AD FS Auditing Events Dropping from Windows Pack

talantacp

The Microsoft Windows Events pack is currently dropping "SourceName=AD FS Auditing" events from the Security logs. I found the two lines that are not properly filtering the events.

1. Pipeline: Windows Classic Events, "Final Cleanup" lines 27 & 28, (Serialize & Eval).

I turned it off, but still working to get the events to not drop and convert to json.

Q: Wondering if this filter is currently being updated/corrected?

Jon Rust

There is an update to the Windows Pack coming soon. Big, enormous update. But just in case, if you could send a sample of the events being missed, Ill get with the Pack author (Amazin David Maislin) to make sure we handle this correctly. (DM in Slack would be best.)