I am having an issue on my SSO-Pingfederate App server. I have modified my PF log4j file with the recommended appender change and restarted the PF service. I now see the "splunk-audit.log" in the PF log directory but it is empty. I have been checking it every hour now and it's still at 0KB. (3hrs have passed.)
<level value="INFO" />
<appender-ref ref="SecurityAudit2File"/>
<!--
<appender-ref ref="SecurityAuditToCEFSyslog"/>
<appender-ref ref="SecurityAuditToCEFFile"/>
<appender-ref ref="SecurityAuditToMySQLDB"/>
<appender-ref ref="SecurityAuditToSQLServerDB"/>
<appender-ref ref="SecurityAuditToOracleDB"/> -->
<appender-ref ref="SecurityAudit2Splunk"/>
<level value="INFO" />
<appender-ref ref="SecurityAudit2File"/>
<!--
<appender-ref ref="SecurityAuditToSQLServerDB"/>
<appender-ref ref="SecurityAuditToOracleDB"/>
<appender-ref ref="SecurityAuditToCEFSyslog"/>
<appender-ref ref="SecurityAuditToCEFFile"/>
<appender-ref ref="SecurityAuditToMySQLDB"/> -->
<appender-ref ref="SecurityAudit2Splunk"/>
There are a few things you may need to further answer, and check to see if you have un-commented the appender earlier in the log4j*xml (I put * now that they have moved to log4j2.xml in the latest (8.0.1) release).
<appender-ref ref="SecurityAudit2Splunk"/>
should go where SecurityAudit2File is on the line below.
You also have to do this for every configuration. Do a search for `` and update every config that you want this active for (*Sp, Idp, OAuth, etc.).
Example for SP audit logging; it should look like:
<Logger name="org.sourceid.websso.profiles.sp.SpAuditLogger"
level="INFO" additivity="false" includeLocation="false">
<appender-ref ref="SecurityAudit2File" />
<appender-ref ref="SecurityAudit2Splunk"/>
</Logger>
*Remember to do this for any Audit logging configuration you need to see logs for.
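
One way to run the check the answer describes, added here as an example and not part of the original thread or of PingFederate's own tooling: it parses a log4j2-style file, confirms the `SecurityAudit2Splunk` appender is defined, and lists every logger that references `SecurityAudit2File` but not `SecurityAudit2Splunk`. The sample configuration is constructed; the `<File>` appender attributes and the logger name `example.idp.AuditLogger` are placeholders, and treating "references SecurityAudit2File" as the marker of an audit logger is an assumption drawn from the answer.

```python
import xml.etree.ElementTree as ET

FILE_REF = "SecurityAudit2File"      # appender the audit loggers already use
SPLUNK_REF = "SecurityAudit2Splunk"  # appender the thread says to add beside it

# Constructed sample, not a real PingFederate log4j2.xml. The <File> attributes
# and the logger name "example.idp.AuditLogger" are placeholders.
SAMPLE = """<Configuration>
  <Appenders>
    <File name="SecurityAudit2File" fileName="audit.log"/>
    <File name="SecurityAudit2Splunk" fileName="splunk-audit.log"/>
  </Appenders>
  <Loggers>
    <Logger name="org.sourceid.websso.profiles.sp.SpAuditLogger" level="INFO" additivity="false">
      <appender-ref ref="SecurityAudit2File"/>
      <appender-ref ref="SecurityAudit2Splunk"/>
    </Logger>
    <Logger name="example.idp.AuditLogger" level="INFO" additivity="false">
      <appender-ref ref="SecurityAudit2File"/>
      <!-- <appender-ref ref="SecurityAudit2Splunk"/> -->
    </Logger>
  </Loggers>
</Configuration>"""


def _refs(logger):
    """Appender names a logger references; commented-out refs are never parsed."""
    return {el.get("ref") for el in logger
            if el.tag.lower().replace("-", "") == "appenderref"}


def check_splunk_audit(xml_text):
    """Return (appender_defined, loggers writing the audit file but not Splunk)."""
    root = ET.fromstring(xml_text)
    defined = any(ap.get("name") == SPLUNK_REF
                  for grp in root.iter() if grp.tag.lower() == "appenders"
                  for ap in grp)
    missing = [lg.get("name") for lg in root.iter()
               if lg.tag.lower() == "logger"
               and FILE_REF in _refs(lg) and SPLUNK_REF not in _refs(lg)]
    return defined, missing


if __name__ == "__main__":
    defined, missing = check_splunk_audit(SAMPLE)
    print("appender defined:", defined)
    for name in missing:
        print("logger missing", SPLUNK_REF + ":", name)
```

An appender that is defined but referenced by no logger still creates its file at startup and never receives an event, which matches the empty `splunk-audit.log` in the question.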