PingOne Advanced Identity Cloud

Export log events to an external monitoring tool

You can export Advanced Identity Cloud log event data to an external monitoring tool, a process sometimes known as push logging. This lets you monitor certain events in near real time and troubleshoot issues using your preferred SIEM or event monitoring solution, such as an OpenTelemetry-compatible SIEM or Splunk.

Advanced Identity Cloud supports streaming log event data in OpenTelemetry Protocol (OTLP) and Splunk formats.

To configure a log event exporter, use REST API calls to define the telemetry format, the log sources to export, and the destination monitoring tool. Advanced Identity Cloud’s log event exporter service then retrieves the logs and sends them to your chosen monitoring tool in near real time.

log events push
An Advanced Identity Cloud tenant environment can have only one log event exporter. This means you can only send logs to one external monitoring tool or SIEM.

Use cases

Exporting Advanced Identity Cloud log events to an external monitoring tool has many use cases, including:

  • Debug journeys while viewing real-time events and errors.

  • Monitor the performance of authentications during journey creation.

  • Collect events from Advanced Identity Cloud and enrich them with data from other sources.

  • Detect and respond to critical events. For example, a sudden spike in registrations might mean an effective marketing program or suspicious activity.

  • Set alerts on authentication and registration requests from particular regions.

  • Monitor the improper use of APIs.

  • Monitor user activity, success/failure rates, and password reset requests.

Supported export formats

The log event exporter service supports the following export formats:

Set up a log event exporter

  1. Determine the Advanced Identity Cloud log sources to export.

  2. Configure your destination monitoring service to receive log events from Advanced Identity Cloud.

    Refer to your monitoring tool vendor documentation for configuration details.

  3. If you’re exporting log events to Splunk:

    1. Configure HTTP Event Collector (HEC) .

      You must disable indexer acknowledgment for the HEC token. The Advanced Identity Cloud log event exporter isn’t compatible with this feature.

    2. Make a note of the HEC token. You’ll need this when you configure the log event export in Advanced Identity Cloud.

  4. Configure the log event export in Advanced Identity Cloud using REST. Learn more in Manage log event exporters using the API.

  5. Verify that the log events are arriving at the external monitoring tool correctly.