I wish to set up PingFederate to log to Splunk.
Ping describes it nicely here https://ping.force.com/Support/Configuring-PingFederate-with-Splunk but the referenced sections to be uncommented can't be found in my PF instance -- they may have been removed before my time as part of a clean-up.
What should the contents of the log4j2.xml be?
I'm using PingFederate 8.4.1.
Some additional information on configuring PingFederate's log4j2.xml is available here: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93&topicId=qst1564002981075.html
If you do not have a SecurityAudit2Splunk appender defined in your log4j2.xml, it should look something like:
<RollingFile name="SecurityAudit2Splunk" fileName="${sys:pf.log.dir}/splunk-audit.log"
             filePattern="${sys:pf.log.dir}/splunk-audit.%d{yyyy-MM-dd}.log"
             ignoreExceptions="false">
    <PatternLayout>
        <pattern>%d trackingid="%X{trackingid}" event=%X{event} subject="%X{subject}" ip=%X{ip} app=%X{app} connectionid=%X{connectionid} protocol=%X{protocol} pfhost=%X{host} role=%X{role} status=%X{status} adapterid=%X{adapterid} description="%X{description}" responsetime=%X{responsetime} %n</pattern>
    </PatternLayout>
    <Policies>
        <TimeBasedTriggeringPolicy />
    </Policies>
</RollingFile>
If you want to see an original log4j2.xml configuration file, you can always download PingFederate again to compare: https://www.pingidentity.com/en/resources/downloads/pingfederate.html
Also note that there is a PingFederate App for Splunk that can be a useful starting point for reporting: https://splunkbase.splunk.com/app/976/
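
Added example, not part of the original answer and not PingFederate or Splunk code: a small Python check that parses lines in the key=value layout of the pattern above and flags missing, unexpected or repeated keys, which is worth running on splunk-audit.log before relying on field extraction. The sample lines are constructed, and the timestamp assumes Log4j 2's default %d format.

```python
import re

# Keys in the order the PatternLayout above writes them.
FIELDS = ["trackingid", "event", "subject", "ip", "app", "connectionid",
          "protocol", "pfhost", "role", "status", "adapterid",
          "description", "responsetime"]

# key="quoted value" or key=bare (bare is empty when the MDC value is unset).
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

def parse_audit_line(line):
    """Return (timestamp, fields, problems) for one splunk-audit.log line."""
    start = re.search(r'\btrackingid=', line)
    if start is None:
        return None, {}, ["no trackingid field; not an audit line"]
    timestamp = line[:start.start()].strip()
    fields, problems = {}, []
    for m in PAIR.finditer(line, start.start()):
        key = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if key not in FIELDS:
            problems.append(f"unexpected key: {key}")
        elif key in fields:
            problems.append(f"duplicate key: {key}")  # first value is kept
        else:
            fields[key] = value
    problems += [f"missing key: {k}" for k in FIELDS if k not in fields]
    return timestamp, fields, problems

# Constructed sample lines (not real PingFederate output).
GOOD = ('2024-01-15 10:23:45,123 trackingid="tid:abc123" event=SSO '
        'subject="joe@example.com" ip=192.0.2.10 app= connectionid=sp:example '
        'protocol=SAML20 pfhost=pf01 role=IdP status=success '
        'adapterid=HtmlForm description="" responsetime=42 ')
# status appears twice and responsetime is absent.
BAD = ('2024-01-15 10:23:46,001 trackingid="tid:def456" event=SSO '
       'subject="joe" status=success ip=192.0.2.10 app= connectionid=sp:example '
       'protocol=SAML20 pfhost=pf01 role=IdP status=failure '
       'adapterid=HtmlForm description="" ')

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        ts, fields, problems = parse_audit_line(sample)
        print(ts, fields.get("status"), problems or "ok")
```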