To collect PingFederate events, configure PingFederate to send CEF events to QRadar.
The IBM QRadar DSM for PingFederate supports events that are collected from PingFederate by using the Syslog protocol.
Procedure
- Configure PingFederate to communicate with QRadar by following the configuration steps in the PingFederate documentation on writing audit logs.
- Edit the log4j2.xml file, which is located at <pf_install>/pingfederate/server/default/conf/log4j2.xml.
- Add the following details to log4j2.xml.
<Socket name="SecurityAuditToCEFSyslog" host="<Qradar_host>" port="514" protocol="TCP" ignoreExceptions="false">
  <PingSyslogLayout>
    <PatternLayout>
      <pattern>%escape{CEF}{CEF:0|Ping Identity|PingFederate|%X{pfversion}|%X{event}|%X{event}|0|rt=%d{MMM dd yyyy HH:mm:ss.SSS} duid=%X{subject} src=%X{ip} msg=%X{status} cs1Label=Target Application URL cs1=%X{app} cs2Label=Connection ID cs2=%X{connectionid} cs3Label=Protocol cs3=%X{protocol} dvchost=%X{host} cs4Label=Role cs4=%X{role} externalId=%X{trackingid} cs5Label=SP Local User ID cs5=%X{localuserid} cs6Label=Attributes cs6=%X{attributes} %n}</pattern>
    </PatternLayout>
  </PingSyslogLayout>
</Socket>
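To confirm that events produced by the pattern above arrive as well-formed CEF with every expected extension key, a captured line can be parsed and checked. This is an added example, not IBM or Ping Identity code; the sample line and all of its values are constructed, and parse_cef and check_event are hypothetical helper names.

```python
import re

# Extension keys the pattern above emits, in order.
EXPECTED_KEYS = ("rt duid src msg cs1Label cs1 cs2Label cs2 cs3Label cs3 dvchost "
                 "cs4Label cs4 externalId cs5Label cs5 cs6Label cs6").split()
HEADER_NAMES = ["version", "vendor", "product", "device_version",
                "event_class_id", "name", "severity"]

# Constructed sample line (not captured from a real system).
SAMPLE = ("CEF:0|Ping Identity|PingFederate|11.0|SSO|SSO|0|"
          "rt=Jan 15 2024 10:22:31.456 duid=jdoe src=192.0.2.10 msg=success "
          "cs1Label=Target Application URL cs1=https://app.example.com/?a\\=1 "
          "cs2Label=Connection ID cs2=sp:example cs3Label=Protocol cs3=SAML20 "
          "dvchost=pf01.example.com cs4Label=Role cs4=IdP externalId=tid:abc123 "
          "cs5Label=SP Local User ID cs5= cs6Label=Attributes cs6={uid\\=jdoe}")


def parse_cef(line):
    """Split a CEF line (with or without a syslog prefix) into header and extension dicts."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF prefix")
    # Header fields are separated by unescaped pipes; the 8th part is the extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("expected 7 header fields plus extension")
    header = {n: v.replace("\\|", "|") for n, v in zip(HEADER_NAMES, parts[:7])}
    # A key is a word followed directly by '='; its value runs to the next
    # " key=", so values may contain spaces (for example the csNLabel values).
    raw = parts[7].strip()
    marks = list(re.finditer(r"(?:^|\s)(\w+)=", raw))
    ext = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(raw)
        ext[m.group(1)] = raw[m.end():end].strip().replace("\\=", "=")
    return header, ext


def check_event(line):
    """Return a list of problems; an empty list means the line matches the pattern."""
    header, ext = parse_cef(line)
    problems = []
    if (header["vendor"], header["product"]) != ("Ping Identity", "PingFederate"):
        problems.append("unexpected vendor/product")
    missing = [k for k in EXPECTED_KEYS if k not in ext]
    if missing:
        problems.append("missing keys: " + ",".join(missing))
    return problems
```
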
What to do next
Add a PingFederate - Syslog log source in QRadar. For more information, see Syslog log source parameters for PingFederate.