Windows NPS Logs
Configure Windows NPS to send logs to Arctic Wolf
Note: Before starting this procedure, discuss this log forwarding option with your Concierge Security® Team.
You can configure Windows Network Policy Server (NPS) to send the necessary logs to Arctic Wolf for monitoring security information.
Requirements
- AD Sensor
  See Active Directory Sensor Installation Instructions for installation instructions.
Steps
- Configure Windows NPS log file properties.
- Configure NXLog to forward NPS logs to your Arctic Wolf appliance.
- Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:
  - Confirmation that you have completed the steps in this configuration guide.
  - The IP address you used during the configuration.
  - Any other questions or comments that you have.
Step 1: Configure Windows NPS log file properties
- Open the NPS console or NPS Microsoft Management Console (MMC).
- In the navigation menu, click Policies > Accounting.
- In the Log File Properties section, click Change Log File Properties.
- In the Log File Properties dialog box, click the Settings tab.
- In the Log the following information section, select the following checkboxes:
  - Accounting requests
  - Authentication requests
  - Periodic accounting status
  - Periodic authentication status
- In the Logging failure action section, select the If logging fails, discard connection requests checkbox.
- Click the Log File tab.
- In the Directory field, enter the location where you want to store NPS log files. If you do not enter a path, the default location is the systemroot\System32\LogFiles folder.
- In the Format list, select ODBC (legacy).
- In the Create a new log file section, select Daily.
- Select the When disk is full delete older log files checkbox.
- Click OK.
Step 2: Configure NXLog to forward NPS logs to your Arctic Wolf appliance
- Using a text editor, open the nxlog.conf file.
- Add the following input to the nxlog.conf file, where <nps_log_file_location> defines the location of the NPS logs flat file:

      <Input in_NPS>
          # Read the NPS log files from disk.
          Module im_file
          File "<nps_log_file_location>.log"
          # Remember the read position across NXLog restarts.
          SavePos TRUE
          # With no saved position, start at the end of the file instead of re-sending old records.
          ReadFromLast TRUE
          # Forward each raw log line unchanged as the message.
          Exec $Message = $raw_event;
          # Append "-NPS" to the host name so the source of these events is identifiable.
          Exec $Hostname = hostname() + "-NPS";
      </Input>

  For example, if the location of the NPS logs is G:\\NPSLogs\\*.log, the input is:

      <Input in_NPS>
          Module im_file
          File "G:\\NPSLogs\\*.log"
          SavePos TRUE
          ReadFromLast TRUE
          Exec $Message = $raw_event;
          Exec $Hostname = hostname() + "-NPS";
      </Input>

- In the route section, edit the Path to include the new input event that you want to output. For example, if the input event is in_NPS, the path is:

      <Route 1>
          Path in_AD, in_EVENT, in_DNS, in_DHCP, in_NPS => out
      </Route>

- Save the nxlog.conf file changes.
- Restart the NXLog service.
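
A pre-restart check for the Step 2 edits, as an added example that is not Arctic Wolf or NXLog code: it confirms that the in_NPS input exists, is listed in a Route Path, and points at files NPS is writing. The function name Test-NpsForwarding, the one-day freshness threshold, and the sample configuration are assumptions made for illustration.

```powershell
# Added example (not Arctic Wolf or NXLog code): checks nxlog.conf text for the
# in_NPS input from Step 2 and returns a list of problems (empty when all pass).
function Test-NpsForwarding {
    param([Parameter(Mandatory)] [string] $ConfigText, [string] $InputName = 'in_NPS')
    $findings = @()
    $name = [regex]::Escape($InputName)
    $block = [regex]::Match($ConfigText, "(?ims)^\s*<Input\s+$name\s*>(.*?)^\s*</Input>")
    if (-not $block.Success) { return @("No <Input $InputName> block found") }

    # The input must appear left of '=>' in a Route Path, or nothing is forwarded.
    $routed = $false
    foreach ($m in [regex]::Matches($ConfigText, '(?im)^\s*Path\s+(.+?)=>')) {
        $sources = $m.Groups[1].Value -split ',' | ForEach-Object { $_.Trim() }
        if ($sources -contains $InputName) { $routed = $true }
    }
    if (-not $routed) { $findings += "$InputName is not listed in any Route Path" }

    $file = [regex]::Match($block.Groups[1].Value, '(?im)^\s*File\s+"(.+)"\s*$')
    if (-not $file.Success) { return $findings + "No double-quoted File directive in $InputName" }
    $raw = $file.Groups[1].Value
    # Inside double quotes NXLog treats a backslash as an escape character.
    if ($raw -match '(?<!\\)\\(?!\\)') { $findings += "Unescaped backslash in File value $raw" }

    # Assumption: with daily log files (Step 1), the newest match should be under a day old.
    $pattern = $raw -replace '\\\\', '\'
    $newest = Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) {
        $findings += "No files match $pattern"
    } elseif ($newest.LastWriteTime -lt (Get-Date).AddDays(-1)) {
        $findings += "Newest NPS log $($newest.Name) is more than a day old"
    }
    return $findings
}

# Constructed sample: the input was added but the Route was left unchanged.
$sample = @'
<Input in_NPS>
    Module im_file
    File "G:\\NPSLogs\\*.log"
</Input>
<Route 1>
    Path in_AD, in_EVENT, in_DNS, in_DHCP => out
</Route>
'@
Test-NpsForwarding -ConfigText $sample
```

To check a live sensor, pass the real file contents as -ConfigText, for example the output of Get-Content -Raw on your nxlog.conf. This page does not state where nxlog.conf is installed, so supply that path yourself.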