ADFS 3.0 web server logs

  • Question

  • Does ADFS 3.0 keep web server logs somewhere separately from ADFS application logs? If so, where? Since it doesn't depend on IIS, I can't find it there...
    Wednesday, August 10, 2016 4:26 PM

Answers

  • The only logs I am aware of are the event logs for ADFS.

    Wednesday, August 10, 2016 7:00 PM
    Moderator
  • Every access generates logs as long as you enabled the audit. So the information is still there, just in a different format.

    Just an example:

    Get-WinEvent -FilterHashtable @{LogName="Security";ID=403} | %{ $_.Properties.Value -join " " }

    And here is the example of output:

    00000000-0000-0000-9758-0080000000b3 2016-08-11 15:32:58 10.0.0.7 GET /adfs/Proxy/GetConfiguration - 443 10.0.0.6 - 0 - - - False -
    00000000-0000-0000-662e-0080000000e1 2016-08-11 15:32:36 10.0.0.7 GET /adfs/Proxy/webapplicationproxy/store ?api-version=1 443 10.0.0.6 - 0 - - - False -
    00000000-0000-0000-652e-0080000000e1 2016-08-11 15:32:06 10.0.0.7 GET /adfs/Proxy/webapplicationproxy/store ?api-version=1 443 10.0.0.6 - 0 - - - False -
    00000000-0000-0000-0600-0080000000c9 2016-08-11 15:32:05 10.0.0.7 GET /adfs/ls/ ?wa=wsignin1.0&wtrealm=https%3a%2f%2fweb.piaudonn.com%2fclaimy%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fclaimy%252fdefault.aspx&wct=2016-08-11T15%3a32%3a05Z 443 10.0.0.6 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 0 - - - True adfsproxy01
    00000000-0000-0000-9658-0080000000b3 2016-08-11 15:31:58 10.0.0.7 GET /adfs/Proxy/GetConfiguration - 443 10.0.0.6 - 0 - - - False -
    00000000-0000-0000-0500-0080000000c9 2016-08-11 15:31:50 10.0.0.7 GET /adfs/ls/ ?wa=wsignin1.0&wtrealm=https%3a%2f%2fweb.piaudonn.com%2fclaimy%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fclaimy%252fdefault.aspx&wct=2016-08-11T15%3a31%3a50Z 443 10.0.0.6 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 0 - - - True adfsproxy01
    00000000-0000-0000-642e-0080000000e1 2016-08-11 15:31:36 10.0.0.7 GET /adfs/Proxy/webapplicationproxy/store ?api-version=1 443 10.0.0.6 - 0 - - - False -
    00000000-0000-0000-0400-0080000000c9 2016-08-11 15:31:11 10.0.0.7 GET /adfs/ls/ ?wa=wsignin1.0&wtrealm=https%3a%2f%2fweb.piaudonn.com%2fclaimy%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fclaimy%252fdefault.aspx&wct=2016-08-10T19%3a18%3a32Z 443 10.0.0.6 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 0 - - - True adfsproxy01
    00000000-0000-0000-0300-0080000000c9 2016-08-11 15:31:09 10.0.0.7 POST /adfs/ls/ ?wa=wsignin1.0&wtrealm=https%3a%2f%2fweb.piaudonn.com%2fclaimy%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fclaimy%252fdefault.aspx&wct=2016-08-10T19%3a18%3a32Z 443 10.0.0.6 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 81 - - - True adfsproxy01
    00000000-0000-0000-632e-0080000000e1 2016-08-11 15:31:06 10.0.0.7 GET /adfs/Proxy/webapplicationproxy/store ?api-version=1 443 10.0.0.6 - 0 - - - False -
    00000000-0000-0000-9558-0080000000b3 2016-08-11 15:30:58 10.0.0.7 GET /adfs/Proxy/GetConfiguration - 443 10.0.0.6 - 0 - - - False -
    00000000-0000-0000-0200-0080000000c9 2016-08-11 15:30:55 10.0.0.7 GET /adfs/ls/ ?wa=wsignin1.0&wtrealm=https%3a%2f%2fweb.piaudonn.com%2fclaimy%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fclaimy%252fdefault.aspx&wct=2016-08-10T19%3a18%3a32Z 443 10.0.0.6 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 0 - - - True adfsproxy01
    00000000-0000-0000-622e-0080000000e1 2016-08-11 15:30:36 10.0.0.7 GET /adfs/Proxy/webapplicationproxy/store ?api-version=1 443 10.0.0.6 - 0 - - - False -


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, August 11, 2016 8:53 PM
    Owner
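
The one-liner in the answer above flattens each event 403 into a space-separated line. The following added example (not part of the original post) parses those lines into objects so they can be filtered like a web server log. The field names are assumptions inferred from the column order of the sample output; check them against the event 403 message text on your own server.

```powershell
# Added example. Field names are assumptions inferred from the sample output's
# column order; the three "-" columns are kept as positional fields F12-F14.
function ConvertFrom-AdfsRequestLine {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin {
        # The user agent may contain spaces, so anchor the fixed columns on both sides of it.
        $pattern = '^(?<ActivityId>\S+) (?<Date>\d{4}-\d\d-\d\d) (?<Time>\d\d:\d\d:\d\d) ' +
            '(?<ClientIp>\S+) (?<Method>[A-Z]+) (?<Path>\S+) (?<Query>\S+) (?<Port>\d+) ' +
            '(?<LocalIp>\S+) (?<UserAgent>.+) (?<ContentLength>\d+) (?<F12>\S+) (?<F13>\S+) ' +
            '(?<F14>\S+) (?<ThroughProxy>True|False) (?<ProxyName>\S+)$'
    }
    process {
        if ($Line -notmatch $pattern) { Write-Warning "Unparsed line: $Line"; return }
        $m = $Matches.Clone()   # copy: the next -match overwrites $Matches
        $realm = $null
        # WS-Federation sign-in requests carry the relying party in wtrealm.
        if ($m['Query'] -match '(?:^\?|&)wtrealm=([^&]+)') {
            $realm = [uri]::UnescapeDataString($Matches[1])
        }
        [pscustomobject]@{
            TimeStamp     = [datetime]::ParseExact("$($m['Date']) $($m['Time'])",
                                'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            ActivityId    = $m['ActivityId']
            ClientIp      = $m['ClientIp']
            Method        = $m['Method']
            Path          = $m['Path']
            RelyingParty  = $realm
            UserAgent     = $m['UserAgent']
            ContentLength = [int]$m['ContentLength']
            ThroughProxy  = [bool]::Parse($m['ThroughProxy'])
            ProxyName     = $m['ProxyName']
        }
    }
}

# Sample lines copied from the output in the answer above.
$sample = @(
    '00000000-0000-0000-9758-0080000000b3 2016-08-11 15:32:58 10.0.0.7 GET /adfs/Proxy/GetConfiguration - 443 10.0.0.6 - 0 - - - False -'
    '00000000-0000-0000-0600-0080000000c9 2016-08-11 15:32:05 10.0.0.7 GET /adfs/ls/ ?wa=wsignin1.0&wtrealm=https%3a%2f%2fweb.piaudonn.com%2fclaimy%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fclaimy%252fdefault.aspx&wct=2016-08-11T15%3a32%3a05Z 443 10.0.0.6 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 0 - - - True adfsproxy01'
    '00000000-0000-0000-0300-0080000000c9 2016-08-11 15:31:09 10.0.0.7 POST /adfs/ls/ ?wa=wsignin1.0&wtrealm=https%3a%2f%2fweb.piaudonn.com%2fclaimy%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fclaimy%252fdefault.aspx&wct=2016-08-10T19%3a18%3a32Z 443 10.0.0.6 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 81 - - - True adfsproxy01'
)

# Keep sign-in traffic and drop the /adfs/Proxy/ polling requests seen in the sample.
$sample | ConvertFrom-AdfsRequestLine |
    Where-Object { $_.Path -like '/adfs/ls*' } |
    Select-Object TimeStamp, Method, ClientIp, ThroughProxy, ProxyName, RelyingParty |
    Format-Table -AutoSize
```

On a live server, replace `$sample` with the answer's pipeline: `Get-WinEvent -FilterHashtable @{LogName="Security";ID=403} | %{ $_.Properties.Value -join " " }`.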

All replies

  • Yeah, but web logs are different from event logs. I don't understand why Microsoft left that out when they made the switchover... frustrates me..
    Thursday, August 11, 2016 6:14 AM
  • Does this help?

    Tuesday, August 16, 2016 12:01 AM
    Owner