ADFS Auditing Configuration on Windows Server

Updated Feb 20, 2024

NXLog for auditing ADFS

Active Directory Federation Services (ADFS) is a software component that provides users with single sign-on (SSO) access to systems and applications located across organizational boundaries. You can enable auditing for ADFS and send audit logs to Arctic Wolf® using NXLog.

These operating systems (OSes) are supported:

PowerShell commands for auditing ADFS

By default, basic auditing is enabled for ADFS. However, you can run these PowerShell commands to adjust the ADFS auditing level:

Note: You must run these commands on the primary ADFS server.

ADFS audit configuration in Group Policy

Based on Microsoft best practices, all Group Policy Objects (GPOs) that apply to ADFS servers should not apply to other servers. See Arctic Wolf Group Policy Object Advanced Audit Policy for more information. If the ADFS server is not also a domain controller (DC), some items do not apply.

Enable the ADFS service account

The ADFS service account is disabled by default.

Note: Events generated at the auditing levels set above are independent of the default options on the Events tab of the Federation Service Properties dialog.

  1. Click Start > Programs > Administrative Tools > Local Security Policy.

    Tip: Microsoft recommends using the Local Security Policy application for this process.

  2. Navigate to the Security Settings\Local Policies\User Rights Assignment folder, and then double-click Generate security audits.

  3. On the Local Security Setting tab, check whether the ADFS service account is listed. If it is:

    • Not listed — Click Add User or Group, add it to the list, and then click OK.
    • Listed — Proceed to the next step.
  4. Open a command prompt with administrator permissions.

  5. Run this command to enable auditing:

    auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
  6. Close the Local Security Policy window.

  7. Click Start > Programs > Administrative Tools > ADFS Management to open the ADFS Management snap-in.

  8. In the Actions pane, click Edit Federation Service Properties.

  9. In the Federation Service Properties dialog, click the Events tab.

  10. Select Success audits and Failure audits.

    Note: Arctic Wolf recommends enabling Success audits and Failure audits on the ADFS Farm. To enable this, you must enable auditing using the Local Security Policy MMC snap-in.

  11. Click OK.
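As an added example (not part of this Arctic Wolf page and not Microsoft tooling), the following PowerShell script verifies on the primary ADFS server that each setting from the steps above is in place: the service account's Generate security audits right, the Application Generated subcategory, and the ADFS audit and Events tab settings. It assumes an elevated session on a server with the ADFS role and its PowerShell module installed; the service name adfssrv and the secedit/auditpol parsing are the script's own assumptions.

```powershell
# Added example: verify the ADFS auditing prerequisites from the steps above.
# Assumes an elevated session on the primary ADFS server with the ADFS role
# (and its PowerShell module) installed. 'adfssrv' is the ADFS service name.

# 1. Identify the account the ADFS service runs as.
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
$adfsAccount = $svc.StartName
"ADFS service account: $adfsAccount"

# 2. Check that this account holds 'Generate security audits' (SeAuditPrivilege).
#    secedit exports user rights as *SID lists, so translate the account to a SID.
$cfg = Join-Path $env:TEMP 'adfs-audit-check.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $cfg | Where-Object { $_ -match '^SeAuditPrivilege' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$nt  = New-Object System.Security.Principal.NTAccount($adfsAccount)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$hasRight = [bool]($rightLine -and ($rightLine -match [regex]::Escape($sid)))
"Generate security audits granted to ${adfsAccount}: $hasRight"

# 3. Check the 'Application Generated' subcategory (the auditpol step above).
#    auditpol /r emits CSV; 'Inclusion Setting' should read 'Success and Failure'.
$row = auditpol /get /subcategory:"Application Generated" /r |
    Where-Object { $_ -ne '' } | ConvertFrom-Csv
$inclusion = $row.'Inclusion Setting'
"Application Generated audit setting: $inclusion"
$subcatOk = ($inclusion -eq 'Success and Failure')

# 4. Check what ADFS itself records: AuditLevel (adjusted with
#    Set-AdfsProperties -AuditLevel) and the Events tab choices exposed as LogLevel.
$props = Get-AdfsProperties
"ADFS AuditLevel: $($props.AuditLevel)"
"ADFS LogLevel:   $($props.LogLevel -join ', ')"
$eventsOk = ($props.LogLevel -contains 'SuccessAudits') -and ($props.LogLevel -contains 'FailureAudits')

# Summary: all three must hold for ADFS audit events to land in the Security log,
# which is where NXLog collects them from.
if ($hasRight -and $subcatOk -and $eventsOk) {
    "OK: ADFS audit events should be written to the Security log."
} else {
    "Missing prerequisite(s): repeat the corresponding step(s) above before sending logs."
}
```

Run it once after completing the steps and again after any GPO change, since a Group Policy that reaches the ADFS server can silently overwrite the local user-rights and auditpol settings.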

ADFS logs for troubleshooting

These are the primary logs used for ADFS troubleshooting:

Send ADFS logs to Arctic Wolf

  1. Confirm that NXLog is installed on ADFS servers. See NXLog installation and version updates for more information.

  2. Confirm that the nxlog.conf file is configured for an Arctic Wolf Sensor, including Virtual Log Collectors (vLCs) or Virtual Sensors (vSensors), that is installed in the same local area network.

    Tip: The standard Arctic Wolf nxlog.conf file configuration used on your DC works for this process.

  3. Confirm that NXLog is started.