Page created: 1 Nov 2021 | Page updated: 12 May 2022
Configure dataengine.properties for attack.log
Edit the pingidentity/dataengine/config/dataengine.properties file to send the attack data to attack.log. By default, attack data is published to syslog. To send it to attack.log instead, enable Log4j2 publishing and point log4j2.config at the Log4j2 configuration file, as shown in the snippet below:

### Log4j2
# publish attacks to Log4j2. Valid values true or false
# By default it provides syslog support
publish.log4j2.enable=true
# log4j2 config file to log attacks to an external service. For example, Syslog
# use com.pingidentity.abs.publish as logger name in log4j2 configuration
log4j2.config=config/attack_log.xml
# log4j2 log level for attack logging
log4j2.log.level=INFO
# directory for any log4j2 config dependency jars (for example, third-party log4j2 appenders).
# It must be a directory, not a jar file.
log4j2.dependencies.dir=plugins/
attack_log.xml: the following is a snippet of attack_log.xml. This configuration writes attack.log, which is consumed by Splunk. Each line of attack.log is one attack record in JSON format, prefixed with the literal string pi-attack-info- from the PatternLayout, and the file is rolled once a day by the TimeBasedTriggeringPolicy.
<?xml version="1.0" encoding="UTF-8"?>
<Configuration name="APIIntelligence" packages="" status="warn">
  <Appenders>
    <!-- filePattern uses the same ${sys:dashboard.rootdir} prefix as fileName so that rolled
         files land next to attack.log rather than relative to the JVM working directory -->
    <RollingFile name="attack_log" append="true" fileName="${sys:dashboard.rootdir}/logs/attack.log"
                 filePattern="${sys:dashboard.rootdir}/logs/attack.log.%d{yyyy-MM-dd}" immediateFlush="true">
      <PatternLayout>
        <!-- each record is the literal prefix followed by the JSON attack message and a newline -->
        <Pattern>pi-attack-info-%m%n</Pattern>
      </PatternLayout>
      <Policies>
        <!-- roll once per day, matching the %d{yyyy-MM-dd} date unit in filePattern -->
        <TimeBasedTriggeringPolicy/>
      </Policies>
    </RollingFile>
  </Appenders>
  <!-- Attacks are logged to the logger named com.pingidentity.abs.publish.
       There must be at least one logger with that name.
       Set additivity="false" so that the same attacks are not also passed up to the
       root logger and written a second time to dashboard.log. -->
  <Loggers>
    <Logger additivity="false" level="info" name="com.pingidentity.abs.publish">
      <AppenderRef ref="attack_log"/>
    </Logger>
  </Loggers>
</Configuration>
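As an added example (not Ping Identity's or Splunk's code), here is a line reader for attack.log as produced by the PatternLayout above: each record is the literal prefix pi-attack-info- followed by the JSON attack message and a newline, so a consumer must strip the prefix before decoding and must be prepared for lines that are not complete records. The sample lines and the field names attack_type and ip are constructed for this example; the real attack record schema is not given on this page.

```python
"""Reader for attack.log lines written with the pattern pi-attack-info-%m%n.

Added example, not Ping Identity's code. The record fields below are
constructed placeholders; the real attack schema is not described on the page.
"""
import json

# Literal prefix from the PatternLayout in attack_log.xml.
PREFIX = "pi-attack-info-"

# Constructed sample: two complete records, one foreign line that should never
# appear in attack.log, and one record cut off mid-write.
SAMPLE_LOG = (
    'pi-attack-info-{"attack_type": "example", "ip": "198.51.100.7"}\n'
    'pi-attack-info-{"attack_type": "example", "ip": "203.0.113.9"}\n'
    'INFO some unrelated line that should never be in attack.log\n'
    'pi-attack-info-{"attack_type": "example", "ip": "203.0.113.1'
)


def parse_attack_line(line):
    """Return the decoded JSON object for one line, or None if the line is not
    a complete attack record (wrong prefix, truncated or non-object JSON)."""
    line = line.rstrip("\r\n")
    if not line.startswith(PREFIX):
        return None
    try:
        record = json.loads(line[len(PREFIX):])
    except json.JSONDecodeError:
        return None
    return record if isinstance(record, dict) else None


def read_attack_log(text):
    """Split attack.log content into (records, rejected).

    records  - list of decoded attack records, in file order
    rejected - list of (line_number, raw_line) for lines that did not parse,
               so they can be reported or retried instead of silently dropped
    """
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        record = parse_attack_line(line)
        if record is None:
            rejected.append((lineno, line))
        else:
            records.append(record)
    return records, rejected


if __name__ == "__main__":
    recs, bad = read_attack_log(SAMPLE_LOG)
    print(f"{len(recs)} records, {len(bad)} rejected lines")
    for lineno, raw in bad:
        print(f"  line {lineno}: {raw[:60]!r}")
```

A rejected final line usually means the reader caught the writer mid-record; re-read it on the next pass rather than discarding it. A rejected line with no prefix is a sign that some other logger is writing into attack.log, which is exactly what additivity="false" on the attack logger is meant to prevent.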
The attack data is published to a Log4j2 logger named com.pingidentity.abs.publish, so any Log4j2 configuration file used to capture attack data from the Dashboard must define at least one logger with exactly that name. If no such logger is defined, Log4j2 routes the events to the root logger, which this configuration does not declare; with Log4j2's built-in default root logger (level ERROR, console output) the INFO-level attack records are discarded. Keep additivity="false" on the logger, otherwise each attack is also passed up to the root logger and written a second time to dashboard.log.
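As an added example serving both the dataengine.properties snippet and the attack_log.xml requirements above (not Ping Identity's code), here is a Python check that reads both files and reports the misconfigurations that quietly break the attack.log path: Log4j2 publishing left disabled, no logger named com.pingidentity.abs.publish, an additive logger, an AppenderRef that matches no appender, and a RollingFile whose filePattern resolves to a different directory than its fileName (which would put rolled files relative to the JVM working directory). The property and logger names come from the page; the sample documents and the check logic are constructed here.

```python
"""Sanity check for the dataengine.properties -> attack_log.xml wiring.

Added example, not Ping Identity's code. Property keys and the logger name
are taken from the documentation; the sample documents are constructed.
"""
import os
import xml.etree.ElementTree as ET

# Logger name the Dashboard publishes attack events to (from the page).
ATTACK_LOGGER = "com.pingidentity.abs.publish"

# Constructed sample of the relevant dataengine.properties lines.
SAMPLE_PROPERTIES = """\
### Log4j2
publish.log4j2.enable=true
log4j2.config=config/attack_log.xml
log4j2.log.level=INFO
log4j2.dependencies.dir=plugins/
"""

# Constructed sample of attack_log.xml in the shape described on the page.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration name="APIIntelligence" packages="" status="warn">
  <Appenders>
    <RollingFile name="attack_log" append="true"
                 fileName="${sys:dashboard.rootdir}/logs/attack.log"
                 filePattern="${sys:dashboard.rootdir}/logs/attack.log.%d{yyyy-MM-dd}"
                 immediateFlush="true">
      <PatternLayout><Pattern>pi-attack-info-%m%n</Pattern></PatternLayout>
      <Policies><TimeBasedTriggeringPolicy/></Policies>
    </RollingFile>
  </Appenders>
  <Loggers>
    <Logger additivity="false" level="info" name="com.pingidentity.abs.publish">
      <AppenderRef ref="attack_log"/>
    </Logger>
  </Loggers>
</Configuration>
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_wiring(properties_text, xml_text):
    """Return a list of problem descriptions; an empty list means the
    properties file and the Log4j2 config route attacks into attack.log."""
    problems = []

    props = parse_properties(properties_text)
    if props.get("publish.log4j2.enable", "false").lower() != "true":
        problems.append("publish.log4j2.enable is not true: attacks stay on the default syslog path")
    if not props.get("log4j2.config"):
        problems.append("log4j2.config is not set")

    root = ET.fromstring(xml_text)

    # Every appender, by name, so AppenderRefs can be resolved.
    appenders = {a.get("name"): a for a in root.findall("./Appenders/*")}
    for name, app in appenders.items():
        if app.tag == "RollingFile":
            file_dir = os.path.dirname(app.get("fileName", ""))
            pattern_dir = os.path.dirname(app.get("filePattern", ""))
            if file_dir != pattern_dir:
                problems.append(f"appender {name}: filePattern directory {pattern_dir!r} "
                                f"differs from fileName directory {file_dir!r}")

    loggers = [lg for lg in root.findall("./Loggers/Logger") if lg.get("name") == ATTACK_LOGGER]
    if not loggers:
        problems.append(f"no <Logger name={ATTACK_LOGGER!r}>: events fall through to the root logger")
    for lg in loggers:
        # Log4j2 defaults additivity to true, which duplicates attacks into dashboard.log.
        if lg.get("additivity", "true").lower() != "false":
            problems.append(f"{ATTACK_LOGGER} is additive: attacks are also passed to the root logger")
        refs = [r.get("ref") for r in lg.findall("AppenderRef")]
        if not refs:
            problems.append(f"{ATTACK_LOGGER} has no AppenderRef")
        for ref in refs:
            if ref not in appenders:
                problems.append(f"AppenderRef {ref!r} matches no appender")
    return problems


if __name__ == "__main__":
    for problem in check_wiring(SAMPLE_PROPERTIES, SAMPLE_XML) or ["wiring looks correct"]:
        print(problem)
```

Run it against the real files after editing them (read the two paths and pass the contents to check_wiring); the check deliberately does not expand ${sys:dashboard.rootdir}, because the point is whether both paths share the same prefix, not where it resolves on a given host.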