Security audit logging - PingAccess

Security audit logging - PingAccess - 7.3

PingAccess

bundle

pingaccess-73

ft:publication_title

PingAccess

Product_Version_ce

PingAccess 7.3

category

Product

pa-73

pingaccess

ContentType_ce

PingAccess audit logs record a select subset of transaction log information at runtime plus additional details meant to facilitate security auditing and regulatory compliance.

You can find the audit logs in <PA_HOME>/log/. The audit log configuration table describes the elements that the audit logs record. You can configure these elements in conf/log4j2.xml.

Important:

Because log files can be viewed or modified using a variety of common applications, it's possible for log files to be manipulated to include untrusted or malicious data. You should take appropriate steps to secure your log files. Do not open them in applications that could allow for data execution, such as internet browsers or Microsoft Office products. Instead, open your log files in a common, lightweight text editor.

PingAccess generates these audit logs:

pingaccess_engine_audit.log: Records transactions of configured resources. Additionally, the log records transaction details when PingAccess sends requests to PingFederate. For example, Security Token Service (STS)Security Token Service (STS)STS An entity responsible for responding to WS-Trust requests for validation and issuance of security tokens used for SSO authentication to web services., OAuthOAuth A standard framework that enables an application (OAuth client) to obtain access tokens from an OAuth authorization server for the purpose of retrieving protected resources on a resource server. 2.0, and JSON Web Signature (JWS)JSON Web Signature (JWS)JWS A signed instance of a JSON Web Token (JWT) based on IETF standard syntax and used for the exchange of signed content. requests.
pingaccess_api_audit.log: Records PingAccess administrative APIapplication programming interface (API) A specification of interactions available for building software to access an application or service. transactions. These transactions represent activity in the PingAccess administrative console. This log also records transaction activity if you're using scripts to configure PingAccess.
pingaccess_agent_audit.log: Records transactions between PingAccess agents and the PingAccess engine.
pingaccess_sideband_client_audit.log: Records transactions sent to and from the sideband client integration.
pingaccess_sideband_audit.log: Records the end-user transactions that the sideband client request captures.

