Splunk - Adding ADFS Logs from Windows Machines
A few of the last posts are related to setting up SSO with ADFS.
What we ran into was the need to pull in the Administrator logs from ADFS.
We weren't sure the best way to do this, since ADFS Admin logs are logged to a file, typically named something like: %SystemRoot%\System32\Winevt\Logs\AD FS%4Admin.evtx
Going through the typical practices of checking props to make sure the file is parsed properly we found that the formatting made things difficult.
We found that there was actually a REALLY simple way to get the data in. Since we were already using the Splunk_TA_windows app, we had basically all the props for WinEventLog already in the system, and since WinEventLog is natively processed, adding an input for this channel was easy.
# Stanza for the AD FS Admin channel, named after the .evtx file above
# (Windows writes the '/' of a channel name as '%4' in the file name)
[WinEventLog://AD FS/Admin]
index = windows_events
# must be 0, otherwise the input is switched off and nothing is collected
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
This simple addition to inputs.conf and we were able to easily ingest the ADFS administrator logs.
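As an added example (not part of the original post), the following Python maps an .evtx file name from Winevt\Logs to the channel name a WinEventLog stanza needs, renders the stanza shown above, and checks an inputs.conf for the one mistake that silently breaks this setup, a stanza left at disabled = 1. The index name and sample conf text are constructed for the example.

```python
import configparser
from pathlib import PureWindowsPath
from typing import List

EVTX_SLASH = "%4"  # Windows encodes '/' in a channel name as '%4' in the file name


def channel_from_evtx(path: str) -> str:
    """Map an .evtx file name to the Windows event channel it backs.

    r'...\\Winevt\\Logs\\AD FS%4Admin.evtx' -> 'AD FS/Admin'
    """
    name = PureWindowsPath(path).name
    if not name.lower().endswith(".evtx"):
        raise ValueError(f"not an .evtx file: {path}")
    return name[: -len(".evtx")].replace(EVTX_SLASH, "/")


def wineventlog_stanza(channel: str, index: str) -> str:
    """Render the inputs.conf stanza from the post (enabled, full history)."""
    return "\n".join([
        f"[WinEventLog://{channel}]",
        f"index = {index}",
        "disabled = 0",
        "start_from = oldest",
        "current_only = 0",
        "checkpointInterval = 5",
    ])


def enabled_wineventlog_inputs(conf_text: str) -> List[str]:
    """Return the channels of WinEventLog stanzas that will actually collect.

    A stanza with 'disabled = 1' (or a non-zero value) is reported as absent,
    which is the usual reason an otherwise correct input produces no events.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    prefix = "WinEventLog://"
    return [
        s[len(prefix):]
        for s in cp.sections()
        if s.startswith(prefix) and cp.get(s, "disabled", fallback="0").strip() == "0"
    ]


if __name__ == "__main__":
    # constructed input: the path quoted in the post
    chan = channel_from_evtx(r"%SystemRoot%\System32\Winevt\Logs\AD FS%4Admin.evtx")
    conf = wineventlog_stanza(chan, "windows_events")
    print(conf)
    print("enabled:", enabled_wineventlog_inputs(conf))
```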
If these were not Windows Event Logs that Splunk can read natively through WinEventLog, indexing the .evtx files directly would be much trickier, and there are limitations on indexing .evtx files. So make sure you plan your deployment well.
That's all for today! Just a tip on getting ADFS logs into your system.
Hope it helps!