These scripts are located in the <pf_install>/pingfederate/server/default/conf/log4j/sql-scripts directory.


PingFederate has been tested with vendor-specific JDBC 4.2 drivers. For more information, see Database driver information. To obtain your database driver JAR file, contact your database vendor. Database driver file should be installed to the <pf_install>/pingfederate/server/default/lib directory. You must restart the server after installing the driver.

Failover file logging is provided in the event that database logging fails for any reasons. By default, PingFederate retries database logging every minute. Messages written to log files during failover periods are not copied over to the database server.

You enable database logging for the audit log, the provisioner audit log, the provisioner log, and the server log in the log4j2.xml file.

  1. Edit <pf_install>/pingfederate/server/default/conf/log4j2.xml.
  2. Under the Preserve messages in a local file section, for each log that you want to enable database logging, uncomment the preset JDBC appender configuration based on the choice of your database server.
    Audit log
    • SecurityAuditToMySQLDB (for Oracle MySQL)
    • SecurityAuditToOracleDB (for Oracle Database)
    • SecurityAuditToPostgreSQLDB (for PostgreSQL)
    • SecurityAuditToSQLServerDB (for Microsoft SQL Server)
    Provisioner audit log
    • OutboundProvisionerEventToMySQLDB (for Oracle MySQL)
    • OutboundProvisionerEventToOracleDB (for Oracle Database)
    • OutboundProvisionerEventToPostgreSQLDB (for PostgreSQL)
    • OutboundProvisionerEventToSQLServerDB (for Microsoft SQL Server)
    Provisioner log
    • ProvisionerLogToMySQLDB (for Oracle MySQL)
    • ProvisionerLogToOracleDB (for Oracle Database)
    • ProvisionerLogToPostgreSQLDB (for PostgreSQL)
    • ProvisionerLogToSQLServerDB (for Microsoft SQL Server)
    Server log
    • ServerLogToMySQLDB (for Oracle MySQL)
    • ServerLogToOracleDB (for Oracle Database)
    • ServerLogToPostgreSQLDB (for PostgreSQL)
    • ServerLogToSQLServerDB (for Microsoft SQL Server)

    Each JDBC appender is followed by two related appenders: PingFailover and RollingFile. Together, they create a running *-failover.log file in the log directory in the event that database logging fails for any reasons. Both appenders must also be enabled (uncommented).


    Review inline comments and notes in the log4j2.xml file for more information about each appender.

  3. Replace placeholder parameter values in in the same conf directory for the applicable JDBC servers.
    The parameter values provide access to the database. Test and validate access prior to production deployment. Like log4j2.xml, is also individually managed per PingFederate server. This flexibility allows multiple PingFederate nodes in a clustered environment to write messages to different destinations (as needed).

    You can obfuscate the password used to access the database by running the obfuscate utility, located in the <pf_install>/pingfederate/bin directory: obfuscate.bat for Windows or for Linux. Use the actual password as an argument and copy the entire result into the value for the password parameter in

  4. Uncomment the appender reference (<AppenderRef/>) in the associated logger elements, as described inline in the log4j2.xml file:
    Audit log
    Uncomment the corresponding PingFailover appender references from the following Logger elements located under the Loggers section:
    • org.sourceid.websso.profiles.sp.SpAuditLogger (Browser SSO SP and adapter-to-adapter)
    • org.sourceid.websso.profiles.idp.IdpAuditLogger (Browser SSO IdP and adapter-to-adapter)
    • org.sourceid.websso.profiles.idp.AsAuditLogger (OAuth authorization server)
    • org.sourceid.websso.profiles.idp.ClientRegistrationAuditLogger (Dynamic Client Registration)
    • org.sourceid.wstrust.log.STSAuditLogger (WS-Trust STS, IdP and/or SP)
    Provisioner audit log
    Uncomment the corresponding PingFailover appender reference from the ProvisionerAuditLogger Logger element located under the Set up the Outbound provisioner audit logger section.
    Provisioner log
    Uncomment the corresponding PingFailover appender reference from the com.pingidentity.provisioner AsyncLogger element located under the Loggers section.
    Server log
    Uncomment the corresponding PingFailover appender reference from the root element located under the Set up the Root Logger section (near the end of the file).

    As indicated in the IMPORTANT comments for the loggers, you must also remove some of the existing appender references.

  5. Optional: For the audit log and the provisioner audit log, you can configure elements for database logging in the ConversionPattern appender parameter, as needed.