ADFS, WAP and Logging

    Question

  • I've done a fair amount of searching and this question escapes me. When setting up a Web Application Proxy (Win2012R2), where are the security logs? I know there is an application log for ADFS on the WAP, but I don't see where, say, traffic logs are available. Being as the WAP is an Internet-facing device, I should think there are traffic logs available. Can someone point me in the right direction? TIA.

    BTW: I asked this first in the Remote Desktop Services forum; they said that was the wrong forum and to ask here...

    Friday, February 07, 2014 2:08 PM

All replies

  • Hi,

    To find more logging:

    1. Check the Event Logs Microsoft-Windows-WebApplicationProxy/Admin and ADFS/Admin.

    2. Check the ADFS log on the ADFS farm server.

    3. You can enable analytic and debug logging in Event Viewer to get ETW tracing.

    Please refer to the below link for more details:

    Configure event logging on a federation server proxy

    http://technet.microsoft.com/pt-pt/library/cc756046(v=ws.10).aspx

    Regards,

    Yan Li


    Regards, Yan Li

    Monday, February 10, 2014 9:42 AM
    Moderator
  • Hi Yan,

    Thank you for the reply. Unfortunately I have already looked at this; these are known as "Operational" logs. As noted in the description: "On a federation server proxy, events in the Application log contain additional information about errors regarding contact with the Federation Service." I'm looking for "Traffic & User Audit" logs. That is to say, when items are exposed to the Internet it is common practice to feed telemetry data to security devices like SIEMs. For example: someone tried to brute-force a login (and by the way, I am aware of setting the ADFS Extranet Lockout), or user XYZ logged in from two different places in the same hour, but from totally different subnets that geo-locate to physically different locations. That kind of awareness is provided by SIEMs. SIEMs in turn rely on real-time flow and event log data, and that is usually gathered at the end-point. So that is where I seem to be having a problem finding log data. And while I see you can enable Debug and ETW events, I think those are related to Operational events, and even if they are not, that seems a bit unconventional (using high-resource debug) for typical flow and event log traffic data. Surely an external-facing device dealing with authentication must have typical traffic flow event data logs?

    Monday, February 10, 2014 1:13 PM
  • Hi!

    Any updates on this? Curious as well.

    Are there any Traffic & User audit logs?


    There's a new blog in town: http://msfreaks.wordpress.com

    Friday, June 13, 2014 9:48 AM
  • To the best of my knowledge there are no traffic logs (you can always use performance counters?), but user login audit events can be turned on/off by changing your federation service properties (on an ADFS server, not the ADFS proxy) - see the Events tab.

    The best link I could find quickly was for AD FS 2.0, but it still applies to AD FS 3.0 as well - see http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-configuring-computers(WS.10).aspx#bkmk_ConfigureAuditing. You might need to restart the AD FS server for changes to take effect - I can't remember all that well.

    Friday, July 04, 2014 3:01 AM
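The two answers above amount to a short procedure: read the WAP and AD FS admin event logs on the proxy, and turn on success/failure audit events on the federation server (the "Events" tab) so that sign-in attempts land in the Security log where a SIEM collector can pick them up. The PowerShell below is an added example written for this thread, not code from any of the posters or from Microsoft. It assumes an AD FS 3.0 (Windows Server 2012 R2) farm server for the audit functions and a WAP server for the admin-log function; the function names (`Enable-AdfsSecurityAuditing`, `Get-AdfsAuditEvents`, `Get-WapAdminEvents`) are this example's own, while `Get-AdfsProperties`, `Set-AdfsProperties`, `auditpol.exe` and `Get-WinEvent` are the real tools. It also assumes the AD FS service account already holds the "Generate security audits" user right, which the auditing documentation linked above requires.

```powershell
# Added example for this thread (not from the original posts or from Microsoft).
# Assumes: AD FS 3.0 on Windows Server 2012 R2 for the Adfs* functions, a WAP
# server for Get-WapAdminEvents, and that the AD FS service account has the
# "Generate security audits" right. Function names are this example's own.

function Enable-AdfsSecurityAuditing {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. AD FS raises its audits through the "Application Generated" audit
    #    subcategory; unless the OS audit policy enables it, nothing is written
    #    to the Security log even when the federation service asks for audits.
    auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable | Out-Null

    # 2. Add SuccessAudits/FailureAudits to the federation service LogLevel.
    #    This is the setting the "Events" tab of the AD FS console toggles.
    $current = @((Get-AdfsProperties).LogLevel)
    $wanted  = @($current + @('SuccessAudits', 'FailureAudits') | Select-Object -Unique)

    if ($PSCmdlet.ShouldProcess('AD FS federation service', "Set LogLevel to $($wanted -join ',')")) {
        Set-AdfsProperties -LogLevel $wanted
        # The last answer above notes a restart may be needed; the service
        # reads LogLevel at start, so restart it explicitly.
        Restart-Service -Name adfssrv
    }
    return $wanted
}

function Get-AdfsAuditEvents {
    # Audit events are written to the Security log by the "AD FS Auditing"
    # provider; this pulls the last N hours for forwarding or triage.
    param([int]$Hours = 24)

    Get-WinEvent -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Outcome'; Expression = { $_.KeywordsDisplayNames -join ',' } },
            Message
}

function Get-WapAdminEvents {
    # The two admin logs named in the first answer, read on the proxy itself.
    # Use the log names exactly as Event Viewer shows them on your server;
    # missing logs are skipped rather than aborting the run.
    param([int]$Hours = 24)

    $logs = @('Microsoft-Windows-WebApplicationProxy/Admin', 'AD FS/Admin')
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{
            LogName   = $log
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
            Select-Object @{ Name = 'Log'; Expression = { $log } },
                TimeCreated, Id, LevelDisplayName, Message
    }
}

# Typical use on the federation server (run elevated):
#   Enable-AdfsSecurityAuditing -WhatIf     # preview the LogLevel change
#   Enable-AdfsSecurityAuditing
#   Get-AdfsAuditEvents -Hours 1 | Group-Object Id | Sort-Object Count -Descending
# and on the WAP:
#   Get-WapAdminEvents -Hours 1 | Format-Table -AutoSize
```

Grouping the Security-log audits by event ID, as in the usage lines, gives a quick view of the mix of success and failure audits without hard-coding IDs; once the events are flowing, a standard Windows Event Forwarding subscription or the SIEM's own agent can collect the Security log from the AD FS server, which is where the "user audit" data the original poster wanted actually lives, rather than on the proxy.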