Configure for attack.log

Edit the pingidentity/dashboard/config/ file to send the attack data to attack.log. By default syslog is configured. To send the attack data to attack.log, edit the file as shown in the snippet below:
### Log4j2
# publish attacks to Log4j2. Valid values true or false
# By default it provides syslog support
# log4j2 config file to log attacks to an external service. For example, Syslog
# use com.pingidentity.abs.publish as logger name in log4j2 configuration
# log4j2 log level for attack logging
# directory for any log4j2 config dependency jar's.
# useful for third party log4j2 appenders
# it should be a directory
attack_log.xml: Following is a snippet of the attack_log.xml. The attack_log.xml produces attack.log that is consumed by Splunk. The attack.log captures the attack data in a JSON format.
<?xml version="1.0" encoding="UTF-8"?>
<Configuration name="APIIntelligence" packages="" status="warn">
    <RollingFile name="attack_log" append="true" fileName="${sys:dashboard.rootdir}/logs/attack.log"
      filePattern="logs/attack.log.%d{yyyy-MM-dd}" immediateFlush="true" >

  <!-- Attacks are logged to logger with name com.pingidentity.abs.publish
       There should be at least one logger with name com.pingidentity.abs.publish
       It is better to set additivity="false" so that same attacks will not be logged in dashboard.log -->

    <Logger additivity="false" level="info" name="com.pingidentity.abs.publish">

      <AppenderRef ref="attack_log"/>

The attack data is published to a Log4j logger named com.pingidentity.abs.publish. The Log4j configuration file must have a logger named com.pingidentity.abs.publish. Any Log4j2 config file that wants to capture attack data from Dashboard must have at least one logger with name com.pingidentity.abs.publish.