Windows NPS Logs
Updated Aug 31, 2023
Configure Windows NPS to send logs to Arctic Wolf
Note: Before starting this procedure, discuss this log forwarding option with your Concierge Security® Team.
You can configure Windows Network Policy Server® (NPS) to send the necessary logs to Arctic Wolf for monitoring security information.
Requirements
- Activated Arctic Wolf Sensor
- AD Sensor. See Active Directory Sensor Installation for installation instructions.
Steps
- Configure Windows NPS log file properties.
- Configure NXLog to forward NPS logs to your Arctic Wolf appliance.
- Contact your CST.
Step 1: Configure Windows NPS log file properties
- Open the NPS console or the NPS Microsoft Management Console (MMC).
- In the navigation menu, click Policies > Accounting.
- In the Log File Properties section, click Change Log File Properties.
- In the Log File Properties dialog box, click the Settings tab.
- In the Log the following information section, select the following checkboxes:
  - Accounting requests
  - Authentication requests
  - Periodic accounting status
  - Periodic authentication status
- In the Logging failure action section, select the If logging fails, discard connection requests checkbox.
- Click the Log File tab.
- In the Directory field, enter the location where you want to store NPS log files. If you do not enter a path, the default location is the C:\Windows\System32\LogFiles folder.
- In the Format list, select ODBC (legacy).
- In the Create a new log file section, select Daily.
- Select the When disk is full delete older log files checkbox.
- Click OK.
Step 2: Configure NXLog to forward NPS logs to your Arctic Wolf appliance
- Using a text editor, open the nxlog.conf file.
- Add the following input to the nxlog.conf file, where <nps_log_file_location> defines the location of the NPS log flat file:

    <Input in_NPS>
        Module im_file
        File "<nps_log_file_location>.log"
        SavePos TRUE
        ReadFromLast TRUE
        Exec $Message = $raw_event;
        Exec $Hostname = hostname() + "-NPS";
    </Input>

  For example, if the location of the NPS logs is G:\NPSLogs\*.log, the input is:

    <Input in_NPS>
        Module im_file
        File "G:\\NPSLogs\\\*.log"
        SavePos TRUE
        ReadFromLast TRUE
        Exec $Message = $raw_event;
        Exec $Hostname = hostname() + "-NPS";
    </Input>

  NXLog version 2.x only supports G:\\NPSLogs\\\*.log, with three backslashes, whereas NXLog 3.x supports G:\\NPSLogs\\*.log, with two backslashes. See the NXLog guidelines for Quoting and escaping strings for more information.
- In the route section, edit the Path to include the new input event that you want to output. For example, if the input event is in_NPS, the path is:

    <Route 1>
        Path in_AD, in_EVENT, in_DNS, in_DHCP, in_NPS => out
    </Route>

- Save the nxlog.conf file changes.
- Restart the NXLog service.
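The two places Step 2 is most often got wrong are the backslash quoting in the File directive (which differs between NXLog 2.x and 3.x) and forgetting to add in_NPS to the Route Path. The following Python helper is an added example, not Arctic Wolf's or NXLog's own code: it builds the File value for a given NXLog major version, renders the in_NPS input stanza, and checks or repairs the Route Path; the sample route text is constructed for the example.

```python
import re

# Added example; it encodes the quoting rule stated in Step 2: every backslash in
# the Windows path is doubled, and NXLog 2.x also needs a backslash before "*".
def nxlog_file_path(windows_path: str, nxlog_major: int) -> str:
    """Return the value to put in the im_file File directive."""
    escaped = windows_path.replace("\\", "\\\\")
    if nxlog_major < 3:
        escaped = escaped.replace("*", "\\*")  # 2.x: three backslashes before *
    return escaped

def nps_input_block(windows_path: str, nxlog_major: int, name: str = "in_NPS") -> str:
    """Render the <Input> stanza from Step 2 for the given log path and NXLog version."""
    return "\n".join([
        f"<Input {name}>",
        "    Module im_file",
        f'    File "{nxlog_file_path(windows_path, nxlog_major)}"',
        "    SavePos TRUE",
        "    ReadFromLast TRUE",
        "    Exec $Message = $raw_event;",
        '    Exec $Hostname = hostname() + "-NPS";',
        "</Input>",
    ])

# Matches one <Route> block and captures the comma-separated input list before "=>".
ROUTE_RE = re.compile(r"<Route\s+\S+>\s*Path\s+(.*?)\s*=>\s*\S+\s*</Route>", re.S)

def route_includes_input(conf_text: str, name: str = "in_NPS") -> bool:
    """True if any Route's Path already lists the input."""
    return any(name in [p.strip() for p in m.group(1).split(",")]
               for m in ROUTE_RE.finditer(conf_text))

def ensure_input_in_route(conf_text: str, name: str = "in_NPS") -> str:
    """Append the input to the first Route's Path if no Route lists it yet."""
    if route_includes_input(conf_text, name):
        return conf_text
    m = ROUTE_RE.search(conf_text)
    if m is None:
        raise ValueError("no <Route> block found in nxlog.conf")
    start, end = m.span(1)
    return conf_text[:start] + m.group(1) + ", " + name + conf_text[end:]

# Constructed sample route, as it might look before Step 2 is applied.
SAMPLE_ROUTE = "<Route 1>\n    Path in_AD, in_EVENT, in_DNS, in_DHCP => out\n</Route>\n"

if __name__ == "__main__":
    print(nps_input_block(r"G:\NPSLogs\*.log", nxlog_major=2))
    print(ensure_input_in_route(SAMPLE_ROUTE))
```

Run it against a copy of your real nxlog.conf rather than the constructed sample, and diff the result before restarting the NXLog service.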
Step 3: Contact your CST
- Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:
- Confirmation that you have completed the steps in this configuration guide.
- The IP address you used during the configuration.
- Any other questions or comments that you have.