
Splunk App for PingFederate: I can see splunk-audit.log in the PF log directory, but why is it empty?

sbrice36
Explorer

I am having an issue on my SSO-Pingfederate App server. I have modified my PF log4j file with the recommended appender change and restarted the PF service. I now see the "splunk-audit.log" in the PF log directory, but it is empty. I have been checking it every hour now and it's still at 0KB. (3 hrs have passed.)

 <level value="INFO" />
 <appender-ref ref="SecurityAudit2File"/>
 <!--
     <appender-ref ref="SecurityAuditToCEFSyslog"/>
     <appender-ref ref="SecurityAuditToCEFFile"/>
     <appender-ref ref="SecurityAuditToMySQLDB"/>
     <appender-ref ref="SecurityAuditToSQLServerDB"/>
     <appender-ref ref="SecurityAuditToOracleDB"/> -->
     <appender-ref ref="SecurityAudit2Splunk"/>





 <level value="INFO" />
 <appender-ref ref="SecurityAudit2File"/>
 <!--
     <appender-ref ref="SecurityAuditToSQLServerDB"/>
     <appender-ref ref="SecurityAuditToOracleDB"/>
     <appender-ref ref="SecurityAuditToCEFSyslog"/>
     <appender-ref ref="SecurityAuditToCEFFile"/>
     <appender-ref ref="SecurityAuditToMySQLDB"/> -->
     <appender-ref ref="SecurityAudit2Splunk"/>
0 Karma

scruggsster
New Member

There are a few things you may need to further answer, and check to see if you have un-commented the appender earlier in the log4j*xml (I put * now that they have moved to log4j2.xml in the latest (8.0.1) release).

<appender-ref ref="SecurityAudit2Splunk"/>

should go where SecurityAudit2File is on the line below.

You also have to do this for every configuration. Do a search for `` and update every config that you want this active for (*SP, IdP, OAuth, etc.).

Example for SP audit logging; it should look like:

<Logger name="org.sourceid.websso.profiles.sp.SpAuditLogger"
            level="INFO" additivity="false" includeLocation="false">
            <appender-ref ref="SecurityAudit2File" />
            <appender-ref ref="SecurityAudit2Splunk"/>
</Logger>

*Remember to do this for any Audit logging configuration you need to see logs for.

0 Karma
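
One way to check both points from the answer across a whole file, as an added example that is not part of the thread or of the app's own code: it parses a log4j2-style configuration, reports whether a `SecurityAudit2Splunk` appender is defined outside a comment, and lists every logger that references `SecurityAudit2File` but not `SecurityAudit2Splunk`. It assumes the log4j2.xml layout (`<Appenders>` / `<Loggers>`); the sample XML is constructed, and `example.idp.AuditLogger` and the `RollingFile` attributes are hypothetical.

```python
import xml.etree.ElementTree as ET

FILE_REF = "SecurityAudit2File"      # appender name taken from the thread
SPLUNK_REF = "SecurityAudit2Splunk"  # appender name taken from the thread

# Constructed sample in log4j2.xml layout. Only the SP logger name and the two
# appender names come from the thread; everything else is made up.
SAMPLE = """\
<Configuration>
  <Appenders>
    <RollingFile name="SecurityAudit2File" fileName="audit.log" filePattern="audit.%i.log"/>
    <!-- <RollingFile name="SecurityAudit2Splunk" fileName="splunk-audit.log" filePattern="splunk-audit.%i.log"/> -->
  </Appenders>
  <Loggers>
    <Logger name="org.sourceid.websso.profiles.sp.SpAuditLogger" level="INFO" additivity="false">
      <appender-ref ref="SecurityAudit2File"/>
      <appender-ref ref="SecurityAudit2Splunk"/>
    </Logger>
    <Logger name="example.idp.AuditLogger" level="INFO" additivity="false">
      <appender-ref ref="SecurityAudit2File"/>
      <!-- <appender-ref ref="SecurityAudit2Splunk"/> -->
    </Logger>
  </Loggers>
</Configuration>
"""

def audit(xml_text):
    """Return (splunk_appender_defined, loggers_missing_the_splunk_ref)."""
    # The default parser drops XML comments, so anything still commented out
    # is treated as absent, which is how log4j itself will see the file.
    root = ET.fromstring(xml_text)
    defined, missing = False, []
    for el in root.iter():
        tag = el.tag.lower()
        if tag == "appenders":
            defined = any(a.get("name") == SPLUNK_REF for a in el)
        elif tag == "logger":
            refs = {c.get("ref") for c in el
                    if c.tag.lower() in ("appender-ref", "appenderref")}
            if FILE_REF in refs and SPLUNK_REF not in refs:
                missing.append(el.get("name"))
    return defined, missing

if __name__ == "__main__":
    defined, missing = audit(SAMPLE)
    print("Splunk appender defined:", defined)
    for name in missing:
        print("logger without", SPLUNK_REF + ":", name)
```

To run it against a real file, pass the file's contents to `audit()` instead of `SAMPLE`.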