PingFederate uses the Log4j 2 logging service to generate its log files.
Configurations are maintained in the log4j2.xml file, located in the <pf_install>/pingfederate/server/default/conf directory.
The log4j2.xml configuration file is managed individually on each PingFederate server. This flexibility allows multiple PingFederate nodes to write different levels of messages to different destinations.
If you want all PingFederate servers to use the same logging configuration, manually synchronize the log4j2.xml file across multiple PingFederate servers.
- Log levels and verbosity
- Log messages are categorized into six log levels:
  - FATAL
  - ERROR
  - WARN
  - INFO
  - DEBUG
  - TRACE
PingFederate only records messages tagged with log level INFO, WARN, ERROR, and FATAL to the server log and the provisioner log. To optimize performance, messages tagged DEBUG or TRACE are not recorded. Console logging is also disabled for the same reason.
For troubleshooting purposes, you can adjust the log level to DEBUG in the log4j2.xml file and re-enable console logging.
Important: When you no longer require debug messages and console logging, turn them off. On Windows, never highlight the console output because it might slow or stop PingFederate from processing requests.
For the audit log, the provisioner audit log, and the transaction log, any setting lower than INFO (WARN, ERROR, or FATAL) turns logging off.
For more information, see Enabling debug messages and console logging.
Changes, such as adding a Logger or adjusting log levels, are activated within half a minute. You do not need to restart PingFederate.
- Fields (and attributes)
- You can customize some logs, such as the audit log and the administrative API log, to log additional or less information by modifying their pattern elements. The log4j2.xml file documents available fields inline.
Tip: You can configure PingFederate to log user attributes, if they are present, in the audit log, transaction log, and server log. When you require privacy for sensitive user attributes, select the corresponding check boxes under Mask Log Values to mask their values in these logs.
- Log formats
- The audit log and the provisioner audit log can be written in Common Event Format (CEF). The audit log can also be written in a format used in conjunction with Splunk and the Splunk App for PingFederate. The log4j2.xml file comes preset with configuration samples to ease the setup.
- Log destinations
- The audit log, the provisioner audit log, the provisioner log, and the server log can be written to databases. PingFederate installation includes setup scripts for various tables, located in the <pf_install>/pingfederate/server/default/conf/log4j/sql-scripts directory, and configuration samples in the log4j2.xml file.
- Log rotation
- Most PingFederate-generated log files roll over at midnight each day. The system keeps all of the resulting historical log files. Some log files, such as the audit.log file, the audit-event-detail.log file (if enabled), the provisioner-audit.log file (when applicable), and the transaction.log file, can become quite large, depending on your production load and settings. You might want to back up or remove older files on a routine basis.
For more information about Log4j 2, see the Log4j 2 open-source project.
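The following Python check is an added example, not PingFederate tooling or code from this page. It parses a log4j2.xml in the standard Log4j 2 layout and reports loggers left at DEBUG or TRACE, loggers that still reference a console appender, and audit-type loggers set to WARN, ERROR, or FATAL, which the log level notes above say turns that logging off. The sample configuration and its logger names are constructed; supply the real audit and transaction logger names from your own file through the hypothetical `info_only_loggers` parameter.

```python
import xml.etree.ElementTree as ET

# Constructed sample in standard Log4j 2 XML layout; NOT PingFederate's shipped file.
SAMPLE = """<Configuration>
  <Appenders>
    <Console name="CONSOLE"/>
    <File name="FILE" fileName="server.log"/>
  </Appenders>
  <Loggers>
    <Logger name="com.example.sso" level="DEBUG"><AppenderRef ref="FILE"/></Logger>
    <Logger name="example.audit" level="WARN"><AppenderRef ref="FILE"/></Logger>
    <Root level="INFO"><AppenderRef ref="CONSOLE"/><AppenderRef ref="FILE"/></Root>
  </Loggers>
</Configuration>"""

VERBOSE = {"DEBUG", "TRACE", "ALL"}              # levels meant for troubleshooting only
ABOVE_INFO = {"WARN", "ERROR", "FATAL", "OFF"}   # silences INFO-only logs such as audit
LOGGER_TAGS = {"Logger", "AsyncLogger", "Root", "AsyncRoot"}


def local(tag):
    """Strip an XML namespace prefix such as '{uri}Logger' down to 'Logger'."""
    return tag.rsplit("}", 1)[-1]


def audit_config(xml_text, info_only_loggers=()):
    """Return (logger, finding, value) tuples for a locally managed log4j2.xml.

    info_only_loggers: assumed, caller-supplied names of audit/transaction loggers.
    """
    root = ET.fromstring(xml_text)  # trusted local config, not untrusted XML
    consoles = {e.get("name") for e in root.iter() if local(e.tag) == "Console"}
    findings = []
    for lg in root.iter():
        if local(lg.tag) not in LOGGER_TAGS:
            continue
        name = lg.get("name") or "ROOT"          # the Root logger has no name attribute
        level = (lg.get("level") or "").upper()
        if level in VERBOSE:
            findings.append((name, "verbose-level", level))
        if name in info_only_loggers and level in ABOVE_INFO:
            findings.append((name, "logging-off", level))
        for ref in lg.iter():
            if local(ref.tag) == "AppenderRef" and ref.get("ref") in consoles:
                findings.append((name, "console-enabled", ref.get("ref")))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE, {"example.audit"}):
        print(*finding, sep="\t")
```

Because each server keeps its own log4j2.xml, run the check against every node's copy rather than one representative file.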