Windows NPS Logs

Configuration Guide

Updated Feb 22, 2023

Configure Windows NPS to send logs to Arctic Wolf

Note: Before starting this procedure, discuss this log forwarding option with your Concierge Security® Team.

You can configure Windows Network Policy Server (NPS) to send the necessary logs to Arctic Wolf for monitoring security information.

Requirements

Steps

  1. Configure Windows NPS log file properties.
  2. Configure NXLog to forward NPS logs to your Arctic Wolf appliance.
  3. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:
    • Confirmation that you have completed the steps in this configuration guide.
    • The IP address you used during the configuration.
    • Any other questions or comments that you have.

Step 1: Configure Windows NPS log file properties

  1. Open the NPS console or NPS Microsoft Management Console (MMC).

  2. In the navigation menu, click Policies > Accounting.

  3. In the Log File Properties section, click Change Log File Properties.

  4. In the Log File Properties dialog box, click the Settings tab.

  5. In the Log the following information section, select the following checkboxes:

    • Accounting requests
    • Authentication requests
    • Periodic accounting status
    • Periodic authentication status

  6. In the Logging failure action section, select the If logging fails, discard connection requests checkbox.

  7. Click the Log File tab.

  8. In the Directory field, enter the location where you want to store NPS log files. If you do not enter a path, the default location is the %systemroot%\System32\LogFiles folder.

  9. In the Format list, select ODBC (legacy).

  10. In the Create a new log file section, select Daily.

  11. Select the When disk is full delete older log files checkbox.

  12. Click OK.

Step 2: Configure NXLog to forward NPS logs to your Arctic Wolf appliance

  1. Using a text editor, open the nxlog.conf file.

  2. Add the following input to the nxlog.conf file, where <nps_log_file_location> defines the location of the NPS logs flat file:

    <Input in_NPS>
    Module im_file
    File "<nps_log_file_location>.log"
    SavePos TRUE
    ReadFromLast TRUE
    Exec $Message = $raw_event;
    Exec $Hostname = hostname() + "-NPS";
    </Input>

    For example, if the location of the NPS logs is G:\\NPSLogs\\*.log, the input is:

    <Input in_NPS>
    Module im_file
    File "G:\\NPSLogs\\*.log"
    SavePos TRUE
    ReadFromLast TRUE
    Exec $Message = $raw_event;
    Exec $Hostname = hostname() + "-NPS";
    </Input>

  3. In the route section, edit the Path to include the new input event that you want to output. For example, if the input event is in_NPS, the path is:

    <Route 1>
    Path in_AD, in_EVENT, in_DNS, in_DHCP, in_NPS => out
    </Route>

  4. Save the nxlog.conf file changes.

  5. Restart the NXLog service.
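
A way to confirm that the Step 2 edits are complete before restarting the service, as an added example that is not part of this guide or of NXLog: the Python check below reads nxlog.conf text and reports when the in_NPS input is missing, still contains the <nps_log_file_location> placeholder, or is not listed in any Route Path. The function name check_nps_forwarding and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: the guide's example input, but the route was never updated.
SAMPLE_CONF = r'''
<Input in_NPS>
    Module im_file
    File "G:\\NPSLogs\\*.log"
    SavePos TRUE
    ReadFromLast TRUE
    Exec $Message = $raw_event;
    Exec $Hostname = hostname() + "-NPS";
</Input>
<Route 1>
    Path in_AD, in_EVENT, in_DNS, in_DHCP => out
</Route>
'''

BLOCK_RE = re.compile(r'<(Input|Route)\s+([^\s>]+)>(.*?)</\1>', re.S | re.I)

def check_nps_forwarding(conf_text, input_name="in_NPS"):
    """Return a list of problems; an empty list means the input is defined and routed."""
    # Drop comment lines so a commented-out block or Path does not count.
    text = "\n".join(l for l in conf_text.splitlines() if not l.lstrip().startswith("#"))
    inputs, routes = {}, {}
    for kind, name, body in BLOCK_RE.findall(text):
        (inputs if kind.lower() == "input" else routes)[name] = body

    problems = []
    body = inputs.get(input_name)
    if body is None:
        problems.append(f"no <Input {input_name}> block")
    else:
        if not re.search(r'^\s*Module\s+im_file\s*$', body, re.M | re.I):
            problems.append(f"{input_name}: Module is not im_file")
        m = re.search(r'^\s*File\s+(\S.*)$', body, re.M | re.I)
        if m is None:
            problems.append(f"{input_name}: no File directive")
        elif "<" in m.group(1):
            problems.append(f"{input_name}: File still contains a placeholder")

    # The input only ships events if some Route lists it left of "=>".
    routed = False
    for body in routes.values():
        for sources in re.findall(r'^\s*Path\s+(.*?)=>', body, re.M | re.I):
            routed = routed or input_name in [s.strip() for s in sources.split(",")]
    if not routed:
        problems.append(f"{input_name} is not listed in any Route Path")
    return problems

if __name__ == "__main__":
    for p in check_nps_forwarding(SAMPLE_CONF):
        print("PROBLEM:", p)
```

To check a real file, pass its contents to check_nps_forwarding; an empty list means the input is defined and routed, not that the appliance is receiving events.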

See also