is considered app traffic.

Note:

You can include app elements in the engine and audit traffic logs.

HTTP app element descriptions

HTTP app element descriptions
Item	Description
`AUDIT.http-app`	The section setting for all app elements.
`AUDIT.http-app-started-date-time`	The date and time of the beginning of the request.
`AUDIT.http-app-time`	The total elapsed time of the request and response.
`AUDIT.http-app-request-method`	The method used in the request.
`AUDIT.http-app-request-target`	The portion of the URL after the host and port.
`AUDIT.http-app-request-http-version`	The HTTP version used by the request.
`AUDIT.http-app-request-cookies`	A list of all the cookies in the request. This is the parent element for `AUDIT.http-app-request-cookie-{cookie}`.
`AUDIT.http-app-request-cookie-{cookie}`	Information about the request cookie with the specified name. You can include this element multiple times for different cookie names.
`AUDIT.http-app-request-headers`	A list of all the headers in the request. This is the parent element for `AUDIT.http-app-request-header-{header}`.
`AUDIT.http-app-request-header-{header}`	Information about the request header with the specified name. You can include this element multiple times for different header names.
`AUDIT.http-app-request-query-strings`	A list of all the parameters and values parsed from the request query string. This is the parent element for `AUDIT.http-app-request-query-string-{query}`.
`AUDIT.http-app-request-query-string-{query}`	Information about the request query string with the specified name. You can include this element multiple times for different query string names.
`AUDIT.http-app-request-post-data-mime-type`	The mime type of the posted data.
`AUDIT.http-app-request-post-data-text`	The posted data in plain text format.
`AUDIT.http-app-request-headers-size`	The size, in bytes, of the header from the start of the request to the body.
`AUDIT.http-app-request-body-size`	The size, in bytes, of the request body.
`AUDIT.http-app-response-status-code`	The response status code.
`AUDIT.http-app-response-status-text`	The response status description.
`AUDIT.http-app-response-http-version`	The HTTP version used by the response.
`AUDIT.http-app-response-cookies`	A list of all the cookies in the response. This is the parent element for `AUDIT.http-app-response-cookie-{cookie}`.
`AUDIT.http-app-response-cookie-{cookie}`	Information about the response cookie with the specified name. You can include this element multiple times for different cookie names.
`AUDIT.http-app-response-headers`	A list of all the headers in the response. This is the parent element for `AUDIT.http-app-response-header-{header}`.
`AUDIT.http-app-response-header-{header}`	Information about the response header with the specified name. You can include this element multiple times for different header names.
`AUDIT.http-app-response-content-size`	The size, in bytes, of the response content.
`AUDIT.http-app-response-content-mime-type`	The mime type of the response content.
`AUDIT.http-app-response-content-text`	The response body.
`AUDIT.http-app-response-redirect-uri`	The redirect target URL from the location response header.
`AUDIT.http-app-response-headers-size`	The size, in bytes, of the header from the start of the response to the body.
`AUDIT.http-app-response-body-size`	The size, in bytes, of the response body.

The following example shows the app section with all elements set to true.

                <!-- AUDIT.http-app is the section setting for the following fields: -->
                <!-- AUDIT.http-app-started-date-time to AUDIT.http-app-response-body-size -->
                <KeyValuePair key=”AUDIT.http-app” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-started-date-time” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-time” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-request-method” value=”true”/>
                <!-- Note: “AUDIT.http-app-request-target” is the target part of the url -->
                <KeyValuePair key=”AUDIT.http-app-request-target” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-request-http-version” value=”true”/>
                <!-- Sets the default value for all app request cookies. -->
                <!-- This overrides AUDIT.http-app and is overridden by individual cookie values. -->
                <KeyValuePair key=”AUDIT.http-app-request-cookies” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-request-cookie-{cookie}” value=”true”/>
                <!-- Sets the default value for all app request headers. -->
                <!-- This overrides AUDIT.http-app and is overridden by individual header values. -->
                <KeyValuePair key=”AUDIT.http-app-request-headers” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-request-header-{header}” value=”true”/>
                <!-- Sets the default value for all app request query strings. -->
                <!-- This overrides AUDIT.http-app and is overridden by individual query strings. -->
                <KeyValuePair key=”AUDIT.http-app-request-query-strings” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-request-query-string-{query}” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-request-post-data-mime-type” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-request-post-data-text” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-request-headers-size” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-request-body-size” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-response-status-code” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-response-status-text” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-response-http-version” value=”true”/>
                <!-- Sets the default value for all app response cookies. -->
                <!-- This overrides AUDIT.http-app and is overridden by individual cookie values. -->
                <KeyValuePair key=”AUDIT.http-app-response-cookies” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-response-cookie-{cookie}” value=”true”/>
                <!-- Sets the default value for all app response headers. -->
                <!-- This overrides AUDIT.http-app and is overridden by individual header values. -->
                <KeyValuePair key=”AUDIT.http-app-response-headers” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-response-header-{header}” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-response-content-size” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-response-content-mime-type” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-response-content-text” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-response-redirect-uri” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-response-headers-size” value=”true”/>
                <KeyValuePair key=”AUDIT.http-app-response-body-size” value=”true”/>