I am using the Splunk TA for Windows Infrastructure configured to consume the XML logs.
The problem is that the raw event doesn't parse out the XML that is contained within the XML log very well (see raw output below).
It parses the "outer" XML fine, but the "inner" XML, not so much (see all the lt; and gt;). The > and < are just to get through this WYSIWYG editor.
Anyone have good advice on how to get Splunk to parse and store this properly?
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='AD FS Auditing'/>
<EventID Qualifiers='0'>1200</EventID>
<Level>0</Level>
<Task>3</Task>
<Keywords>0x80a0000000000000</Keywords>
<TimeCreated SystemTime='2020-05-31T20:31:28.875321100Z'/>
<EventRecordID>27322577</EventRecordID>
<Channel>Security</Channel>
<Computer>Computer</Computer>
<Security UserID='S-1-5-21----SID'/>
</System>
<EventData>
<Data>3fb4c7cb-865b-4d89-3e02-0080010000b3</Data>
<Data>&lt;?xml version="1.0" encoding="utf-16"?&gt;
&lt;AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit"&gt;
&lt;AuditType&gt;AppToken&lt;/AuditType&gt;
&lt;AuditResult&gt;Success&lt;/AuditResult&gt;
&lt;FailureType&gt;None&lt;/FailureType&gt;
&lt;ErrorCode&gt;N/A&lt;/ErrorCode&gt;
&lt;ContextComponents&gt;
&lt;Component xsi:type="ResourceAuditComponent"&gt;
&lt;RelyingParty&gt;RelyingParty&lt;/RelyingParty&gt;
&lt;ClaimsProvider&gt;AD AUTHORITY&lt;/ClaimsProvider&gt;
&lt;UserId&gt;UserId&lt;/UserId&gt;
&lt;/Component&gt;
&lt;Component xsi:type="AuthNAuditComponent"&gt;
&lt;PrimaryAuth&gt;http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows&lt;/PrimaryAuth&gt;
&lt;DeviceAuth&gt;false&lt;/DeviceAuth&gt;
&lt;DeviceId&gt;N/A&lt;/DeviceId&gt;
&lt;MfaPerformed&gt;false&lt;/MfaPerformed&gt;
&lt;MfaMethod&gt;N/A&lt;/MfaMethod&gt;
&lt;TokenBindingProvidedId&gt;true&lt;/TokenBindingProvidedId&gt;
&lt;TokenBindingReferredId&gt;false&lt;/TokenBindingReferredId&gt;
&lt;SsoBindingValidationLevel&gt;TokenBoundAndValid&lt;/SsoBindingValidationLevel&gt;
&lt;/Component&gt;
&lt;Component xsi:type="ProtocolAuditComponent"&gt;
&lt;OAuthClientId&gt;N/A&lt;/OAuthClientId&gt;
&lt;OAuthGrant&gt;N/A&lt;/OAuthGrant&gt;
&lt;/Component&gt;
&lt;Component xsi:type="RequestAuditComponent"&gt;
&lt;Server&gt;Server&lt;/Server&gt;
&lt;AuthProtocol&gt;SAMLP&lt;/AuthProtocol&gt;
&lt;NetworkLocation&gt;Intranet&lt;/NetworkLocation&gt;
&lt;IpAddress&gt;IpAddress&lt;/IpAddress&gt;
&lt;ForwardedIpAddress /&gt;
&lt;ProxyIpAddress&gt;N/A&lt;/ProxyIpAddress&gt;
&lt;NetworkIpAddress&gt;N/A&lt;/NetworkIpAddress&gt;
&lt;ProxyServer&gt;N/A&lt;/ProxyServer&gt;
&lt;UserAgentString&gt;Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko&lt;/UserAgentString&gt;
&lt;Endpoint&gt;/adfs/ls/wia&lt;/Endpoint&gt;
&lt;/Component&gt;
&lt;/ContextComponents&gt;
&lt;/AuditBase&gt;</Data>
</EventData>
</Event>
Option 1:
I have an Admin On Demand ticket open for this right now; did you ever get a resolution?
I'm running into the same problem. Was there a resolution to this?
I have the same problem. Did you find a solution?
I have the same problem.
Only on ADFS audit logs; maybe something to change on the Windows server directly instead of touching Splunk here?
@samsonusmc,
Use the spath command to extract the field:
...|spath
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath
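The event in the question is really two XML documents: the Windows event, and an AD FS AuditBase document that sits entity-escaped inside the second <Data> element. Whatever the tool, it has to be parsed in two passes: the first pass decodes the &lt; and &gt; entities and yields the inner document as text, the second pass parses that text. Splunk's spath takes input= and path= arguments, so the same shape is possible in SPL; whether the TA hands you the inner value already entity-decoded is worth confirming on your own data. The Python below is an added example, not Splunk's code and not from the poster; the sample event is constructed from the one in the question (trimmed, with the same placeholder values), and the component-qualified field names are my own choice so that fields from different components cannot collide.

```python
# Added example (not Splunk's code, not from the post's author): parse a Windows
# event whose <Data> element carries a second, entity-escaped XML document, as
# the AD FS audit event in the post does, in two passes.
import re
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample, trimmed from the event shown in the post. Values such as
# 'Computer', 'UserId' and 'IpAddress' are the placeholders the post used.
SAMPLE_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='AD FS Auditing'/>
<EventID Qualifiers='0'>1200</EventID>
<TimeCreated SystemTime='2020-05-31T20:31:28.875321100Z'/>
<Channel>Security</Channel>
<Computer>Computer</Computer>
</System>
<EventData>
<Data>3fb4c7cb-865b-4d89-3e02-0080010000b3</Data>
<Data>&lt;?xml version="1.0" encoding="utf-16"?&gt;
&lt;AuditBase xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit"&gt;
&lt;AuditType&gt;AppToken&lt;/AuditType&gt;
&lt;AuditResult&gt;Success&lt;/AuditResult&gt;
&lt;FailureType&gt;None&lt;/FailureType&gt;
&lt;ContextComponents&gt;
&lt;Component xsi:type="ResourceAuditComponent"&gt;
&lt;RelyingParty&gt;RelyingParty&lt;/RelyingParty&gt;
&lt;UserId&gt;UserId&lt;/UserId&gt;
&lt;/Component&gt;
&lt;Component xsi:type="AuthNAuditComponent"&gt;
&lt;PrimaryAuth&gt;http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows&lt;/PrimaryAuth&gt;
&lt;MfaPerformed&gt;false&lt;/MfaPerformed&gt;
&lt;/Component&gt;
&lt;Component xsi:type="RequestAuditComponent"&gt;
&lt;NetworkLocation&gt;Intranet&lt;/NetworkLocation&gt;
&lt;IpAddress&gt;IpAddress&lt;/IpAddress&gt;
&lt;ForwardedIpAddress /&gt;
&lt;Endpoint&gt;/adfs/ls/wia&lt;/Endpoint&gt;
&lt;/Component&gt;
&lt;/ContextComponents&gt;
&lt;/AuditBase&gt;</Data>
</EventData>
</Event>"""


def parse_audit_payload(text):
    """Second pass: the inner AD FS AuditBase document, already entity-decoded
    by the first pass. Returns flat, component-qualified field names."""
    # The declaration says utf-16, but we hold decoded text; drop it so the
    # parser is not told about an encoding that no longer applies.
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text).strip()
    audit = ET.fromstring(text)
    fields = {"AuditBase.type": audit.get(XSI_TYPE)}
    for child in audit:
        if child.tag != "ContextComponents":
            fields[child.tag] = (child.text or "").strip()
    for comp in audit.iter("Component"):
        ctype = comp.get(XSI_TYPE, "Component")
        for field in comp:
            # Empty elements such as <ForwardedIpAddress /> become ""
            fields[f"{ctype}.{field.tag}"] = (field.text or "").strip()
    return fields


def parse_event(raw):
    """First pass: the outer Windows event. ElementTree decodes the &lt;/&gt;
    entities inside <Data>, which is what exposes the inner XML as text."""
    root = ET.fromstring(raw)
    system = root.find(EVENT_NS + "System")
    fields = {
        "EventID": system.findtext(EVENT_NS + "EventID"),
        "Computer": system.findtext(EVENT_NS + "Computer"),
        "TimeCreated": system.find(EVENT_NS + "TimeCreated").get("SystemTime"),
        "Data": [d.text or "" for d in root.iter(EVENT_NS + "Data")],
    }
    for value in fields["Data"]:
        # Only a <Data> value that is itself XML gets the second pass; the
        # activity GUID in the first <Data> is kept as a plain string.
        if value.lstrip().startswith("<"):
            fields.update(parse_audit_payload(value))
    return fields


if __name__ == "__main__":
    for key, value in parse_event(SAMPLE_EVENT).items():
        print(f"{key} = {value}")
```

Run it as-is to see the flattened field list; the fields that matter for an authentication audit (AuditResult, AuthNAuditComponent.MfaPerformed, RequestAuditComponent.NetworkLocation, RequestAuditComponent.IpAddress) come out as ordinary key/value pairs rather than one opaque blob of escaped text.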