Solved: Re: How to collect "Analytic and Debug logs" from ...

las · ‎11-25-2016

Hi.

I am trying to get Splunk to read an "AD FS 2.0 Tracing/debug" log.
When looking at the log in the Windows eventViewer, you have to enable the viewing by right clicking on "Applications and Services logs" select View and enable "Show Analytic and Debug logs".

When looking at the eventlog properties, they show the name as "AD FS 2.0 Tracing/Debug"

I paste that name into the inputs.conf, restart the Universal forwarder, and expects the logs to show up in my Splunk instance, sadly no logs show up.
I have verified there are log entries when looking thru Winevent viewer.
I get both the security log and an Admin log from the same server.

Do I have to do something different when dealing with debug logs?

My inputs.conf file for the server:

[default]
evt_dc_name =
evt_dns_name =

[WinEventLog://AD FS 2.0/Admin]
index = wineventlog
disabled = 0

[WinEventLog://Security]
index = wineventlog
disabled = 0

[WinEventLog://AD FS 2.0 Tracing/Debug]
index = wineventlog
disabled = 0

[WinEventLog://AD FS 2.0 Tracing-Debug]
index = wineventlog
disabled = 0

Thanks for the help.

wbfoxii · ‎03-06-2019

OK - My ADFS team enabled this and they are dumping to a text file. I'm picking them up with this stanza:

[monitor://C:\Windows\System32\winevt\Logs\AD FS Tracing.evtx]

I did not have to specify a sourcetype and this is what showed up:
sourcetype="WinEventLog:AD FS Tracing/Debug"

Our admins are not enabling Debug all of the time, because (as you expect, it sure generates events!)

View solution in original post

wbfoxii · ‎03-06-2019

OK - My ADFS team enabled this and they are dumping to a text file. I'm picking them up with this stanza:

[monitor://C:\Windows\System32\winevt\Logs\AD FS Tracing.evtx]

I did not have to specify a sourcetype and this is what showed up:
sourcetype="WinEventLog:AD FS Tracing/Debug"

Our admins are not enabling Debug all of the time, because (as you expect, it sure generates events!)

gcusello · ‎11-25-2016

Hi las,
you have to understand where your application puts its logs: in WinEventLog:Security or WinEventLog:Application?
after you have to enable the relative monitoring

[WinEventLog://Application]
disabled = 0
current_only = 0
checkpointInterval = 5
index = wineventlog

or

[WinEventLog://Security]
disabled = 0
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
ignoreOlderThan = 2d

Bye.
Giuseppe

las · ‎11-25-2016

Hi Giuseppe.

The log is neither in the application, security or system logs.
When I look at the properties for ADFS 2.0 admin log it shows this:
Full Name: AD FS 2.0/Admin
This log is correctly indexed by Splunk

When I look at the debug log it show the following:
Full Name: AD FS 2.0 Tracing/Debug
This one is not indexed.

Kind regards
Lars

gcusello · ‎11-25-2016

are there AD FS 2.0 Tracing/Debug in WinEventViewer?
Maybe Debug logging must be enabled by the application.
Bye.
Giuseppe

las · ‎11-25-2016

I think this is the same problem as stcrispan has a question on here
https://answers.splunk.com/answers/443320/how-to-collect-windows-event-logs-that-are-not-fro.html

Kind regards
Lars

How to collect "Analytic and Debug logs" from Windows Event Log?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)