topic How to collect "Analytic and Debug logs" from Windows Event Log? in Getting Data In

How to collect "Analytic and Debug logs" from Windows Event Log?

las — Fri, 25 Nov 2016 14:20:14 GMT

Hi.

I am trying to get Splunk to read an "AD FS 2.0 Tracing/debug" log.
When looking at the log in the Windows eventViewer, you have to enable the viewing by right clicking on "Applications and Services logs" select View and enable "Show Analytic and Debug logs".

When looking at the eventlog properties, they show the name as "AD FS 2.0 Tracing/Debug"

I paste that name into the inputs.conf, restart the Universal forwarder, and expects the logs to show up in my Splunk instance, sadly no logs show up.
I have verified there are log entries when looking thru Winevent viewer.
I get both the security log and an Admin log from the same server.

Do I have to do something different when dealing with debug logs?

My inputs.conf file for the server:

[default]
evt_dc_name =
evt_dns_name =

[WinEventLog://AD FS 2.0/Admin]
index = wineventlog
disabled = 0

[WinEventLog://Security]
index = wineventlog
disabled = 0

[WinEventLog://AD FS 2.0 Tracing/Debug]
index = wineventlog
disabled = 0

[WinEventLog://AD FS 2.0 Tracing-Debug]
index = wineventlog
disabled = 0

Thanks for the help.

Re: How to collect "Analytic and Debug logs" from Windows Event Log?

gcusello — Fri, 25 Nov 2016 14:28:39 GMT

Hi las,
you have to understand where your application puts its logs: in WinEventLog:Security or WinEventLog:Application?
after you have to enable the relative monitoring

[WinEventLog://Application]
disabled = 0
current_only = 0
checkpointInterval = 5
index = wineventlog

[WinEventLog://Security]
disabled = 0
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
ignoreOlderThan = 2d

Bye.
Giuseppe

Re: How to collect "Analytic and Debug logs" from Windows Event Log?

las — Fri, 25 Nov 2016 14:35:06 GMT

Hi Giuseppe.

The log is neither in the application, security or system logs.
When I look at the properties for ADFS 2.0 admin log it shows this:
Full Name: AD FS 2.0/Admin
This log is correctly indexed by Splunk

When I look at the debug log it show the following:
Full Name: AD FS 2.0 Tracing/Debug
This one is not indexed.

Kind regards
Lars

Re: How to collect "Analytic and Debug logs" from Windows Event Log?

gcusello — Fri, 25 Nov 2016 14:40:21 GMT

are there AD FS 2.0 Tracing/Debug in WinEventViewer?
Maybe Debug logging must be enabled by the application.
Bye.
Giuseppe

Re: How to collect "Analytic and Debug logs" from Windows Event Log?

las — Fri, 25 Nov 2016 15:04:47 GMT

I think this is the same problem as stcrispan has a question on here
https://answers.splunk.com/answers/443320/how-to-collect-windows-event-logs-that-are-not-fro.html

Kind regards
Lars

Re: How to collect "Analytic and Debug logs" from Windows Event Log?

wbfoxii — Wed, 06 Mar 2019 13:24:46 GMT

OK - My ADFS team enabled this and they are dumping to a text file. I'm picking them up with this stanza:

[monitor://C:\Windows\System32\winevt\Logs\AD FS Tracing.evtx]

I did not have to specify a sourcetype and this is what showed up:
sourcetype="WinEventLog:AD FS Tracing/Debug"

Our admins are not enabling Debug all of the time, because (as you expect, it sure generates events!)