Given an ADFS setup with 2 Windows 2012 R2 AD FS servers and 2 Windows Server 2012 R2 WAP servers, what is the proper configuration to allow AD FS to log security events? I have followed the following instructions:
https://jorgequestforknowledge.wordpress.com/2013/07/08/enabling-auditing-of-issued-claims-in-adfs-v2-x-and-adfs-v3-x/
After following the instructions from the URL above I do see security events being logged, but there is a lot of incomplete information in the event body. An example being:
Event ID: 410
Following request context headers present :
Activity ID: 00000000-0000-0000-d800-0080000000f5
X-MS-Client-Application: -
X-MS-Client-User-Agent: -
client-request-id: -
X-MS-Endpoint-Absolute-Path: /adfs/Proxy/webapplicationproxy/store
X-MS-Forwarded-Client-IP: -
X-MS-Proxy: -
Another example:
Event ID: 403
An HTTP request was received.
Activity ID: 00000000-0000-0000-d800-0080000000f5
Request Details:
Date And Time: 2015-06-04 15:59:50
Client IP: ###.###.###.###
HTTP Method: GET
Url Absolute Path: /adfs/Proxy/webapplicationproxy/store
Query string: ?api-version=1
Local Port: 443
Local IP: ###.###.###.###
User Agent: -
Content Length: 0
Caller Identity: -
Certificate Identity (if any): -
Targeted relying party: -
Through proxy: False
Proxy DNS name: -
Most of the important information is missing, like Target Relying Party and so on. How can I make sure all the necessary information is being resolved and populated properly?
The end game here is to forward the relevant events to a log monitoring service to make sense of them.
Thanks in advance for any help given!
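Added example, not part of the original post: a Python sketch that turns an event body like the 403 sample above into a record for a log forwarder, keeping populated fields apart from those printed as "-" and pulling out the Activity ID that both quoted events share. The function names and record layout are assumptions made for illustration; the sample text is copied from the post.

```python
PLACEHOLDER = "-"  # the samples in the post show "-" for unpopulated fields

# Sample body: the Event ID 403 text quoted in the post above (IPs masked there).
SAMPLE_403 = """\
An HTTP request was received.
Activity ID: 00000000-0000-0000-d800-0080000000f5
Request Details:
Date And Time: 2015-06-04 15:59:50
Client IP: ###.###.###.###
HTTP Method: GET
Url Absolute Path: /adfs/Proxy/webapplicationproxy/store
Query string: ?api-version=1
Local Port: 443
Local IP: ###.###.###.###
User Agent: -
Content Length: 0
Caller Identity: -
Certificate Identity (if any): -
Targeted relying party: -
Through proxy: False
Proxy DNS name: -
"""

def parse_event_body(body):
    """Split an audit event body into populated fields and empty field names."""
    fields, empty = {}, []
    for line in body.splitlines():
        # Split on the first colon only, so timestamps keep their own colons.
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep or not key or not value:
            continue  # description or section header such as "Request Details:"
        if value == PLACEHOLDER:
            empty.append(key)
        else:
            fields[key] = value
    return fields, empty

def to_record(event_id, body):
    """Build the record a forwarder would ship (hypothetical layout)."""
    fields, empty = parse_event_body(body)
    return {
        "event_id": event_id,
        "activity_id": fields.pop("Activity ID", None),  # joins 403 and 410
        "fields": fields,
        "empty_fields": empty,
    }

if __name__ == "__main__":
    print(to_record(403, SAMPLE_403))
```

Grouping records by `activity_id` on the monitoring side puts the 410 header event and the 403 request event for the same request next to each other.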