
How to configure the Splunk App for PingFederate?

jlemoine
Path Finder

I'm trying to configure the Splunk App for PingFederate, but there don't seem to be any step-by-step instructions out there, or any instructions really.

I've got the Ping servers stood up, configured properly, and indexed and searchable in Splunk. However, there is no data showing up in the PingFederate app. I can't find a way to sync/feed the indexes/logs into the app.

Does anyone know how to set up this app properly?

0 Karma
1 Solution

PirateJokes
Engager

Depending on where you are in your various installations, this
https://support.pingidentity.com/Configuring-PingFederate-with-Splunk (older)
and this
https://documentation.pingidentity.com/pingfederate/pf83/index.shtml#adminGuide/concept/writingAudit... (newer)
should get you pretty close depending on your version.

I also noticed the SecurityAudit2Splunk logger is commented out in the log4j2.xml, and no one seems to mention it.


0 Karma

jlemoine
Path Finder

Thank you for your comment and help.

We actually found out that editing the source XML on the various Ping dashboards fixed most of our problems. When we opened the original dashboards that came packaged with the Ping app, none of them referenced any indexes, so we added the index for the Ping data into the XML, and many of the dashboards began to work.

Additionally, we discovered that making a copy of the savedsearches.conf file from the default app directory and putting it into the local directory, then adding the Ping indexes to the stanzas within the file fixed almost all of the rest of them.

0 Karma

TWiseOne
Path Finder

The reason it didn't work without "index=" is that the index(es) for PingFederate would not have been in the "Search by default" (srchIndexesDefault) setting in authorize.conf.

It may have been easier to allow the indexes you need to be searchable by default in authorize.conf; this would have negated all the additional work you had to do. This can also be done on a user basis if required.

0 Karma
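
The two fixes discussed in this thread, shown side by side as an added example (not taken from any post above or from the app itself). The index name `pingfederate`, the role name `ping_analyst`, and the angle-bracket placeholders are assumptions; substitute your own values.

```ini
# --- Option A: authorize.conf, in a local/ directory ---
# Makes the PingFederate index part of the role's default search scope,
# so searches and dashboards written without "index=" still find the data.
# Role name "ping_analyst" and index name "pingfederate" are hypothetical.
[role_ping_analyst]
importRoles = user
# Indexes the role is permitted to search when named explicitly
srchIndexesAllowed = main;pingfederate
# Indexes searched when the query carries no index= term
srchIndexesDefault = main;pingfederate

# --- Option B: savedsearches.conf, copied from default/ into the app's local/ ---
# Leaves role defaults untouched and scopes each packaged search explicitly.
# Stanza name and search body are placeholders for what the app ships.
[<saved search name from default/savedsearches.conf>]
search = index=pingfederate <original search string>
```

Option A applies to every user holding the role, so attaching it to a dedicated role rather than a broad built-in one keeps the audit index out of other users' default searches.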