Windows NPS Logs

Updated Jan 31, 2024

Configure Windows NPS to send logs to Arctic Wolf

You can configure Windows Network Policy Server (NPS)® to send the necessary logs to Arctic Wolf®.

Requirements

Before you begin

Steps

  1. Configure Windows NPS log file properties.
  2. Configure NXLog to forward NPS logs to your Arctic Wolf appliance.
  3. Provide your Windows NPS information to Arctic Wolf.

Step 1: Configure Windows NPS log file properties

  1. Sign in to the NPS console or NPS Microsoft Management Console (MMC).

  2. In the navigation menu, click Policies > Accounting.

  3. In the Log File Properties section, click Change Log File Properties.

  4. In the Log File Properties dialog, click the Settings tab.

  5. In the Log the following information section, select these checkboxes:

    • Accounting requests
    • Authentication requests
    • Periodic accounting status
    • Periodic authentication status
  6. In the Logging failure action section, select the If logging fails, discard connection requests checkbox.

  7. Click the Log File tab.

  8. In the Directory field, enter the location where you want to store NPS log files. If you do not enter a path, the default location is the C:\Windows\System32\LogFiles folder.

  9. In the Format list, select ODBC (legacy).

  10. In the Create a new log file section, select Daily.

  11. Select the When disk is full delete older log files checkbox.

  12. Click OK.

Step 2: Configure NXLog to forward NPS logs to your Arctic Wolf appliance

  1. Using a text editor, open the nxlog.conf file.

  2. Enter this input to the nxlog.conf file:

    Note: NXLog version 2.x only supports G:\\NPSLogs\\\*.log, with three backslashes. NXLog 3.x supports G:\\NPSLogs\\*.log, with two backslashes. See Quoting and escaping strings for more information.

    <Input in_NPS>
        Module im_file
        File "<nps_log_file_location>.log"
        SavePos TRUE
        ReadFromLast TRUE
        Exec $Message = $raw_event;
        Exec $Hostname = hostname() + "-NPS";
    </Input>

    Where:

    • <nps_log_file_location> defines the location of the NPS logs flat file.

    For example, if the location of the NPS logs is G:\NPSLogs\*.log, the input is:

    <Input in_NPS>
        Module im_file
        File "G:\\NPSLogs\\\*.log"
        SavePos TRUE
        ReadFromLast TRUE
        Exec $Message = $raw_event;
        Exec $Hostname = hostname() + "-NPS";
    </Input>

    NXLog version 2.x only supports G:\\NPSLogs\\\*.log, with three backslashes, whereas NXLog 3.x supports G:\\NPSLogs\\*.log, with two backslashes.

    See Quoting and escaping strings for more information.

  3. In the route section, edit the Path to include the new input event that you want to output. For example, if the input event is in_NPS, the path is:

    <Route 1>
        Path    in_AD, in_EVENT, in_DNS, in_DHCP, in_NPS => out
    </Route>
  4. Save the nxlog.conf file changes.

  5. Restart the NXLog service.

Step 3: Provide your Windows NPS information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click > Open a New Ticket.

  3. On the Open a New Ticket page, configure these settings:

    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname you used during the configuration.
      • Questions or comments that you have.
  4. Click Send Message.

    Your CST will review the details and make sure that Arctic Wolf is successfully processing the logs.

See also