How to configure the Splunk App for PingFederate?

jlemoine
Path Finder

I'm trying to configure the Splunk App for PingFederate, but there don't seem to be any step-by-step instructions out there, or any instructions really.

I've got the Ping servers stood up, configured properly, and indexed and searchable in Splunk. However, there is no data showing up in the PingFederate app. I can't find a way to sync/feed the indexes/logs into the app.

Does anyone know how to setup this app properly?

0 Karma
1 Solution

PirateJokes
Engager

Depending on where you are in your various installations, this
https://support.pingidentity.com/Configuring-PingFederate-with-Splunk (older)
and this
https://documentation.pingidentity.com/pingfederate/pf83/index.shtml#adminGuide/concept/writingAudit... (newer)
should get you pretty close depending on your version.

I also noticed the SecurityAudit2Splunk logger is commented out in the log4j2.xml, and no one seems to mention it.

0 Karma
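As an added example, not part of the thread and not Ping Identity's or Splunk's code: a small Python check for the point in the answer above, telling you whether a SecurityAudit2Splunk appender in a log4j2.xml is a live element or only exists inside a comment, and optionally unwrapping the comment blocks that mention it. The sample XML below is constructed to have the shape of a log4j2.xml; the logger name, file names and layout pattern are placeholders, not the values PingFederate ships.

```python
import re
import xml.etree.ElementTree as ET

# Appender name reported in the thread as commented out in PingFederate's log4j2.xml.
APPENDER = "SecurityAudit2Splunk"

# Constructed sample in the shape of a log4j2.xml. Logger name, file names and
# patterns are placeholders, not copied from PingFederate's shipped configuration.
SAMPLE_LOG4J2 = """<Configuration>
  <Appenders>
    <RollingFile name="SecurityAudit2File" fileName="log/audit.log"
                 filePattern="log/audit.%d{yyyy-MM-dd}.log">
      <PatternLayout pattern="%d | %m%n"/>
      <TimeBasedTriggeringPolicy/>
    </RollingFile>
    <!--
    <RollingFile name="SecurityAudit2Splunk" fileName="log/audit-splunk.log"
                 filePattern="log/audit-splunk.%d{yyyy-MM-dd}.log">
      <PatternLayout pattern="%d | %m%n"/>
      <TimeBasedTriggeringPolicy/>
    </RollingFile>
    -->
  </Appenders>
  <Loggers>
    <Logger name="AuditLogger" level="INFO" additivity="false">
      <AppenderRef ref="SecurityAudit2File"/>
      <!-- <AppenderRef ref="SecurityAudit2Splunk"/> -->
    </Logger>
    <Root level="INFO"/>
  </Loggers>
</Configuration>
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)


def splunk_audit_state(xml_text: str) -> dict:
    """Parse with comments retained and report whether the Splunk appender, and the
    AppenderRef that points at it, are live elements or only appear inside comments."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    live = [el for el in root.iter() if el.tag is not ET.Comment]
    comments = [el.text or "" for el in root.iter() if el.tag is ET.Comment]
    return {
        "appender_live": any(el.get("name") == APPENDER for el in live),
        "appender_ref_live": any(el.get("ref") == APPENDER for el in live),
        "in_comment": any(APPENDER in c for c in comments),
    }


def splunk_audit_enabled(xml_text: str) -> bool:
    """Audit events only reach the Splunk log file when both the appender
    definition and a logger's reference to it are live."""
    state = splunk_audit_state(xml_text)
    return state["appender_live"] and state["appender_ref_live"]


def enable_splunk_audit(xml_text: str) -> str:
    """Strip the comment markers from every comment block that mentions the
    appender; unrelated comments are left as they are. Review the result
    before writing it back over the real file."""
    def unwrap(match):
        body = match.group(1)
        return body if APPENDER in body else match.group(0)
    return COMMENT_RE.sub(unwrap, xml_text)


if __name__ == "__main__":
    print("before:", splunk_audit_state(SAMPLE_LOG4J2))
    print("after: ", splunk_audit_state(enable_splunk_audit(SAMPLE_LOG4J2)))
```

Point `splunk_audit_state` at the log4j2.xml under the PingFederate server's conf directory to confirm the state before you edit; an appender that is live but has no live AppenderRef from a logger still produces no output, which is why the check reports both separately.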

jlemoine
Path Finder

Thank you for your comment and help.

We actually found out that editing the source XML on the various Ping dashboards fixed most of our problems. When we opened the original dashboards that came packaged with the Ping app, none of them referenced any indexes, so we added the index for the Ping data into the XML, and many of the dashboards began to work.

Additionally, we discovered that making a copy of the savedsearches.conf file from the default app directory and putting it into the local directory, then adding the Ping indexes to the stanzas within the file fixed almost all of the rest of them.

0 Karma

TWiseOne
Path Finder

The reason it didn't work without "index=" is that the index(es) for PingFederate would not have been in the "Search by default" (srchIndexesDefault) setting in authorize.conf.

It may have been easier to allow the indexes you need to be searchable by default in authorize.conf; this would have negated all the additional work you had to do. This can also be done on a per-user basis if required.

0 Karma
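As an added example covering both jlemoine's fix (adding an index term to the dashboard XML and to a local copy of savedsearches.conf) and TWiseOne's alternative (srchIndexesDefault in authorize.conf), written for this page and not taken from the app, from Splunk or from either poster: the first functions do the edit jlemoine describes, prepending an index term to every dashboard query and saved-search stanza that lacks one; the last two read a role's srchIndexesDefault from authorize.conf and say whether a search with no index= term would reach the PingFederate data at all. The index name pingfederate, the sourcetype pf_audit, the dashboard, the conf stanzas and the role_user settings are all constructed placeholders.

```python
import configparser
import io
import re
import xml.etree.ElementTree as ET

# Assumed index name: whatever the PingFederate logs were indexed into in your environment.
PF_INDEX = "pingfederate"

# Constructed Simple XML dashboard in the shape of one shipped without an index term.
# The sourcetype pf_audit is a placeholder, not the app's real sourcetype.
DASHBOARD_XML = """<dashboard>
  <label>Sign-on overview</label>
  <row>
    <panel><chart><search>
      <query>sourcetype=pf_audit status=success | timechart count by subject</query>
    </search></chart></panel>
    <panel><table><search>
      <query>| inputlookup pf_summary.csv | stats count</query>
    </search></table></panel>
  </row>
</dashboard>
"""

# Constructed savedsearches.conf stanzas; one already names an index.
SAVEDSEARCHES_CONF = """[PF - Failed sign-ons]
search = sourcetype=pf_audit status=failure | stats count by subject
dispatch.earliest_time = -24h

[PF - Already scoped]
search = index=pingfederate sourcetype=pf_audit | stats count
"""

# Constructed authorize.conf: the index is allowed but not searched by default.
AUTHORIZE_CONF = """[role_user]
srchIndexesAllowed = main;pingfederate
srchIndexesDefault = main
"""

INDEX_TERM_RE = re.compile(r"(?:^|\s)index\s*=", re.IGNORECASE)


def needs_index(query: str) -> bool:
    """True when the base search (text before the first pipe) names no index.
    A search that starts with a generating command (| inputlookup ...) has no
    base search to scope, so it is left alone."""
    q = query.strip()
    if not q or q.startswith("|"):
        return False
    base = q.split("|", 1)[0]
    return INDEX_TERM_RE.search(base) is None


def add_index_to_query(query: str, index: str = PF_INDEX) -> str:
    return f"index={index} {query.strip()}" if needs_index(query) else query


def add_index_to_dashboard(xml_text: str, index: str = PF_INDEX):
    """Prepend index=<index> to every <query> in a Simple XML dashboard that lacks one.
    Returns the rewritten XML and the list of queries that were changed."""
    root = ET.fromstring(xml_text)
    changed = []
    for q in root.iter("query"):
        old = q.text or ""
        new = add_index_to_query(old, index)
        if new != old:
            q.text = new
            changed.append(new)
    return ET.tostring(root, encoding="unicode"), changed


def load_conf(conf_text: str) -> configparser.RawConfigParser:
    """Splunk .conf files are INI-like: no %-interpolation, case-sensitive keys."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str
    cp.read_string(conf_text)
    return cp


def add_index_to_savedsearches(conf_text: str, index: str = PF_INDEX):
    """Same fix for savedsearches.conf: rewrite the 'search' key of each stanza.
    The result belongs in the app's local/ directory, never in default/."""
    cp = load_conf(conf_text)
    changed = []
    for stanza in cp.sections():
        if cp.has_option(stanza, "search"):
            old = cp.get(stanza, "search")
            new = add_index_to_query(old, index)
            if new != old:
                cp.set(stanza, "search", new)
                changed.append(stanza)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue(), changed


def searched_by_default(authorize_text: str, role: str) -> list:
    """Indexes a role searches when the query carries no index= term."""
    raw = load_conf(authorize_text).get(role, "srchIndexesDefault", fallback="")
    return [i.strip() for i in raw.split(";") if i.strip()]


def default_search_hits(authorize_text: str, role: str, index: str = PF_INDEX) -> bool:
    """TWiseOne's point: without index=, the search only reaches indexes listed here."""
    return index in searched_by_default(authorize_text, role)
```

Either route works, but they differ in scope: the index term in the dashboard or saved search fixes that one search for every user, whereas adding the index to srchIndexesDefault for a role changes what every unscoped search by that role returns, so widen it only for roles that should be seeing PingFederate audit data.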