---
title: Audits and logs
description: For security, troubleshooting, and regulatory compliance, agents are able to audit information for allowed and/or denied requests.
component: web-agents
version: 2025.11
page_id: web-agents:security-guide:audit-log
canonical_url: https://docs.pingidentity.com/web-agents/2025.11/security-guide/audit-log.html
section_ids:
  audit: Audit trails
  log: Log files
  ssl-key-log-file: SSL key log file
---

# Audits and logs

## Audit trails

For security, troubleshooting, and regulatory compliance, agents can record audit information for allowed requests, denied requests, or both.

The agent audit logging service adheres to the log structure common across the Ping Advanced Identity Software. Learn more in [Audit the deployment](../maintenance-guide/auditing.html).

Web Agent supports propagation of the transaction ID across the Ping Advanced Identity Software, using the HTTP header `X-ForgeRock-TransactionId`. Consider configuring this header to prevent malicious actors from flooding the system with requests using the same transaction ID header to hide their tracks. Learn more in [Trust transaction headers](https://docs.pingidentity.com/pingam/8/security/implementing-audit.html#configuring-trusttransactionheader-system-property) in AM's *Security guide*.
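The following is an added example, not part of the product documentation or Ping's code: it groups audit records by transaction ID and flags IDs that appear in many records or arrive from several client addresses, the reuse pattern described above. The field names `transactionId` and `client.ip`, the `/N` sub-transaction suffix, the thresholds, and the sample records are all assumptions constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample audit records, one JSON object per line. The field names
# "transactionId" and "client.ip" are assumptions made for this example.
SAMPLE_AUDIT_LINES = [
    '{"transactionId": "tx-legit-1", "client": {"ip": "192.0.2.10"}}',
    '{"transactionId": "tx-legit-1/0", "client": {"ip": "192.0.2.10"}}',
    '{"transactionId": "tx-reused", "client": {"ip": "198.51.100.7"}}',
    '{"transactionId": "tx-reused", "client": {"ip": "198.51.100.8"}}',
    '{"transactionId": "tx-reused", "client": {"ip": "198.51.100.7"}}',
    '{"transactionId": "tx-reused/0", "client": {"ip": "203.0.113.5"}}',
    'truncated line that is not JSON',
    '{"transactionId": "tx-legit-2", "client": {"ip": "192.0.2.11"}}',
    '{"transactionId": "tx-reused", "client": {"ip": "198.51.100.8"}}',
]


def find_reused_transaction_ids(lines, max_events=3, max_clients=1):
    """Flag transaction IDs seen in more than max_events records or from more
    than max_clients distinct client addresses. Thresholds are illustrative."""
    events = defaultdict(int)
    clients = defaultdict(set)
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or non-JSON lines instead of aborting
        if not isinstance(record, dict):
            continue
        txid = record.get("transactionId")
        if not isinstance(txid, str) or not txid:
            continue
        # Assumption: a "/N" suffix marks a sub-transaction of the same root ID.
        root = txid.split("/", 1)[0]
        events[root] += 1
        client = record.get("client")
        if isinstance(client, dict) and client.get("ip"):
            clients[root].add(client["ip"])
    return {
        root: {"events": count, "clients": sorted(clients[root])}
        for root, count in events.items()
        if count > max_events or len(clients[root]) > max_clients
    }


if __name__ == "__main__":
    for txid, info in find_reused_transaction_ids(SAMPLE_AUDIT_LINES).items():
        print(txid, info["events"], "events from", ", ".join(info["clients"]))
```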

## Log files

Agent logs contain informational, error, and warning events that you can use to troubleshoot and debug transactions and events that take place within the agent instance.

Protect logs from unauthorized access, and make sure they contain a minimum of sensitive or personally identifiable information that could be used in attacks.

Make sure [Agent Debug Level](../properties-reference/com.sun.identity.agents.config.debug.level.html) is set to the lowest level of logging necessary. For example, consider logging at the `ERROR` or `WARNING` level, instead of `TRACE` or `MESSAGE`. Learn more in [logging configuration properties](../properties-reference/preface.html#debug_logs).

## SSL key log file

The SSL key log file contains potentially sensitive TLS transaction data. Protect this file from unauthorized access.

Only enable TLS logging when troubleshooting TLS issues between the agent and AM, and remove the SSL key log file after you have completed troubleshooting. Learn more in [TLS key logging](../maintenance-guide/troubleshooting.html#tls-key-logging).