Audit log configuration

Audit log configuration
Element	Description
`%d`	Transaction time.
`exchangeId`	Identifies the ID for a specific request-response pair.
`AUDIT.applicationID`	Specifies the ID of the requested application.
`AUDIT.applicationName`	Specifies the name of the requested application.
`AUDIT.resourceID`	Specifies the ID of the requested resource.
`AUDIT.resourceName`	Specifies the name of the requested resource.
`AUDIT.pathPrefix`	Specifies the path prefix of the requested application or resource.
`AUDIT.pathPrefixType`	Specifies the pattern type of the path prefix, `Wildcard` or `Regex`.
`AUDIT.authMech`	The mechanism used for authentication: Engine Auditing `Cookie` (WAM session), `OAuth`, `unknown` (for example, pass-through or static assets). Pass-through assets are resources with no policies or web session configured. Admin Auditing `Basic`, `OAuth`, `Cookie`, `unknown` (`unknown` displays only in an authentication failure).
`AUDIT.client`	The IPIP (Internet Protocol) The method by which data is sent across the Internet from the source host to the destination host. address of the requesting client.
`AUDIT.failedRuleName`	The name of the rule that failed. If there was no rule failure, this field will be blank. Note: This element is applicable only to the pingaccess_engine_audit.log.
`AUDIT.failedRuleType`	The type of rule that failed. If there was no rule failure, this field will be blank. Note: This element is applicable only to the pingaccess_engine_audit.log.
`AUDIT.failedRuleClass`	The Java class of the rule that failed. If there was no rule failure, this field will be blank. Note: This element is applicable only to the pingaccess_engine_audit.log.
`AUDIT.failedRuleSetName`	The name of the containing rule set that failed. If there was no rule failure, this field will be blank. Note: This element is applicable only to the pingaccess_engine_audit.log.
`AUDIT.host`	The PingAccess host name or IP address.
`AUDIT.targetHost`	The backend target that processed the request and generated a response to the PingAccess engine. This variable is unset when PingAccess generated the response directly.
`AUDIT.method`	The HTTP method of the request. For example, `GET`.
`AUDIT.resource`	The name of the resource used to fulfill the request. Note: This element is applicable only to the pingaccess_engine_audit.log.
`AUDIT.responseCode`	The HTTP status code of the response. For example, `200`.
`AUDIT.requestUri`	The request URIURIURI (Uniform Resource Identifier) Identifies a web resource with a string of characters conforming to a specified format. portion of the request. For example, `/foo/bar`.
`AUDIT.subject`	The subject of the transaction.
`AUDIT.trackingId`	The PingFederate tracking ID. You can use this element to help correlate audit information in the PingAccess audit log with information recorded in the PingFederate audit log. This value depends on whether the application type is `Web` or `API`. If the application type is `Web`, the value is formatted as `tid:<Session_Identifier>`. The `<Session_Identifier>` can be used by the PingFederate Session Revocation API to revoke the session without disabling the user in the identity store. If the application type is `API`, the value is formatted as `atid:<Hash>`. The `<Hash>` value dervies from the OAuth Access token for the session, and only serves as an identifier; it can't be used for session revocation.
`AUDIT.reqReceivedMillisec`	The time in milliseconds since 1970 that a client request was first received.
`AUDIT.reqSentMillisec`	The time in milliseconds since 1970 that the agent or engine sent a backchannelbackchannel A direct, cross-domain communication path using a protocol that doesn't rely on a browser as an intermediary. or proxy request.
`AUDIT.respReceivedMillisec`	The time in milliseconds since 1970 that the agent or engine received a response from a backchannel call or proxy request.
`AUDIT.respSentMillisec`	The time in milliseconds since 1970 that a response was sent back to the client.
`AUDIT.roundTripMS`	The `respSentMillisec` time minus the `reqReceivedMillisec` time. This represents the total number of milliseconds that it took PingAccess to respond to a client’s request, including the `proxyRoundTripMS`.
`AUDIT.proxyRoundTripMS`	The `respReceivedMillisec` time minus the `reqSentMillisec` time. This represents the total number of milliseconds that PingAccess was waiting for another entity to respond to a backchannel call or proxy request.
`AUDIT.siteUnavailableInfo`	If a site is unavailable, this is reason why the last attempted site target is unavailable.
`AUDIT.agentName`	The name of the agent.
`AUDIT.responder`	The component that generated the response. Valid values are `PingAccess`, `PingOne`, `Site`, `Third Party Service`, `OpenID Provider`, and `Authorization Server`. Note: The `PingOne` responder type refers only to the PingOne Protect integration. When you're using PingOne as a token provider, PingAccess labels backchannel communications as either `OpenID Provider` or `Authorization Server`, depending on the context of the transaction.
`AUDIT.clientCertSerialNum`	The serial number of the client certificate.
`AUDIT.clientCertSubjectDn`	The subject of the client certificate as an X.500 domain name.
`AUDIT.clientCertIssuerDn`	The issuer of the client certificate as an X.500 domain name.
`AUDIT.sidebandName`	The name of the requesting sideband client.
`AUDIT.sidebandDecision`	The policy decision returned in response to the sideband client request. Valid values are `accept` and `reject`.
`agent{a-header-value-key}`	The `vnd-pi-agent` header value for a given key. This represents the header value that an agent sends to PingAccess. Well-known keys are: v The version of the agent that's making the request. h The host name of the server where the agent resides. t The type of agent or the type of platform where the agent resides. This information isn't sent by default. For more information about logging these details, see Agent inventory logging.
`appRequestHeader{a-header-name}`	The HTTP request header value for the given HTTP request header name. Represents the header value that PingAccess sends to the backend site.
`appResponseHeader{a-header-name}`	The HTTP response header value for the given HTTP request header name. Represents the header value that the application sent PingAccess.
`clientRequestHeader{a-header-name}`	The HTTP request header value for the given HTTP request header name. Represents the header value that the client sent PingAccess.
`clientResponseHeader{a-header-name}`	The HTTP response header value for the given HTTP request header name. Represents the header value that PingAccess returned to the client.

Note:

To get information about the timing for backchannel calls, such as the OpenID Connect (OIDC)OpenID Connect (OIDC)OIDC An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management. UserInfo endpointendpoint One end in a communication channel, typically a URI. call, use the exchangeID property to match related log entries and the AUDIT.roundTripMS and AUDIT.proxyroundTripMS properties to view the timing.