- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to configure the Splunk App for PingFederate?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to configure the Splunk App for PingFederate, but there doesn't seem to be and step-by-step instructions out there, or any instructions really.
I've got the Ping servers stood up, configured properly, and indexed and searchable in Splunk. However, there is no data showing up in the PingFederate app. I can't find a way to sync/feed the indexes/logs into the app.
Does anyone know how to setup this app properly?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Depending on where you are in your various installations, this
https://support.pingidentity.com/Configuring-PingFederate-with-Splunk (older)
and this
https://documentation.pingidentity.com/pingfederate/pf83/index.shtml#adminGuide/concept/writingAudit... (newer)
should get you pretty close depending on your version.
I also noticed the SecuityAudit2Splunk logger is commented out in the log4j2.xml, and no one seems to mention it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Depending on where you are in your various installations, this
https://support.pingidentity.com/Configuring-PingFederate-with-Splunk (older)
and this
https://documentation.pingidentity.com/pingfederate/pf83/index.shtml#adminGuide/concept/writingAudit... (newer)
should get you pretty close depending on your version.
I also noticed the SecuityAudit2Splunk logger is commented out in the log4j2.xml, and no one seems to mention it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your comment and help.
We actually found out that editing the source XML on the various ping dashboards fixed most of our problems. When we opened the original dashboards that came packaged with the Ping app, none of them referenced any indexes, so we added the index for the Ping data into the XML, and many of the dashboards began to work.
Additionally, we discovered that making a copy of the savedsearches.conf file from the default app directory and putting it into the local directory, then adding the Ping indexes to the stanzas within the file fixed almost all of the rest of them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The reason it didn't work without "index=" is that the indexe(s) for pingfederate would not have been in the "Search by default" (srchIndexesDefault) setting in the authorize.conf.
It may have been easier to allow the indexes you need to be searchable by default in the authorize.conf then this would have negated all the additional work you had to do. This can also be done on a user basis if required.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
