NXLog for auditing ADFS on Windows Server 2016
PowerShell commands for auditing ADFS on Windows Server 2016
ADFS audit configuration in Group Policy on Windows Server 2016
Enable the ADFS service account on Windows Server 2016
ADFS logs for troubleshooting
Send ADFS logs to Arctic Wolf

NXLog for auditing ADFS on Windows Server 2016 Direct link to this section

Active Directory Federation Services (ADFS) is a software component that can run on Windows Server operating systems to provide users with single sign-on (SSO) access to systems and applications located across organizational boundaries. This page explains how to enable auditing for ADFS, and how to send audit logs to Arctic Wolf using NXLog, for Windows Server 2016.

PowerShell commands for auditing ADFS on Windows Server 2016 Direct link to this section

By default, basic auditing is enabled for ADFS on Windows Server 2016. However, there are some basic PowerShell commands you can run to adjust the level of auditing for ADFS:

Command	Description
`Set-AdfsProperties -AuditLevel Basic`	Log no more than five events for a single request.
`Set-AdfsProperties -AuditLevel None`	Do not log audit events.
`Set-AdfsProperties -AuditLevel Verbose`	Log a significant number of events.
`Get-AdfsProperties`	View and/or verify the current auditing level.
`Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 8 -ExtranetObservationWindow (new-timespan -Minutes 15)`	Turn on Extranet Lockout.
`Set-AdfsProperties -AddBannedIps "1.2.3.4", "::3", "1.2.3.4/16"`	Add block IP addresses to ADFS.
Set-AdfsProperties -LogLevel ` `((Get-AdfsProperties).LogLevel+'SuccessAudits','FailureAudits')`	Use the Windows Internal Database (WID) as the storage method for the ADFS configuration database. Note: You must run these commands on the primary ADFS server.

ADFS audit configuration in Group Policy on Windows Server 2016 Direct link to this section

Based on Microsoft best practices, all Group Policy Objects (GPOs) that apply to ADFS servers should only apply to them and not other servers as well. See Arctic Wolf Group Policy Object Advanced Audit Policy for a starting point. Note, however, that some items do not apply if the ADFS server is not also a domain controller (DC).

Enable the ADFS service account on Windows Server 2016 Direct link to this section

The ADFS service account is disabled by default.

Note: Events from the auditing levels above the service account are independent of the default options on the Events tab of the ADFS properties.

To enable the ADFS service account:

Click Start, and then select Programs > Administrative Tools > Local Security Policy.

Tip: Microsoft recommends using the Local Security Policy application for this process.
Navigate to the Security Settings\Local Policies\User Rights Assignment folder, and then double-click Generate security audits.
On the Local Security Setting tab, verify that the ADFS service account is listed. If it is:
- Not present — Click Add User or Group and then add it to the list. Click OK.
- Present — Proceed to the next step.

Open a command prompt with elevated privileges and run this command to enable auditing:

auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

Close the Local Security Policy window.
Click Start, and then select Programs > Administrative Tools > ADFS Management to open the ADFS Management snap-in.
In the Actions pane, click Edit Federation Service Properties.
In the Federation Service Properties dialog box, click the Events tab.
Select Success audits and Failure audits, and then click OK.

Note: We recommend enabling Success audits and Failure audits on the ADFS Farm. To enable this, you must enable auditing using the Local Security Policy MMC snap-in.

ADFS logs for troubleshooting Direct link to this section

These are the primary logs used for ADFS troubleshooting:

Administrative log — Provides high-level information for issues. This logging is enabled by default.
Trace log — Generates in a short amount of time. This logging is disabled by default.

Send ADFS logs to Arctic Wolf Direct link to this section

Confirm that NXLog is installed on ADFS servers. See NXLog installation and version updates for more information.
Confirm that the nxlog.conf file for the Arctic Wolf Sensor, including Virtual Log Collectors (vLCs) or Virtual Sensors (vSensors), are installed in the same local area network.

Tip: The standard Arctic Wolf nxlog.conf file configuration used on your domain controller works for this process.
Confirm that NXLog is started.

ADFS Audit with NXLog

Installation Guide