Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
All Apps and Add-ons
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- AD FS Audit Logs (ADFS Audit) XML issues: Why is t...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AD FS Audit Logs (ADFS Audit) XML issues: Why is the RAW not parsing out the XML?
samsonusmc
New Member
05-31-2020
01:52 PM
I am using Splunk TA for Windows infrastructure configured to consume the XML logs.
The problem is the RAW doesn't parse out the XML that is contained w/in the XML log very well (see raw output below)
It parses the "Outer" XML fine, but the "Inner" XML, not so much. (See all the lt; and gt;) > and < is just to get through this WYSIWYG editor
Anyone have good advice on how to get splunk to parse and store this properly?
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='AD FS Auditing'/>
<EventID Qualifiers='0'>1200</EventID>
<Level>0</Level>
<Task>3</Task>
<Keywords>0x80a0000000000000</Keywords>
<TimeCreated SystemTime='2020-05-31T20:31:28.875321100Z'/>
<EventRecordID>27322577</EventRecordID>
<Channel>Security</Channel>
<Computer>Computer</Computer>
<Security UserID='S-1-5-21----SID'/>
</System>
<EventData>
<Data>3fb4c7cb-865b-4d89-3e02-0080010000b3</Data>
<Data>&lt;?xml version="1.0" encoding="utf-16"?&gt;
&lt;AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit"&gt;
&lt;AuditType&gt;AppToken&lt;/AuditType&gt;
&lt;AuditResult&gt;Success&lt;/AuditResult&gt;
&lt;FailureType&gt;None&lt;/FailureType&gt;
&lt;ErrorCode&gt;N/A&lt;/ErrorCode&gt;
&lt;ContextComponents&gt;
&lt;Component xsi:type="ResourceAuditComponent"&gt;
&lt;RelyingParty&gt;RelyingParty&lt;/RelyingParty&gt;
&lt;ClaimsProvider&gt;AD AUTHORITY&lt;/ClaimsProvider&gt;
&lt;UserId&gt;UserId&lt;/UserId&gt;
&lt;/Component&gt;
&lt;Component xsi:type="AuthNAuditComponent"&gt;
&lt;PrimaryAuth&gt;http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows&lt;/PrimaryAuth&gt;
&lt;DeviceAuth&gt;false&lt;/DeviceAuth&gt;
&lt;DeviceId&gt;N/A&lt;/DeviceId&gt;
&lt;MfaPerformed&gt;false&lt;/MfaPerformed&gt;
&lt;MfaMethod&gt;N/A&lt;/MfaMethod&gt;
&lt;TokenBindingProvidedId&gt;true&lt;/TokenBindingProvidedId&gt;
&lt;TokenBindingReferredId&gt;false&lt;/TokenBindingReferredId&gt;
&lt;SsoBindingValidationLevel&gt;TokenBoundAndValid&lt;/SsoBindingValidationLevel&gt;
&lt;/Component&gt;
&lt;Component xsi:type="ProtocolAuditComponent"&gt;
&lt;OAuthClientId&gt;N/A&lt;/OAuthClientId&gt;
&lt;OAuthGrant&gt;N/A&lt;/OAuthGrant&gt;
&lt;/Component&gt;
&lt;Component xsi:type="RequestAuditComponent"&gt;
&lt;Server&gt;Server&lt;/Server&gt;
&lt;AuthProtocol&gt;SAMLP&lt;/AuthProtocol&gt;
&lt;NetworkLocation&gt;Intranet&lt;/NetworkLocation&gt;
&lt;IpAddress&gt;IpAddress&lt;/IpAddress&gt;
&lt;ForwardedIpAddress /&gt;
&lt;ProxyIpAddress&gt;N/A&lt;/ProxyIpAddress&gt;
&lt;NetworkIpAddress&gt;N/A&lt;/NetworkIpAddress&gt;
&lt;ProxyServer&gt;N/A&lt;/ProxyServer&gt;
&lt;UserAgentString&gt;Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko&lt;/UserAgentString&gt;
&lt;Endpoint&gt;/adfs/ls/wia&lt;/Endpoint&gt;
&lt;/Component&gt;
&lt;/ContextComponents&gt;
&lt;/AuditBase&gt;</Data>
</EventData>
</Event>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
_joe
Communicator
06-30-2021
06:00 AM
Option 1:
# Would be good to apply only to the ADFS host if possible
# props.conf
[source::adfs-host]
REPORT-windows_broken_json_1200 = windows_broken_json
# transforms.conf
# props.conf
[source::adfs-host]
REPORT-windows_broken_json_1200 = windows_broken_json
# transforms.conf
[windows_broken_json]
FORMAT = $1::$2
REGEX = <(?!(?:headerName|headerValue))([^&/\=]+)>([^&]+)<
Option 2:
# Props.conf
[source::adfs-host]
You probably also want to add a lookup with definitions, etc, for these events since they aren't in the Splunk Windows TA.
Option 2:
# Props.conf
[source::adfs-host]
EXTRACT-windows_activity_id = \<\/System\>\<EventData\>\<Data\>(?<activity_id>[a-fA-F0-9\-]+)\<\/Data\>
EXTRACT-windows_adfs_src = <IpAddress>(?<src>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})</IpAddress>
EXTRACT-windows_adfs_user_id = <UserId>(?<User_ID>[^&]+)</UserId>
EXTRACT-windows_adfs_Target_User = <UserId>([A-Za-z]{1,5}[\/\\]){0,1}(?<Target_User_Name>[^&]+)</UserId>
EXTRACT-windows_adfs_AuditResult = <AuditResult>(?<AuditResult>[A-Za-z]+)</AuditResult>
You probably also want to add a lookup with definitions, etc, for these events since they aren't in the Splunk Windows TA.
Could also update your windows_activity_id to the following if you have 40x events which change the order around...
EXTRACT-windows_activity_id_1 = </System><EventData><Data>(?<instance_id>[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20})</Data><Data>(?<activity_id>[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20})</Data>
EXTRACT-windows_activity_id_2 = </System><EventData><Data>(?<activity_id>[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20}-[a-f0-9]{2,20})</Data>
I would also love to know if there is a comprehensive CIM-compliant app for Windows ADFS logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lbruhns
Explorer
04-09-2021
01:06 PM
I have an admin on demand ticket open for this right now, did you ever get resolution?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JonD
New Member
04-12-2021
01:37 PM
I'm running into the same problem. Was there a resolution to this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ole
Engager
01-24-2023
02:29 AM
I have the same problem. Did you find a solution?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
05-31-2020
07:24 PM
@samsonusmc ,
Use spath command to extarct field-
...|spath
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath
Get Updates on the Splunk Community!
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
Introducing the 2024 Splunk MVPs!
We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...
Splunk Custom Visualizations App End of Life
The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...
