Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
All Apps and Add-ons
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- AD FS Audit Logs (ADFS Audit) XML issues: Why is t...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AD FS Audit Logs (ADFS Audit) XML issues: Why is the RAW not parsing out the XML?
samsonusmc
New Member
05-31-2020
01:52 PM
I am using Splunk TA for Windows infrastructure configured to consume the XML logs.
The problem is the RAW doesn't parse out the XML that is contained w/in the XML log very well (see raw output below)
It parses the "Outer" XML fine, but the "Inner" XML, not so much. (See all the lt; and gt;) > and < is just to get through this WYSIWYG editor
Anyone have good advice on how to get splunk to parse and store this properly?
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='AD FS Auditing'/>
<EventID Qualifiers='0'>1200</EventID>
<Level>0</Level>
<Task>3</Task>
<Keywords>0x80a0000000000000</Keywords>
<TimeCreated SystemTime='2020-05-31T20:31:28.875321100Z'/>
<EventRecordID>27322577</EventRecordID>
<Channel>Security</Channel>
<Computer>Computer</Computer>
<Security UserID='S-1-5-21----SID'/>
</System>
<EventData>
<Data>3fb4c7cb-865b-4d89-3e02-0080010000b3</Data>
<Data>&lt;?xml version="1.0" encoding="utf-16"?&gt;
&lt;AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit"&gt;
&lt;AuditType&gt;AppToken&lt;/AuditType&gt;
&lt;AuditResult&gt;Success&lt;/AuditResult&gt;
&lt;FailureType&gt;None&lt;/FailureType&gt;
&lt;ErrorCode&gt;N/A&lt;/ErrorCode&gt;
&lt;ContextComponents&gt;
&lt;Component xsi:type="ResourceAuditComponent"&gt;
&lt;RelyingParty&gt;RelyingParty&lt;/RelyingParty&gt;
&lt;ClaimsProvider&gt;AD AUTHORITY&lt;/ClaimsProvider&gt;
&lt;UserId&gt;UserId&lt;/UserId&gt;
&lt;/Component&gt;
&lt;Component xsi:type="AuthNAuditComponent"&gt;
&lt;PrimaryAuth&gt;http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows&lt;/PrimaryAuth&gt;
&lt;DeviceAuth&gt;false&lt;/DeviceAuth&gt;
&lt;DeviceId&gt;N/A&lt;/DeviceId&gt;
&lt;MfaPerformed&gt;false&lt;/MfaPerformed&gt;
&lt;MfaMethod&gt;N/A&lt;/MfaMethod&gt;
&lt;TokenBindingProvidedId&gt;true&lt;/TokenBindingProvidedId&gt;
&lt;TokenBindingReferredId&gt;false&lt;/TokenBindingReferredId&gt;
&lt;SsoBindingValidationLevel&gt;TokenBoundAndValid&lt;/SsoBindingValidationLevel&gt;
&lt;/Component&gt;
&lt;Component xsi:type="ProtocolAuditComponent"&gt;
&lt;OAuthClientId&gt;N/A&lt;/OAuthClientId&gt;
&lt;OAuthGrant&gt;N/A&lt;/OAuthGrant&gt;
&lt;/Component&gt;
&lt;Component xsi:type="RequestAuditComponent"&gt;
&lt;Server&gt;Server&lt;/Server&gt;
&lt;AuthProtocol&gt;SAMLP&lt;/AuthProtocol&gt;
&lt;NetworkLocation&gt;Intranet&lt;/NetworkLocation&gt;
&lt;IpAddress&gt;IpAddress&lt;/IpAddress&gt;
&lt;ForwardedIpAddress /&gt;
&lt;ProxyIpAddress&gt;N/A&lt;/ProxyIpAddress&gt;
&lt;NetworkIpAddress&gt;N/A&lt;/NetworkIpAddress&gt;
&lt;ProxyServer&gt;N/A&lt;/ProxyServer&gt;
&lt;UserAgentString&gt;Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko&lt;/UserAgentString&gt;
&lt;Endpoint&gt;/adfs/ls/wia&lt;/Endpoint&gt;
&lt;/Component&gt;
&lt;/ContextComponents&gt;
&lt;/AuditBase&gt;</Data>
</EventData>
</Event>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
_joe
Communicator
06-30-2021
06:00 AM
Option 1:
# Would be good to apply only to the ADFS host if possible
# props.conf
[source::adfs-host]
REPORT-windows_broken_json_1200 = windows_broken_json
# transforms.conf
# props.conf
[source::adfs-host]
REPORT-windows_broken_json_1200 = windows_broken_json
# transforms.conf
[windows_broken_json]
FORMAT = $1::$2
REGEX = <(?!(?:headerName|headerValue))([^&/\=]+)>([^&]+)<
Option 2:
# Props.conf
[source::adfs-host]
You probably also want to add a lookup with definitions, etc, for these events since they aren't in the Splunk Windows TA.
Option 2:
# Props.conf
[source::adfs-host]
EXTRACT-windows_activity_id = \<\/System\>\<EventData\>\<Data\>(?<activity_id>[a-fA-F0-9\-]+)\<\/Data\>
EXTRACT-windows_adfs_src = <IpAddress>(?<src>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})</IpAddress>
EXTRACT-windows_adfs_user_id = <UserId>(?<User_ID>[^&]+)</UserId>
EXTRACT-windows_adfs_Target_User = <UserId>([A-Za-z]{1,5}[\/\\]){0,1}(?<Target_User_Name>[^&]+)</UserId>
EXTRACT-windows_adfs_AuditResult = <AuditResult>(?<AuditResult>[A-Za-z]+)</AuditResult>
You probably also want to add a lookup with definitions, etc, for these events since they aren't in the Splunk Windows TA.
Could also update your windows_activity_id to the following if you have 40x events which change the order around...
EXTRACT-windows_activity_id_1 = </System><EventData><Data>(?<instance_id>[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20})</Data><Data>(?<activity_id>[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20})</Data>
EXTRACT-windows_activity_id_2 = </System><EventData><Data>(?<activity_id>[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20})</Data>
I would also love to know if there is a comprehensive CIM-compliant app for Windows ADFS logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lbruhns
Explorer
04-09-2021
01:06 PM
I have an admin on demand ticket open for this right now, did you ever get resolution?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JonD
New Member
04-12-2021
01:37 PM
I'm running into the same problem. Was there a resolution to this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ole
Engager
01-24-2023
02:29 AM
I have the same problem. Did you find a solution?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
05-31-2020
07:24 PM
@samsonusmc ,
Use spath command to extarct field-
...|spath
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
