I'm trying to configure the Splunk App for PingFederate, but there doesn't seem to be any step-by-step instructions out there, or any instructions really.
I've got the Ping servers stood up, configured properly, and indexed and searchable in Splunk. However, there is no data showing up in the PingFederate app. I can't find a way to sync/feed the indexes/logs into the app.
Does anyone know how to set up this app properly?
Depending on where you are in your various installations, this
https://support.pingidentity.com/Configuring-PingFederate-with-Splunk (older)
and this
https://documentation.pingidentity.com/pingfederate/pf83/index.shtml#adminGuide/concept/writingAudit... (newer)
should get you pretty close depending on your version.
I also noticed the SecurityAudit2Splunk logger is commented out in the log4j2.xml, and no one seems to mention it.
Thank you for your comment and help.
We actually found out that editing the source XML on the various Ping dashboards fixed most of our problems. When we opened the original dashboards that came packaged with the Ping app, none of them referenced any indexes, so we added the index for the Ping data into the XML, and many of the dashboards began to work.
Additionally, we discovered that making a copy of the savedsearches.conf file from the default app directory and putting it into the local directory, then adding the Ping indexes to the stanzas within the file fixed almost all of the rest of them.
The reason it didn't work without "index=" is that the index(es) for PingFederate would not have been in the "Search by default" (srchIndexesDefault) setting in authorize.conf.
It may have been easier to allow the indexes you need to be searchable by default in authorize.conf; this would have negated all the additional work you had to do. This can also be done on a per-user basis if required.
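For anyone landing on this thread later, here is an added illustration (written for this answer, not taken from the app or from anyone above) of the two approaches: pinning the index in a local copy of a savedsearches.conf stanza, versus making the index searchable by default for a role in authorize.conf. The index name `pingfederate`, the role name `role_pingfederate_users`, the stanza name and the search body are all placeholders.

```ini
# $SPLUNK_HOME/etc/apps/<ping_app>/local/savedsearches.conf
# Approach 1 (what the thread did): copy the stanza from default/ into local/
# and prefix the search with an explicit index= so it no longer depends on
# the running role's "search by default" index list.
# Stanza name and search body are placeholders, not the app's own content.
[PingFederate - Example Saved Search]
search = index=pingfederate sourcetype=pingfederate* | stats count by host

# $SPLUNK_HOME/etc/system/local/authorize.conf
# Approach 2 (what the last reply suggests): add the index to the role's
# srchIndexesDefault so the unmodified app searches find the data.
# srchIndexesAllowed must also permit the index, or it is never searchable.
# Role name is a placeholder; scope this to the role(s) that need Ping data.
[role_pingfederate_users]
srchIndexesAllowed = pingfederate
srchIndexesDefault = pingfederate
```

Widening srchIndexesDefault changes what every search run by that role returns when no index= is given, so prefer a dedicated role over editing a broad one such as the built-in user role.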