Remotely search the AD FS event logs of all AD FS servers for a specific UPN

This script lets you remotely search the Security event log of every AD FS server in a farm for a particular UPN (email address), write the matching 'AD FS Auditing' events to a text log, and optionally collect every related event that shares the same InstanceID into an XML file so the whole authentication transaction can be reviewed.

Configure $servers to list the AD FS servers you wish to query. AD FS auditing must be enabled on the farm for the Security log to contain 'AD FS Auditing' events, and the account running the script needs remote read access to the Security log on each server.

Set $queryXTRA to $true to also collect every event that shares an InstanceID with a matching event (the full transaction for that request), or $false to log only the direct UPN matches.

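# ADFS Event Log Query - Search by UPN
#
# Remotely queries the Security log of each AD FS server for 'AD FS Auditing'
# events whose data contains a given UPN, writes the hits to a text log and,
# when $queryXTRA is set, pulls every event that shares an Instance ID with a
# hit into an XML file so the whole request can be reviewed.
#
# Prerequisites (not verified by the script):
#   - AD FS auditing must be enabled on the farm; otherwise the Security log
#     holds no 'AD FS Auditing' events and every query returns nothing.
#   - The account running this needs remote read access to the Security log
#     on every server in $servers and the remote event log RPC endpoint must
#     be reachable.
#
# The output files contain UPNs and whatever the audit events carry (client
# addresses, claims); treat them as sensitive and delete them when done.
Clear-Host

# Time window to search. Defaults to the last 96 hours; override with explicit
# [datetime] values to narrow the investigation window.
$start = (Get-Date).AddHours(-96)
#$start = [datetime]"3/28/2018 2:00:00 PM" # "3/27/2018 11:00:00 AM"
$end = Get-Date
#$end = [datetime]"3/28/2018 4:00:00 PM" # "3/27/2018 11:30:00 AM"

# Output location. The original wrote to C:\users\public, which every local
# user can read; audit data belongs in the investigator's own profile.
# One timestamp for both files so the .txt and .xml names always match
# (two separate Get-Date calls could straddle a second boundary).
$outputDir = $env:USERPROFILE
$runStamp  = Get-Date -Format yyyy-MM-dd_HH_mm_ss
$logfile = Join-Path $outputDir "ADFSlogging_$runStamp.txt"
$xmlfile = Join-Path $outputDir "ADFSlogging_$runStamp.xml"
$servers = "server1.domain.com", "server2.domain.com"
$queryXTRA  = $true # $true / $false ; Queries and logs the additional associated events based on the activityID / transactionID
#==================================================================================================================================

# Instance IDs seen in matching events, deduplicated so each transaction is
# queried once per server.
$xtraInstances = New-Object System.Collections.ArrayList

# Common filter for every query; only the Data value differs per call.
# 'Data' matches any EventData value equal to the supplied string.
$baseFilter = @{
    LogName      = 'security'
    ProviderName = 'AD FS Auditing'
    StartTime    = $start
    EndTime      = $end
}

# START UPN Search
$searchInput = Read-Host -Prompt "Enter UPN to query (username@domain.com)"
If ([string]::IsNullOrWhiteSpace($searchInput)) {
    Write-Warning "No UPN entered - nothing to search."
    return
}

# NOTE: the root element is named 'xml', which the XML spec reserves; .NET
# consumers may reject it. Kept for compatibility with existing tooling.
# -Encoding Ascii replaces non-ASCII characters with '?'; switch to UTF8 if
# UPNs or claim values can contain them.
Add-Content -Path $xmlfile -Value "<xml>" -Encoding Ascii
Add-Content -Path $logfile -Value "Searching for UPN: $searchInput"

ForEach ($server in $servers) {
    Write-Host ":::: Processing $server..." -ForegroundColor Yellow
    Add-Content -Path $logfile -Value ":::: Processing $server..."

    # Get-WinEvent reports "No events were found" as an error as well as real
    # failures (access denied, RPC unavailable); capture rather than throw and
    # surface it below instead of silently dropping it.
    $events = Get-WinEvent -FilterHashtable ($baseFilter + @{ Data = $searchInput }) -ComputerName $server -ErrorVariable EvtERR -ErrorAction SilentlyContinue
    If ($EvtERR) {
        Write-Warning "${server}: $($EvtERR[0])"
        Add-Content -Path $logfile -Value "ERROR ${server}: $($EvtERR[0])"
    } Else {
        ForEach ($entry in $events) {
            $event = [xml]$entry.ToXml()
            # For 'AD FS Auditing' events the first EventData element is the
            # Instance ID that ties the events of one request together.
            # @() guards the single-Data case, where [0] would otherwise index
            # into the string itself.
            $InstanceID = @($event.Event.EventData.Data)[0]

            # Message can come back empty when provider metadata cannot be
            # resolved for the remote event; fall back to the raw XML so the
            # hit is not silently skipped (assumption - confirm in your setup).
            $text = If ($entry.Message) { $entry.Message } Else { $event.OuterXml }

            # Escaped so a UPN containing regex metacharacters ('.', '+') is
            # matched literally; $matches[0] holds the matched text.
            If ($text -match [regex]::Escape($searchInput)) {
                $timestamp = $entry.TimeCreated
                $eventID = $entry.Id
                Add-Content -Path $logfile -Value "MSG: $text"
                Write-Host "UPN: $($matches[0])`tEventID: $eventID`tTimestamp: $timestamp`tInstanceID: $InstanceID" -ForegroundColor Cyan
                Add-Content -Path $logfile -Value "UPN: $($matches[0])`tEventID: $eventID`tTimeStamp: $timestamp`tInstanceID: $InstanceID"
                Add-Content -Path $logfile -Value ":::: =================================================================== ::::"
                # [void] suppresses the index ArrayList.Add returns, which the
                # original let leak onto the console.
                If ($queryXTRA -and $InstanceID -and ($xtraInstances -notcontains $InstanceID)) {
                    [void]$xtraInstances.Add($InstanceID)
                }
            }
        }
    }

    # poll extra events: every event on this server carrying one of the
    # Instance IDs collected so far, so the full transaction is captured.
    If ($queryXTRA) {
        ForEach ($Instance in $xtraInstances) {
            $xEvents = Get-WinEvent -FilterHashtable ($baseFilter + @{ Data = $Instance }) -ComputerName $server -ErrorVariable xEvtERR -ErrorAction SilentlyContinue
            If ($xEvtERR) {
                Add-Content -Path $logfile -Value "ERROR ${server} instance ${Instance}: $($xEvtERR[0])"
                continue
            }
            Write-Host "Found $(@($xEvents).Count) extra events for $Instance" -ForegroundColor Yellow
            # Bug fix: the original iterated $events (the UPN hits) here instead
            # of $xEvents, so the XML never contained the related events.
            ForEach ($entry in $xEvents) {
                $event = [xml]$entry.ToXml()
                # Drop empty placeholder Data elements to keep the XML readable.
                Add-Content -Path $xmlfile -Value $event.InnerXml.Replace('<Data>-</Data>','') -Encoding Ascii
            }
        }
    }
}
# END UPN Search
Add-Content -Path $xmlfile -Value "</xml>" -Encoding Ascii

# Open both files with their default handlers for review.
Invoke-Item $logfile
Invoke-Item $xmlfile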
