How to get AD FS 2.0 WinEventLogs into Splunk?

jdaves
Path Finder

Hello Splunk Answers,

Is there a way to retrieve the "AD FS 2.0" event chain from Windows Event Logs by using the standard WinEventLog stanza as found in the inputs.conf of the Splunk_TA_windows? The logs are not stored in the base "Application" events, so they don't come in even though we're monitoring the Application logs already. I want to try and do this without the Active Directory app if possible, but if that is the best way then please let me know. The servers in my environment running AD FS are not domain controllers - they are separate servers.

I tried adding the following stanza to inputs.conf on one of the servers in my environment running AD FS 2.0:

[WinEventLog://AD FS 2.0]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

I haven't seen any new ADFS logs come in from this server after bouncing the Universal Forwarder on it. The name of the log path in the Windows Event Viewer is "AD FS 2.0" with one log file within - "Admin". I also tried the same stanza as above, but with "WinEventLog://AD FS 2.0/Admin" and it still doesn't work. Am I missing something? I couldn't find anything online for people asking about getting AD FS into Splunk. Thank you!!

1 Solution

jdaves
Path Finder

Ha... looks like patience is key. The proper stanza name is as follows:

[WinEventLog://AD FS 2.0/Admin]

Just had to wait a few minutes! At least this will hopefully prove useful to someone in the future!

wrangler2x
Motivator

These are all by default set as shown, so they can be omitted:

disabled = 0

start_from = oldest

current_only = 0

Don't know why the checkpointInterval is being changed, but the default is =0

Does anyone know if the path is //AD FS/Admin or //AD FS 3.0/Admin in AD FS 3.0?

0 Karma

wrangler2x
Motivator

Our Windows admins say it is [WinEventLog://AD FS/Admin] in 3.0

0 Karma

hvandenb
Path Finder

I think this has changed in the new version of AD FS:

[WinEventLog://AD FS/Admin]

ccsfdave
Builder

@hvandenb

Is
[WinEventLog://AD FS/Admin]
used for ADFS v3.0?

I added:
[WinEventLog://AD FS/Admin]
disabled = 0
index = msadevt

But no luck

0 Karma

ccsfdave
Builder

Never mind, needed to bounce the service.

0 Karma

cboillot
Contributor

Did you bounce Splunk or AD FS?

0 Karma

marellasunil
Communicator

[WinEventLog://AD FS 2.0/Admin]
is working for me.

Thanks

adobrzeniecki
Path Finder

Is this still good in 2021??

0 Karma
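An added example, not posted by anyone in this thread: a PowerShell snippet run on the AD FS host itself that lists the event log channels matching "AD FS*" and prints an inputs.conf stanza for each one, so the stanza name is copied from the channel that actually exists ("AD FS 2.0/Admin" on AD FS 2.0, "AD FS/Admin" on 3.0) instead of guessed. The index name msadevt is taken from the thread; the $Index parameter and the output layout are this example's own.

```powershell
# Added example (not from the thread): discover the AD FS event log channels present
# on this host and emit a ready-to-paste inputs.conf stanza for each of them.
# Assumes an elevated PowerShell session on the AD FS server.
param(
    # Index name taken from the thread; change to match your deployment.
    [string]$Index = 'msadevt'
)

# Get-WinEvent -ListLog accepts wildcards, so this matches both the AD FS 2.0
# channel ("AD FS 2.0/Admin") and the AD FS 3.0+ channel ("AD FS/Admin").
# Channels the current account cannot read are skipped rather than aborting.
$channels = Get-WinEvent -ListLog 'AD FS*' -ErrorAction SilentlyContinue

if (-not $channels) {
    Write-Warning 'No event log channel matching "AD FS*" exists on this host.'
    return
}

foreach ($ch in $channels) {
    # A disabled channel or one with zero records will never send anything to
    # Splunk no matter how the stanza is spelled, so show both before the stanza.
    '{0,-22} enabled={1,-5} records={2}' -f $ch.LogName, $ch.IsEnabled, $ch.RecordCount

    # The stanza name is the channel name exactly as Event Viewer shows it,
    # including the space and the slash, with no quoting.
@"
[WinEventLog://$($ch.LogName)]
disabled = 0
index = $Index
"@
}
```

After adding the stanza, restart the Universal Forwarder (the Windows service is named SplunkForwarder) so the new input is picked up, as ccsfdave found above.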