Channel: ADdict

Quick Tip: Use PowerShell To Browse Through An Event Log

When troubleshooting AD FS claim rules, I often find myself going back and forth in the Security event log, but the interface doesn't make it easy to see whether a message is relevant or not. Here's a small PowerShell command, which can probably be optimized in many ways, that will print the last 60 (starting from the most recent) events that match the AD FS 2.0 Auditing source. Just press Enter to go to the next event. Events are separated by a green dotted line.

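# -Source filters before -Newest is applied, so you get 60 AD FS events rather than whatever matches among the newest 60 Security events
Get-EventLog Security -Source "AD FS 2.0 Auditing" -Newest 60 | % {Write-Host -ForegroundColor Green "----------------------------------------------------"; Read-Host " "; $_.Message | fl}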

Or even a bit more elaborate: a small script which allows you to go down, but also back up if you missed something:

# @() keeps $events an array even when only one event matches
$events = @(Get-EventLog Security -Source "AD FS 2.0 Auditing" -Newest 60)
$i = 0
$default = "d"    # direction used when you just press Enter
# The loop ends when you step past the last event or go up from the first one
while($i -lt $events.Count -and $i -gt -1){
    Write-Host -ForegroundColor Green "------------------$i-----------------------"
    $events[$i].Message
    Write-Host ""
    Write-Host ""
    $direction = Read-Host "Continue? u(p) or d(own) [$default]"
    if($direction -eq $null -or $direction -eq ""){$direction = $default}
    if($direction -like "u"){
        $default = "u"
        $i--
    }
    else{
        $default = "d"
        $i++
    }
    $direction = $null
}

You can just copy and paste this into a prompt; it's not even necessary to create a ps1 file for it. I can only encourage you to modify this sample so you can more easily find your needle in a haystack!
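One way to make that modification, as an added example that is not part of the original post: the pager wrapped in a function that keeps only events whose message matches a regular expression and highlights the matching lines. The function name `Show-AdfsAuditEvent`, its parameters and the sample pattern are assumptions made for this illustration.

```powershell
# Added example: function name and parameters are hypothetical, not from the original post.
function Show-AdfsAuditEvent {
    param(
        [string]$Pattern = '',                   # regex matched against the message; empty = no filter
        [int]$Newest = 60,                       # number of AD FS audit events to read
        [string]$Source = 'AD FS 2.0 Auditing'   # event source named in the post
    )

    # Filter on the source first, then keep only messages that match the pattern.
    # @() forces an array so .Count and indexing work with zero or one match.
    $events = @(Get-EventLog -LogName Security -Source $Source -Newest $Newest |
        Where-Object { $_.Message -match $Pattern })

    if ($events.Count -eq 0) {
        Write-Host "No events from '$Source' match '$Pattern'."
        return
    }

    $i = 0
    $default = 'd'
    while ($true) {
        $e = $events[$i]
        $header = "---- {0} of {1} | {2:yyyy-MM-dd HH:mm:ss} | EventID {3} | {4} ----" -f `
            ($i + 1), $events.Count, $e.TimeGenerated, $e.EventID, $e.EntryType
        Write-Host -ForegroundColor Green $header

        # Print the message line by line and colour the lines that contain the pattern.
        foreach ($line in ($e.Message -split '\r?\n')) {
            if ($Pattern -and $line -match $Pattern) { Write-Host -ForegroundColor Yellow $line }
            else { Write-Host $line }
        }

        $answer = Read-Host "u(p), d(own) or q(uit) [$default]"
        if ([string]::IsNullOrEmpty($answer)) { $answer = $default }
        switch -Wildcard ($answer) {
            'q*'    { return }                                   # leave the function
            'u*'    { $default = 'u'; if ($i -gt 0) { $i-- } }   # stay on the first event at the top
            default { $default = 'd'; if ($i -lt $events.Count - 1) { $i++ } }
        }
    }
}

# Example call (constructed value): page through events that mention a UPN claim type.
# Show-AdfsAuditEvent -Pattern 'claims/upn' -Newest 200
```

Unlike the loop above, this version stops at the first and last event instead of exiting, and the header shows whether each entry is a success or failure audit.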

