Federation server events collection

Microsoft.ActiveDirectoryFederationServices.2016.FederationServerEventCollectionRule (Rule)

Knowledge Base article:

Element properties:

Member Modules:

Source Code:

<Rule ID="Microsoft.ActiveDirectoryFederationServices.2016.FederationServerEventCollectionRule" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>$Target/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$</LogName>

      <Expression>

        <RegExExpression>

          <ValueExpression>

            <XPathQuery Type="String">PublisherName</XPathQuery>

          </ValueExpression>

          <Operator>MatchesMOM2005RegularExpression</Operator>

          <Pattern>(^AD FS$)</Pattern>

        </RegExExpression>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>

    <WriteAction ID="WriteToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>

  </WriteActions>

</Rule>