ADFS Audit Event Collector

Console Output

This would be the console output

Claims for: https://myadfs/ (Correlation: 84b46102-3ed2-4ff2-88ac-eace0709667c)
        http://schemas.microsoft.com/ws/2008/06/identity/claims/organization : myadfs
        http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant : 2012-04-12T21:15:32.410Z
        http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod : http://schemas.microsoft.com/ws/20
enticationmethod/windows
        http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid : S-1-5-21-1409732942-2814574796-20323036
        http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid : S-1-5-21-1409732942-2814574796-203230364-513
        http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid : S-1-1-0
        http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid : S-1-5-32-545
        http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid : S-1-5-2
        http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid : S-1-5-11
        http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid : S-1-5-15
Claims for: https://myapp/login/ (Correlation: 05d859fc-dcf0-4038-95d6-3678d559c6b2)
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress : [email protected]
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name : John Doe
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname : Johhn
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn : jdoe
        http://schemas.xxxx.com/project : *
        http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod : http://schemas.microsoft.com/ws/20
enticationmethod/windows
        http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant : 2012-04-12T21:15:32.410Z

Program.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Diagnostics.Eventing.Reader;
using System.Configuration;
using System.Reactive.Linq;

namespace AdfsEventLog
{
    class Program
    {
        class AdfsAuditEventLogListener
        {
            private EventLogWatcher watcher;

            public AdfsAuditEventLogListener(string logName, string query)
            {
                var events = Observable.FromEventPattern<EventRecordWrittenEventArgs>(
                    handler => this.watcher.EventRecordWritten += handler,
                    handler => this.watcher.EventRecordWritten -= handler);

                this.watcher = new EventLogWatcher(new EventLogQuery(logName, PathType.LogName, query));
                var pairs = events
                              .Where(e299 => e299.EventArgs.EventRecord.Id == 299)
                              .SelectMany(e299 => events.Where(e500 => e500.EventArgs.EventRecord.Id == 500 &&
                                                                       e299.EventArgs.EventRecord.Properties[0].Value.ToString() ==
                                                                       e500.EventArgs.EventRecord.Properties[0].Value.ToString())
                                                        .Take(1),
                                         (e299, e500) => new { First = e299, Second = e500 });


                pairs.Subscribe(r =>
                {
                    this.SuccessEventsWritten(this, new SuccessEventsWrittenEventArgs { Logs = new List<EventRecord>(new[] { r.First.EventArgs.EventRecord, r.Second.EventArgs.EventRecord }) });
                });
            }

            public event EventHandler<SuccessEventsWrittenEventArgs> SuccessEventsWritten;

            public void Start()
            {
                this.watcher.Enabled = true;
            }

            public void Stop()
            {
                this.watcher.Enabled = false;
            }

        }

        class SuccessEventsWrittenEventArgs : EventArgs
        {
            public IList<EventRecord> Logs { get; set; }
        }

        static void Main(string[] args)
        {
            var listener = new AdfsAuditEventLogListener("Security", "*[System[(EventID=500 or EventID=299)]]");
            listener.SuccessEventsWritten += (sender, arg) =>
            {
                Console.ForegroundColor = ConsoleColor.DarkGreen;

                var e299 = arg.Logs.SingleOrDefault(@event => @event.Id == 299);
                var e500 = arg.Logs.SingleOrDefault(@event => @event.Id == 500);

                Console.WriteLine("Claims for: {0} (Correlation: {1})", e299.Properties[1].Value.ToString(), e299.Properties[0].Value.ToString());
                
                Console.ForegroundColor = ConsoleColor.Yellow;
                
                Console.WriteLine("\t{0}", string.Join("\n\t", e500.Properties
                                                                .Skip(1)
                                                                .Where(e => e.Value.ToString() != "-")
                                                                .PairUp()
                                                                .Select(t => t.Item1.Value.ToString() + " : " + t.Item2.Value.ToString())
                                                                .ToArray()));
            };

            listener.Start();

            Console.WriteLine("Listening...");
            Console.ReadLine();

            listener.Stop();
        }
    }

    public static class EnumerableExtensions
    {
        public static IEnumerable<Tuple<T, T>> PairUp<T>(this IEnumerable<T> source)
        {
            using (var iterator = source.GetEnumerator())
            {
                while (iterator.MoveNext())
                {
                    var first = iterator.Current;
                    var second = iterator.MoveNext() ? iterator.Current : default(T);
                    yield return Tuple.Create(first, second);
                }
            }
        }
    }
}