Todd Waller

Splunk - Adding ADFS Logs from Windows Machines

Hello Everyone!


A few of the recent posts have been about setting up SSO with ADFS.


What we ran into was the need to pull the ADFS Admin logs into Splunk.


We weren't sure of the best way to do this, since the ADFS Admin log lives on disk as an event log file, typically %SystemRoot%\System32\Winevt\Logs\AD FS%4Admin.evtx (the %4 is how Windows encodes the / in the channel name AD FS/Admin).


Going through the usual practice of checking props.conf to make sure the file would be parsed properly, we found that the .evtx format made a plain file monitor a poor fit.


It turned out there was a REALLY simple way to get the data in. Since we were already using the Splunk_TA_windows app, we had all the props for the WinEventLog sourcetype in the system already, and since the WinEventLog input is processed natively by the forwarder, adding an input for this channel was easy.


THE ANSWER:

[WinEventLog://AD FS/Admin]
index = windows_events
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false

Note that disabled must be 0 for the input to run; a stanza with disabled = 1 is loaded but never collects anything. start_from = oldest together with current_only = 0 makes the forwarder back-fill everything already in the channel before tailing new events, and renderXml = false keeps the classic text rendering that the Splunk_TA_windows props expect.


Add this stanza to inputs.conf on the forwarder that runs on the ADFS server (a local/ directory of your Windows TA or a dedicated inputs app), restart the forwarder, and the ADFS Admin events land in the windows_events index alongside the rest of your WinEventLog data. The channel name after WinEventLog:// must match what Event Viewer shows exactly, including the space in AD FS.
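Before dropping the stanza onto a forwarder it is worth confirming, on the ADFS server itself, that the channel name is right, that the log is enabled and actually has events in it, and that the stanza the forwarder loads does not still carry disabled = 1. The PowerShell below is an added example and is not code from the original post; the forwarder install path and the location of inputs.conf are assumptions you will need to adjust for your deployment.

```powershell
# Added example (not from the original post): pre-flight checks before pointing
# a Splunk universal forwarder at the ADFS Admin channel. Run on the ADFS server
# in an elevated PowerShell session. $SplunkHome and $InputsConf are assumptions.

$Channel    = 'AD FS/Admin'
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'                            # assumed install path
$InputsConf = Join-Path $SplunkHome 'etc\apps\Splunk_TA_windows\local\inputs.conf'   # assumed stanza location

# 1. Confirm the channel exists and is enabled. The stanza name must match LogName exactly.
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
"{0}: enabled={1} records={2}" -f $log.LogName, $log.IsEnabled, $log.RecordCount
"Backing file: {0}" -f $log.LogFilePath   # expect ...\AD FS%4Admin.evtx ('/' is stored as %4)

if (-not $log.IsEnabled) {
    Write-Warning "Channel is disabled; enable it in Event Viewer or with: wevtutil sl `"$Channel`" /e:true"
}

# 2. Make sure there is data to ingest, and see which providers write to the channel.
Get-WinEvent -LogName $Channel -MaxEvents 5 |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName |
    Format-Table -AutoSize

# 3. Check the forwarder's inputs.conf for the stanza and for a lingering disabled = 1.
if (Test-Path $InputsConf) {
    $conf = Get-Content $InputsConf -Raw
    # Grab just the body of our stanza: from its header up to the next [header] or end of file.
    $pattern = '(?ms)^\[WinEventLog://' + [regex]::Escape($Channel) + '\]\r?\n(.*?)(?=^\[|\z)'
    $m = [regex]::Match($conf, $pattern)
    if ($m.Success) {
        "Stanza present in $InputsConf"
        if ($m.Groups[1].Value -match '(?m)^\s*disabled\s*=\s*1\s*$') {
            Write-Warning 'Stanza has disabled = 1; the forwarder will not collect until it is set to 0'
        }
    } else {
        Write-Warning "No [WinEventLog://$Channel] stanza found in $InputsConf"
    }
} else {
    Write-Warning "$InputsConf not found; check where inputs live on this forwarder"
}

# 4. Ask the forwarder which settings it has actually merged for this input (btool ships with the UF).
& (Join-Path $SplunkHome 'bin\splunk.exe') btool inputs list "WinEventLog://$Channel" --debug
```

The btool step at the end is the one to trust when things look right on disk but nothing arrives: it shows the effective stanza after every app's default/ and local/ layers are merged, with the file each setting came from, so a disabled = 1 or a different index set elsewhere shows up immediately.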


Bear in mind this works because the ADFS Admin log is a Windows event log channel. If the data were only available as .evtx files (archived logs copied off the server, say), indexing them is much trickier: .evtx is a binary format, the forwarder reading the files has to be running on Windows, and there are other limitations on monitoring .evtx files directly. So plan your deployment accordingly.


That's all for today! Just a tip on getting ADFS logs into your system.


Hope it helps!


Cheers!


-Todd


