Writing audit log in CEF - PingFederate - 10.3


You can write the audit log in Common Event Format (CEF) in PingFederate.

  1. Edit <pf_install>/pingfederate/server/default/conf/log4j2.xml.
  2. Under the Security Audit log : CEF Formatted syslog appender section, uncomment one of the preset appender configurations:
    • SecurityAuditToCEFSyslog - a Socket appender
    • SecurityAuditToCEFFile - a RollingFile appender
    Note:

    The SecurityAuditToCEFSyslog Socket appender is followed by two related appenders, PingFailover and RollingFile. Together, they create a running audit-cef-syslog-failover.log file in the log directory in the event that CEF logging fails for any reason. Both appenders must also be enabled and uncommented.

    Tip:

    Review inline comments and notes in the log4j2.xml file for more information about each appender.

  3. If you are configuring the SecurityAuditToCEFSyslog Socket appender, replace the placeholder parameter values for the syslog host.
  4. If you are configuring the SecurityAuditToCEFSyslog Socket appender, uncomment the PingFailover appender reference (<appender-ref ref="SecurityAuditToCEFSyslog-FAILOVER"/>) from the following Logger elements located under the Loggers section:
    • Browser SSO SP and adapter-to-adapter - org.sourceid.websso.profiles.sp.SpAuditLogger
    • Browser SSO IdP and adapter-to-adapter - org.sourceid.websso.profiles.idp.IdpAuditLogger
    • OAuth authorization server - org.sourceid.websso.profiles.idp.AsAuditLogger
    • Dynamic Client Registration - org.sourceid.websso.profiles.idp.ClientRegistrationAuditLogger
    • WS-Trust STS, identity provider (IdP), and service provider (SP) - org.sourceid.wstrust.log.STSAuditLogger
    Important:

    As indicated in the IMPORTANT comments for the loggers, you must also remove some of the existing appender references.
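
A check for steps 2 and 4, added here as an example and not part of the PingFederate documentation or product: it parses log4j2.xml and reports whether the Socket and PingFailover appenders are uncommented and whether each listed audit logger references the failover appender. It assumes the PingFailover appender carries the name used in the appender-ref above and that appenders sit directly under the Appenders section; the embedded sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

SOCKET = "SecurityAuditToCEFSyslog"
FAILOVER = "SecurityAuditToCEFSyslog-FAILOVER"
AUDIT_LOGGERS = (  # the five loggers listed in step 4
    "org.sourceid.websso.profiles.sp.SpAuditLogger",
    "org.sourceid.websso.profiles.idp.IdpAuditLogger",
    "org.sourceid.websso.profiles.idp.AsAuditLogger",
    "org.sourceid.websso.profiles.idp.ClientRegistrationAuditLogger",
    "org.sourceid.wstrust.log.STSAuditLogger",
)

def _find(parent, tag):
    # Log4j 2 matches element names case-insensitively, so compare lowercased.
    return [el for el in parent.iter() if el.tag.lower() == tag]

def check_cef_syslog(xml_text):
    """Return findings; an empty list means steps 2 and 4 look complete."""
    # The default parser drops comments, so commented-out elements are absent.
    root = ET.fromstring(xml_text)
    active = {a.get("name") for sec in _find(root, "appenders") for a in sec}
    findings = [f"appender {n} is not enabled" for n in (SOCKET, FAILOVER) if n not in active]
    loggers = {lg.get("name"): lg for lg in _find(root, "logger")}
    for name in AUDIT_LOGGERS:
        if name not in loggers:
            findings.append(f"logger {name} not found")
        elif FAILOVER not in {r.get("ref") for r in _find(loggers[name], "appender-ref")}:
            findings.append(f"logger {name} lacks appender-ref {FAILOVER}")
    return findings

# Constructed, heavily reduced sample; not the shipped log4j2.xml.
SAMPLE = """<Configuration>
  <Appenders>
    <Socket name="SecurityAuditToCEFSyslog" host="syslog.example.com" port="514"/>
    <!-- <PingFailover name="SecurityAuditToCEFSyslog-FAILOVER"/> -->
  </Appenders>
  <Loggers>
    <Logger name="org.sourceid.websso.profiles.sp.SpAuditLogger">
      <appender-ref ref="SecurityAuditToCEFSyslog-FAILOVER"/>
    </Logger>
    <Logger name="org.sourceid.websso.profiles.idp.IdpAuditLogger">
      <!-- <appender-ref ref="SecurityAuditToCEFSyslog-FAILOVER"/> -->
    </Logger>
  </Loggers>
</Configuration>"""

if __name__ == "__main__":
    for finding in check_cef_syslog(SAMPLE):
        print(finding)
```

The check does not cover the appender references that the IMPORTANT comments say to remove, nor the syslog host values from step 3.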