Push subscriptions stream audit events of the selected type to the HTTPS URL you specify.
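The audit events pushed to that URL will look similar to the samples below. When you parse them, note that the `recorded` timestamp in these samples is written in year-day-month order (the Splunk `time` value 1530205017627 is epoch milliseconds for 28 June 2018, 16:56:57 UTC), and that `client.ipAddress` can hold more than one address, separated by commas. Each event also carries the actor's name and the client's IP address and user agent, so the receiving endpoint will be storing user-identifying data.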
Audit format
{ "source": "ADMINISTRATOR_LOGIN", "id": "8fd3d92f-7af2-11e8-b80d-0ec0fbebxxxx", "recorded": "2018-28-06T16:44:44.849Z", "action": { "type": "Password" }, "actors": [ { "type": "user", "name": "pcasso@pingidentity.com" } ], "resources": [], "client": { "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "ipAddress": "192.168.10.1, 172.138.206.50" }, "result": { "status": "SUCCESS", "message": "Password" } }
Splunk format
{ "event": { "source": "ADMINISTRATOR_LOGIN", "id": "44990ce5-7af4-11e8-b80d-0ec0fbebxxxx", "recorded": "2018-28-06T16:56:57.627Z", "action": { "type": "Password" }, "actors": [ { "type": "user", "name": "pcasso@pingidentity.com" } ], "resources": [], "client": { "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "ipAddress": "24.222.35.218, 172.18.26.54" }, "result": { "status": "SUCCESS", "message": "Password" } }, "host": "pingidentity.com", "time": 1530205017627, "source": "ADMINISTRATOR_LOGIN" }