ADFS, WAP and Logging RRS feed

  • Question

  • I've done a fair amount of searching and this question escapes me.  When setting up a Web Application Proxy (Win2012R2), where are the security logs.  I know there is an application log for ADFS on the WAP but I don't see where say traffic logs are available.  Being as the WAP is an Internet facing device, I should think there are traffic logs available.  Can someone point me in the right direction??  TIA.

    BTW:  I asked this first in the Remote Desktop Services forum, they said that was the wrong forum and to ask here...

    Friday, February 7, 2014 2:08 PM

All replies

  • Hi,

    To find more logging:

    1. In the Event Logs Microsoft-Windows-WebApplicationProxy/Admin and ADFS/Admin

    2. Check ADFS log on the ADFS farm server.

    3. You can enable analytic and debug logging in Event Viewer to get ETW tracing.

    Please refer to the below link for more details:

    Configure event logging on a federation server proxy



    Yan Li

    Regards, Yan Li

    Monday, February 10, 2014 9:42 AM
  • Hi Yan,

    Thank you for the reply.  I unfortunately have already looked at this, these are known as "Operational" logs.  As noted in the description:  "On a federation server proxy, events in the Application log contain additional information about errors regarding contact with the Federation Service."  I'm looking for "Traffic & User Audit" logs.  That is to say when items are exposed to the Internet it is common practice to feed telemetry data to security devices likes SIEM's.  So someone tried to brute force a login (and by the way I am aware of setting the ADFS Extranet Lockout), user XYZ logged in from two different places in the same hour but they are totally different subnet's that geo-locate to physically different locations.  That kind of awareness if provided by SIEM's.  SIEM's in turn rely on real time flow and event log data.  And that is usually gathered at the end-point.  So that is where I seem to be having a problem finding log data.  And while I see you can enable Debug and ETW events, I think those are related to Operational events, and even if they are not - that seems a bit unconventional (using high resource debug) for typical flow and event log traffic data.  Surly an external facing device dealing with authentication must have typical traffic flow event data logs?

    Monday, February 10, 2014 1:13 PM
  • Hi!

    Any updates on this? Curious as well.

    Are there any Traffic & User audit logs?

    There's a new blog in town: http://msfreaks.wordpress.com

    Friday, June 13, 2014 9:48 AM
  • To the best of my knowledge no traffic logs (can always use performance counters?), but user login audit events can be turned on/off by changing your federation service properties (on an ADFS server, not ADFS proxy) - see the Events tab.

    The best link I could find quickly was for AD FS 2.0, but it still applies to AD FS 3.0 as well - see http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-configuring-computers(WS.10).aspx#bkmk_ConfigureAuditing.  You might need to restart the AD FS server for changes to take effect - can't remember all that well.

    Friday, July 4, 2014 3:01 AM
  • Apply a GPO to your internal ADFS servers. Not the WAP servers.

    Set Advanced Audit Policy in the GPO. Enable both Success and Failure for the "audit application generated" category.

    After the new GPO advanced audit policy is applied, you'll see the external source IP address and UPN of any failed ADFS authentications coming from the WAP servers. 

    It will be in the Security Event logs on the internal ADFS servers. Filter on event ID #411.

    Friday, April 13, 2018 5:31 PM
  • We have published applications using Pass through authentication in WAP(2012 R2) and we are not relying on ADFS for authentication. We need logs to find out who and when the application was accessed(For Security Reasons). Please let us know if there are any user access logs for audit purpose? We already checked Admin logs for WAP but it doesn't give us enough information.
    Saturday, May 25, 2019 5:32 AM
  • Dea4 All, Any inputs or suggestions on this. Awaiting you kind response. Thanks & Regards, Pankaj
    Saturday, June 8, 2019 2:23 AM