
How to get AD FS 2.0 WinEventLogs into Splunk?

jdaves
Path Finder

Hello Splunk Answers,

Is there a way to retrieve the "AD FS 2.0" event chain from Windows Event Logs by using the standard WinEventLog stanza as found in the inputs.conf of the Splunk_TA_windows? The logs are not stored in the base "Application" events, so they don't come in even though we're monitoring the Application logs already. I want to try and do this without the Active Directory app if possible, but if that is the best way then please let me know. The servers in my environment running AD FS are not domain controllers - they are separate servers.

I tried adding the following stanza to inputs.conf on one of the servers in my environment running AD FS 2.0:

[WinEventLog://AD FS 2.0]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

I haven't seen any new ADFS logs come in from this server after bouncing the Universal Forwarder on it. The name of the log path in the Windows Event Viewer is "AD FS 2.0" with one log file within - "Admin". I also tried the same stanza as above, but with "WinEventLog://AD FS 2.0/Admin" and it still doesn't work. Am I missing something? I couldn't find anything online for people asking about getting AD FS into Splunk. Thank you!!

1 Solution

jdaves
Path Finder

Ha... looks like patience is key. The proper stanza name is as follows:

[WinEventLog://AD FS 2.0/Admin]

Just had to wait a few minutes! At least this will hopefully prove useful to someone in the future!


wrangler2x
Motivator

These are all by default set as shown, so they can be omitted:

disabled = 0
start_from = oldest
current_only = 0

Don't know why the checkpointInterval is being changed, but the default is =0

Does anyone know if the path is //AD FS/Admin or //AD FS 3.0/Admin in AD FS 3.0?


wrangler2x
Motivator

Our Windows admins say it is [WinEventLog://AD FS/Admin] in 3.0


hvandenb
Path Finder

I think this has changed in the new version of AD FS:

[WinEventLog://AD FS/Admin]

ccsfdave
Builder

@hvandenb

Is [WinEventLog://AD FS/Admin] used for ADFS v3.0?

I added:
[WinEventLog://AD FS/Admin]
disabled = 0
index = msadevt

But no luck


ccsfdave
Builder

nevermind, needed to bounce the service.


cboillot
Contributor

Did you bounce Splunk or AD FS?

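The thread lands on two different stanza names depending on the AD FS version ("AD FS 2.0/Admin" on AD FS 2.0, "AD FS/Admin" on AD FS 3.0), and on the fact that the forwarder has to be restarted before a new stanza is read. Rather than guessing the channel name, read it off the host. The PowerShell below is an added example for this thread, not code from any poster or from Splunk_TA_windows: it lists the AD FS admin channels present on the server, prints the matching inputs.conf stanza for each, and with -Apply appends them to the forwarder's local inputs.conf and restarts the SplunkForwarder service. The index name msadevt and the inputs.conf path are assumptions; adjust both to your deployment.

```powershell
# Added example (not from the original thread): discover the real AD FS event
# channel name on this host and emit the matching [WinEventLog://...] stanza.
# The stanza name must match the channel's LogName exactly, spaces included:
#   AD FS 2.0  -> [WinEventLog://AD FS 2.0/Admin]
#   AD FS 3.0+ -> [WinEventLog://AD FS/Admin]
# $IndexName and $InputsConf are assumptions; change them for your environment.

param(
    [string]$IndexName  = 'msadevt',
    [string]$InputsConf = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf',
    [switch]$Apply
)

# 1. Enumerate every event channel whose name starts with "AD FS".
#    -ListLog accepts wildcards. RecordCount tells you whether anything has
#    ever been written to the channel, so an empty index is not mistaken for a
#    broken input. The "*Admin" filter drops the AD FS Tracing/Debug channel,
#    which is disabled by default and not what you want in Splunk.
$channels = Get-WinEvent -ListLog 'AD FS*' -ErrorAction SilentlyContinue |
    Where-Object { $_.LogName -like '*Admin' } |
    Select-Object LogName, IsEnabled, RecordCount, LastWriteTime

if (-not $channels) {
    Write-Warning 'No "AD FS*" event channels found. Is the AD FS role installed on this host?'
    return
}

$channels | Format-Table -AutoSize

# 2. Build one stanza per channel. Settings left at their defaults
#    (start_from, current_only) are omitted, as wrangler2x notes above.
$stanzas = foreach ($c in $channels) {
@"
[WinEventLog://$($c.LogName)]
disabled = 0
index = $IndexName
"@
}
$stanzaText = $stanzas -join "`n`n"
Write-Output $stanzaText

# 3. Optionally write the stanza and restart the forwarder. A new stanza is
#    only picked up after the Universal Forwarder is restarted, which is why
#    ccsfdave saw nothing until the service was bounced.
if ($Apply) {
    Add-Content -Path $InputsConf -Value "`n$stanzaText"
    Restart-Service -Name SplunkForwarder
    Write-Output "Appended $($channels.Count) stanza(s) to $InputsConf and restarted SplunkForwarder."
}

# 4. To confirm events are arriving, search in Splunk for the source the input
#    sets, which is "WinEventLog:" followed by the channel name, e.g.
#    index=msadevt source="WinEventLog:AD FS 2.0/Admin"
#    (substitute "AD FS/Admin" on AD FS 3.0). Allow a few minutes for the first
#    batch, as jdaves found.
```

Run it once without -Apply to see which channel names exist and what stanza would be written; the RecordCount column is the quickest way to tell an empty channel (AD FS has simply not logged anything yet) from a mistyped stanza name.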


marellasunil
Communicator

[WinEventLog://AD FS 2.0/Admin]
Is working for me.

Thanks

adobrzeniecki
Path Finder

Is this still good in 2021??
