Configure Windows NPS to send logs to Arctic Wolf

You can configure Windows Network Policy Server (NPS)® to send the necessary logs to Arctic Wolf®.

Note:

This is an optional configuration. Discuss this log forwarding option with your Concierge Security® Team (CST).

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • The nxlog.conf file
    For more information, see Install Active Directory Sensor.
    Note: Advanced audit policy GPO is not required for NPS logging.

These actions are required:

Configure Windows NPS log file properties

  1. Sign in to the NPS console or NPS Microsoft Management Console (MMC).
  2. In the navigation menu, click Policies > Accounting.
  3. In the Log File Properties section, click Change Log File Properties.
  4. In the Log File Properties dialog, click the Settings tab.
  5. In the Log the following information section, select these checkboxes:
    • Accounting requests
    • Authentication requests
    • Periodic accounting status
    • Periodic authentication status
  6. In the Logging failure action section, select the If logging fails, discard connection requests checkbox.
  7. Click the Log File tab.
  8. In the Directory field, enter the location where you want to store NPS log files.

    If you do not enter a path, the default location is the C:\Windows\System32\LogFiles folder.

  9. In the Format list, select ODBC (legacy).
  10. In the Create a new log file section, select Daily.
  11. Select the When disk is full delete older log files checkbox.
  12. Click OK.

Retrieve and configure nxlog.conf file

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Resources > Downloads.
  3. In the Active Directory (AD) Sensor section, in the Receiving Sensor field, enter or select the IP address of your Arctic Wolf Sensor or Virtual Log Collector (vLC).
  4. Click Download Sensor.
    A zip file downloads on your device.
  5. Navigate to the zip file, and then right-click it and select Extract All.
    This action extracts the awn-ad-sensor folder, which contains the awn-ad-sensor.msi, nxlog.conf, and nxlog3.conf files.
    Note:
    • Don't move or delete these files.

    • You don't need to install the AD sensor.

  6. Based on the installed NXLog version, move the appropriate NXLog file to the NXLog directory.

Configure NXLog to forward NPS logs to your Arctic Wolf appliance

Note: NXLog version 2.x only supports G:\\NPSLogs\\\*.log, with three backslashes. NXLog version 3.x supports G:\\NPSLogs\\*.log, with two backslashes. For more information, see Quoting and escaping strings.
  1. Using a text editor, open the nxlog.conf file.
  2. Enter this input in the nxlog.conf file:
    <Input in_NPS>
        Module im_file
        File "<nps_log_file_location>.log"
        SavePos TRUE
        ReadFromLast TRUE
        Exec $Message = $raw_event;
        Exec $Hostname = hostname() + "-NPS";
    </Input>

    Where:

    • nps_log_file_location defines the location of the NPS logs flat file.

    For example, if the location of the NPS logs is G:\NPSLogs\*.log, the input is:

    <Input in_NPS>
        Module im_file
        File "G:\\NPSLogs\\\*.log"
        SavePos TRUE
        ReadFromLast TRUE
        Exec $Message = $raw_event;
        Exec $Hostname = hostname() + "-NPS";
    </Input>
  3. In the route section, edit the Path to include the new input event that you want to output.

    For example, if the input event is in_NPS, the path is:

    <Route 1>
        Path    in_AD, in_EVENT, in_DNS, in_DHCP, in_NPS => out
    </Route>
  4. Save the nxlog.conf file changes.
  5. Restart the NXLog service.
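As an added example (not part of this guide and not Arctic Wolf or NXLog tooling), the following Python script checks an nxlog.conf for the pieces this procedure adds: the in_NPS input with SavePos and ReadFromLast, a File wildcard escaped for the installed NXLog major version (three backslashes for 2.x, two for 3.x), and in_NPS in the route Path. The embedded configuration is constructed to mirror the snippets above; the block-parsing regex and the problem strings are this example's own.

```python
import re

# Constructed sample nxlog.conf fragment mirroring this guide's in_NPS input and
# route (assumption: not a real deployment file).
SAMPLE_CONF = r"""
<Input in_NPS>
    Module im_file
    File "G:\\NPSLogs\\\*.log"
    SavePos TRUE
    ReadFromLast TRUE
    Exec $Message = $raw_event;
    Exec $Hostname = hostname() + "-NPS";
</Input>
<Route 1>
    Path    in_AD, in_EVENT, in_DNS, in_DHCP, in_NPS => out
</Route>
"""
BLOCK_RE = re.compile(r"<(\w+)\s+(\S+)>(.*?)</\1>", re.DOTALL)

def parse_blocks(conf):
    # {(block_type, name): {directive: [value, ...]}}; Exec may repeat.
    blocks = {}
    for btype, name, body in BLOCK_RE.findall(conf):
        dirs = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            if key:
                dirs.setdefault(key, []).append(value.strip())
        blocks[(btype, name)] = dirs
    return blocks

def check_nps_conf(conf, nxlog_major, route="1"):
    # Returns a list of problems; an empty list means the NPS pieces look right.
    blocks = parse_blocks(conf)
    inp = blocks.get(("Input", "in_NPS"))
    if inp is None:
        return ["missing <Input in_NPS> block"]
    problems = []
    for key in ("SavePos", "ReadFromLast"):
        if inp.get(key, [""])[0].upper() != "TRUE":
            problems.append(f"in_NPS should set {key} TRUE")
    # Backslashes before the wildcard: NXLog 2.x needs three, 3.x needs two.
    wanted = 3 if nxlog_major == 2 else 2
    m = re.search(r"(\\+)\*", inp.get("File", [""])[0])
    if m is None or len(m.group(1)) != wanted:
        problems.append(f"File wildcard needs {wanted} backslashes for NXLog {nxlog_major}.x")
    inputs = blocks.get(("Route", route), {}).get("Path", [""])[0].split("=>")[0]
    if "in_NPS" not in [s.strip() for s in inputs.split(",")]:
        problems.append(f"<Route {route}> Path does not include in_NPS")
    return problems
```

Run it against your real file with `check_nps_conf(open(path).read(), 2)` or `3`, matching the installed NXLog major version, before restarting the service.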

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.