You can write the audit log in Common Event Format (CEF) in PingFederate.
- Edit <pf_install>/pingfederate/server/default/conf/log4j2.xml.
-
Under the
Security Audit log : CEF Formatted syslog appender
section, uncomment one of the preset appender configurations:-
SecurityAuditToCEFSyslog
- aSocket
appender -
SecurityAuditToCEFFile
- aRollingFile
appender
Note:The
SecurityAuditToCEFSyslog
Socket
appender is followed by two related appenders,PingFailover
andRollingFile
. Together, they create a running audit-cef-syslog-failover.log file in the log directory in the event that CEF logging fails for any reason. Both appenders must also be enabled and uncommented.Tip:Review inline comments and notes in the log4j2.xml file for more information about each appender.
-
-
If you are configuring the
SecurityAuditToCEFSyslog
Socket
appender, replace the placeholder parameter values for the syslog host. -
If you are configuring the
SecurityAuditToCEFSyslog
Socket
appender. uncomment thePingFailover
appender reference (<appender-ref ref="SecurityAuditToCEFSyslog-FAILOVER"/>
) from the followingLogger
elements located under theLoggers
section:- Browser SSO SP and adapter-to-adapter -
org.sourceid.websso.profiles.sp.SpAuditLogger
- Browser SSO IdP and adapter-to-adapter -
org.sourceid.websso.profiles.idp.IdpAuditLogger
- OAuth authorization server -
org.sourceid.websso.profiles.idp.AsAuditLogger
- Dynamic Client Registration -
org.sourceid.websso.profiles.idp.ClientRegistrationAuditLogger
- WS-Trust STS, identity provider (IdP), and service provider (SP) -
org.sourceid.wstrust.log.STSAuditLogger
Important:As indicated in the IMPORTANT comments for the loggers, you must also remove some of the existing appender references.
- Browser SSO SP and adapter-to-adapter -