We have the following -
[monitor://C:\Windows\System32\winevt\Logs\ADFS 2.0%4Admin.evtx]
disabled = 0
sourcetype=adfs:winevt:admin.evtx
index=<index_name>
Based on "How to get AD FS 2.0 WinEventLogs into Splunk?" -
It worked perfectly fine. The customer also wants the ADFS debug data and I'm not sure if it's included already... any thoughts?
Not sure whether this is right - How to collect "Analytic and Debug logs" from windows event log
They mention there - AD FS 2.0 Tracing/Debug