Hi.
I am trying to get Splunk to read an "AD FS 2.0 Tracing/debug" log.
When looking at the log in the Windows eventViewer, you have to enable the viewing by right clicking on "Applications and Services logs" select View and enable "Show Analytic and Debug logs".
When looking at the eventlog properties, they show the name as "AD FS 2.0 Tracing/Debug"
I paste that name into the inputs.conf, restart the Universal forwarder, and expects the logs to show up in my Splunk instance, sadly no logs show up.
I have verified there are log entries when looking thru Winevent viewer.
I get both the security log and an Admin log from the same server.
Do I have to do something different when dealing with debug logs?
My inputs.conf file for the server:
[default]
evt_dc_name =
evt_dns_name =
[WinEventLog://AD FS 2.0/Admin]
index = wineventlog
disabled = 0
[WinEventLog://Security]
index = wineventlog
disabled = 0
[WinEventLog://AD FS 2.0 Tracing/Debug]
index = wineventlog
disabled = 0
[WinEventLog://AD FS 2.0 Tracing-Debug]
index = wineventlog
disabled = 0
Thanks for the help.
OK - My ADFS team enabled this and they are dumping to a text file. I'm picking them up with this stanza:
[monitor://C:\Windows\System32\winevt\Logs\AD FS Tracing.evtx]
I did not have to specify a sourcetype and this is what showed up:
sourcetype="WinEventLog:AD FS Tracing/Debug"
Our admins are not enabling Debug all of the time, because (as you expect, it sure generates events!)
OK - My ADFS team enabled this and they are dumping to a text file. I'm picking them up with this stanza:
[monitor://C:\Windows\System32\winevt\Logs\AD FS Tracing.evtx]
I did not have to specify a sourcetype and this is what showed up:
sourcetype="WinEventLog:AD FS Tracing/Debug"
Our admins are not enabling Debug all of the time, because (as you expect, it sure generates events!)
Hi las,
you have to understand where your application puts its logs: in WinEventLog:Security or WinEventLog:Application?
after you have to enable the relative monitoring
[WinEventLog://Application]
disabled = 0
current_only = 0
checkpointInterval = 5
index = wineventlog
or
[WinEventLog://Security]
disabled = 0
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
ignoreOlderThan = 2d
Bye.
Giuseppe
Hi Giuseppe.
The log is neither in the application, security or system logs.
When I look at the properties for ADFS 2.0 admin log it shows this:
Full Name: AD FS 2.0/Admin
This log is correctly indexed by Splunk
When I look at the debug log it show the following:
Full Name: AD FS 2.0 Tracing/Debug
This one is not indexed.
Kind regards
Lars
are there AD FS 2.0 Tracing/Debug in WinEventViewer?
Maybe Debug logging must be enabled by the application.
Bye.
Giuseppe
I think this is the same problem as stcrispan has a question on here
https://answers.splunk.com/answers/443320/how-to-collect-windows-event-logs-that-are-not-fro.html
Kind regards
Lars