PingFederate is an enterprise-grade identity federation server developed by Ping Identity. It enables secure authentication and authorization across applications, APIs, and organizations using standards like SAML, OAuth, and OpenID Connect. It is widely used for implementing Single Sign-On (SSO), federated identity, and security in large-scale environments.
For more detailed information refer to PingFederate’s official page.
Integration Method: Data Collector (Flat file)
Tables: Authentication (3002), Detection Finding (2004)
This integration supports the following events.
| Event | Description |
|---|---|
| Authentication logs | List of MFA authentications, auth attempts and auth failures. |
| Security Alerts | List of security alerts logged in the server. |
This integration supports the following versions.
PingFederate | PingFederate >= 13.0 |
Prerequisites
The user should have administrator access to the device where PingFederate 13.0 or higher is installed.
The user should have a system with a compatible version on which the Data Collector can be configured.
The user should have access to the DataBee console.
Configuration Overview
Update the log4j2.xml file of PingFederate to support JSON logs.
Create PingFederate Data Feed in the DataBee console.
Update the Log4j file to support JSON logs
PingFederate generates two types of logs that need to be configured for JSON output:
Audit Logs - Contains authentication events, SSO activities, and security audits
Server Logs - Contains application errors, exceptions, and system events
Step 1: Backup the Existing Configuration
PingFederate uses Log4j as its logging service. Before making any changes, create a backup of the Log4j configuration file and confirm that the backup exists.
Location: <pf_install>/pingfederate/server/default/conf/log4j2.xml
Replace <pf_install> with the actual PingFederate install location.
Ex: C:\Program Files\Ping Identity\pingfederate-13.0.1\pingfederate\server\default\conf\log4j2.xml
Step 2: Enable JSON Audit Logging
2.1 Configure the JSON Audit Appender
Open the log4j2.xml file in a text editor
Locate the <RollingFile> tag with the name attribute SecurityAudit2File-JSON
Ensure it is configured as follows:
```xml
<RollingFile name="SecurityAudit2File-JSON"
             fileName="${sys:pf.log.dir}/audit-json.log"
             filePattern="${sys:pf.log.dir}/audit-json.%d{yyyy-MM-dd}.log"
             ignoreExceptions="false">
    <!-- All fields available in SecurityAudit2File can also be configured in the following Json Template -->
    <JsonTemplateLayout eventTemplateUri="${sys:pf.log4j.json.templates.uri}/runtime-audit-log.json"/>
    <Policies>
        <TimeBasedTriggeringPolicy maxRandomDelay="45"/>
    </Policies>
</RollingFile>
```
Key Configuration Details:
fileName - Path to the JSON audit log file
filePattern - Daily rotation pattern for log files
JsonTemplateLayout - Enables JSON output format
2.2 Enable Audit Logger References
Locate the following logger configurations and add/uncomment the JSON appender reference:
Logger 1: Service Provider (SP) Audit Logger
```xml
<Logger name="org.sourceid.websso.profiles.sp.SpAuditLogger" level="INFO" additivity="false">
    <AppenderRef ref="SecurityAudit2File"/>
    <AppenderRef ref="SecurityAudit2File-JSON"/> <!-- Add or uncomment this line -->
</Logger>
```
Logger 2: Identity Provider (IdP) Audit Logger
```xml
<Logger name="org.sourceid.websso.profiles.idp.IdpAuditLogger" level="INFO" additivity="false">
    <AppenderRef ref="SecurityAudit2File"/>
    <AppenderRef ref="SecurityAudit2File-JSON"/> <!-- Add or uncomment this line -->
</Logger>
```
Logger 3: Authorization Server (AS) Audit Logger
```xml
<Logger name="org.sourceid.websso.profiles.idp.AsAuditLogger" level="INFO" additivity="false">
    <AppenderRef ref="SecurityAudit2File"/>
    <AppenderRef ref="SecurityAudit2File-JSON"/> <!-- Add or uncomment this line -->
</Logger>
```
What This Enables:
Multi-Factor Authentication (MFA) events
Authentication attempts (success and failure)
Single Sign-On (SSO) activities
Security-relevant authentication events
Step 3: Enable JSON Server Logging
Configure the JSON Server Appender. Locate or verify the <RollingFile> appender with name FILE-JSON:
```xml
<RollingFile name="FILE-JSON"
             fileName="${sys:pf.log.dir}/server-json.log"
             filePattern="${sys:pf.log.dir}/server-json.log.%i"
             ignoreExceptions="false">
    <!-- All fields available in FILE can also be configured in the following Json Template -->
    <JsonTemplateLayout eventTemplateUri="${sys:pf.log4j.json.templates.uri}/server-log.json"/>
    <Policies>
        <SizeBasedTriggeringPolicy size="10000 KB"/>
    </Policies>
    <DefaultRolloverStrategy max="5"/>
    <createOnDemand>true</createOnDemand>
</RollingFile>
```
Key Configuration Details:
fileName - Path to the JSON server log file
SizeBasedTriggeringPolicy - Rotates log when it reaches 10MB
DefaultRolloverStrategy - Keeps maximum 5 rolled log files
Enable AsyncRoot Logger Reference. Locate the <AsyncRoot> logger configuration and add/uncomment the JSON appender reference:
```xml
<AsyncRoot level="INFO" includeLocation="false">
    <AppenderRef ref="FILE"/>
    <AppenderRef ref="FILE-JSON"/> <!-- Add or uncomment this line -->
</AsyncRoot>
```
What This Enables:
Application errors and exceptions
Configuration changes
System warnings and critical events
Connection pool and session management issues
Step 4: Save and Restart PingFederate
Save the changes to log4j2.xml
Restart PingFederate service:
```
# Stop PingFederate
<pf_install>/pingfederate/bin/pf-shutdown.sh
# Start PingFederate
<pf_install>/pingfederate/bin/pf-startup.sh
```
Note:
On Windows, use .bat instead of .sh
Wait for startup to complete (typically 30-60 seconds)
After startup, verify that the log files are present in <pf_install>/pingfederate/log/. Look for files with the following name formats:
audit-json.log
audit-json.{yyyy-mm-dd}.log
server-json.log
server-json.log.{number}
Data Collector Configuration and Installation
To receive events from PingFederate, a Data Collector must be installed and configured on the device where PingFederate is installed. The Data Collector reads logs from files in the on-prem environment and sends the data to DataBee securely.
Follow the steps provided in DataBee's official documentation to complete the configuration. Additionally, refer to this guide for detailed instructions on installing the Data Collector on your machine.
DataBee Configuration
Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.

Search for Ping Federate and click on it as shown below.

Click on the Data Collector option for collection method.

Click on the Flat File option as the polling mechanism.

Enter the feed contact information, select the collector that you have created from the drop down, and then scroll down.
In the configuration page, confirm the following, then scroll down.
Format: json
Refresh Interval (minutes): Set as per your requirement
Source Files: Add the patterns below for the audit and server log files:
<pf_install>\pingfederate\log\audit-json.*
<pf_install>\pingfederate\log\server-json.*

Click on Submit.
Troubleshooting Tips
Issue: JSON Log Files Not Created
Possible Causes:
PingFederate not restarted after configuration changes
Syntax errors in log4j2.xml
Solution: Make sure log4j2.xml is correctly updated; if needed, compare it with the backup file. Make sure to restart PingFederate after making changes.
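One way to check the edited file before restarting, as an added example (not part of PingFederate or DataBee tooling): the script below parses log4j2.xml, reports syntax errors, and confirms that the two JSON appenders exist and that the three audit loggers and AsyncRoot reference them. It assumes the configuration elements carry no XML namespace, as in the snippets above; the function name and the sample configuration are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

AUDIT, SERVER = "SecurityAudit2File-JSON", "FILE-JSON"
# Logger -> JSON appender it must reference (names taken from Steps 2 and 3).
REQUIRED = {
    "org.sourceid.websso.profiles.sp.SpAuditLogger": AUDIT,
    "org.sourceid.websso.profiles.idp.IdpAuditLogger": AUDIT,
    "org.sourceid.websso.profiles.idp.AsAuditLogger": AUDIT,
    "AsyncRoot": SERVER,
}

def check_log4j2(xml_text):
    """Return a list of problems; an empty list means JSON logging is fully wired."""
    try:
        root = ET.fromstring(xml_text)  # commented-out elements are dropped here
    except ET.ParseError as exc:
        return [f"XML syntax error: {exc}"]
    problems = []
    appenders = {el.get("name"): el for el in root.iter("RollingFile")}
    for name in (AUDIT, SERVER):
        if name not in appenders:
            problems.append(f"appender {name} is not defined")
        elif appenders[name].find("JsonTemplateLayout") is None:
            problems.append(f"appender {name} has no JsonTemplateLayout")
    for logger, ref in REQUIRED.items():
        # AsyncRoot is matched by tag, the audit loggers by their name attribute.
        nodes = [n for n in root.iter() if n.tag == logger or n.get("name") == logger]
        refs = {a.get("ref") for n in nodes for a in n.iter("AppenderRef")}
        if not nodes:
            problems.append(f"logger {logger} not found")
        elif ref not in refs:
            problems.append(f"logger {logger} does not reference {ref}")
    return problems

# Constructed sample: cut-down config where one audit logger's JSON ref is still commented out.
SAMPLE = """<Configuration><Appenders>
  <RollingFile name="SecurityAudit2File-JSON"><JsonTemplateLayout/></RollingFile>
  <RollingFile name="FILE-JSON"><JsonTemplateLayout/></RollingFile>
</Appenders><Loggers>
  <Logger name="org.sourceid.websso.profiles.sp.SpAuditLogger"><AppenderRef ref="SecurityAudit2File-JSON"/></Logger>
  <Logger name="org.sourceid.websso.profiles.idp.IdpAuditLogger"><AppenderRef ref="SecurityAudit2File-JSON"/></Logger>
  <Logger name="org.sourceid.websso.profiles.idp.AsAuditLogger"><!-- <AppenderRef ref="SecurityAudit2File-JSON"/> --></Logger>
  <AsyncRoot level="INFO"><AppenderRef ref="FILE"/><AppenderRef ref="FILE-JSON"/></AsyncRoot>
</Loggers></Configuration>"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for line in check_log4j2(text) or ["OK: JSON audit and server logging are enabled"]:
        print(line)
```

Run it with the path to log4j2.xml as the only argument; with no argument it checks the constructed sample and reports the audit logger whose JSON reference is still commented out.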
If you encounter any issues regarding log forwarding, refer to the DataBee troubleshooting document for detailed guidance.