June 26, 2024 security

Onboarding Microsoft NPS logs

By Roman Krasnov


For those of us who manage network authentication and authorization, RADIUS is a familiar term. This protocol was introduced in the last century, and many of us from those days still remember the old-school diagrams, which surprisingly remain on the Cisco Systems website today.

Figure 1. Interaction between dial-in user requests, the RADIUS client and server © Cisco

RADIUS, which stands for Remote Authentication Dial-In User Service, was developed to address a specific challenge. In the past, Internet Service Providers (ISPs) had pools of dial-up connection points, and managing access to the various networks was challenging. RADIUS was the answer to managing the different types of network access from a centralized, single point of administration.

Technically, RADIUS is a protocol that enables network devices (clients) to authenticate users against a RADIUS server. The RADIUS server validates the user credentials and tells the client whether to grant or reject network access. It is that simple.

While the dial-up era has been over for many years, the challenge of unifying network authentication and authorization remains, and the RADIUS protocol is still in use. Nowadays, RADIUS provides centralized authentication, authorization, and accounting for wireless devices, authenticating switches, remote access, and virtual private network (VPN) connections.

Multiple implementations of the RADIUS protocol (defined by RFC 2865, which replaced RFC 2138, and RFC 2866, which replaced RFC 2139) exist, including the widely used Microsoft NPS and the open-source FreeRADIUS, both supported by NXLog.

Why use Microsoft NPS?

Microsoft Network Policy Server (NPS) is Microsoft’s implementation and extension of the RADIUS specifications. NPS allows you to manage and enforce organization-wide network access policies for connection requests.

Many RADIUS implementations store user credentials in clear text, making the server itself an attack vector and exposing the entire network to compromise. Hardening such servers and integrating them with an external LDAP service requires considerable effort.

Figure 2. Microsoft NPS and RADIUS for a variety of network client access © Microsoft

In comparison, NPS natively supports validating authentication requests against the local user accounts database (Security Accounts Manager, SAM) and Microsoft Active Directory Domain Services. When NPS is part of an AD domain, it is possible to implement a single sign-on process where the same AD credentials are used for network authentication. Such an integrated solution is more secure, easier to manage, and leaves users one less set of credentials to remember. That’s really cool if you ask me!

Why collect Microsoft NPS/RADIUS logs?

As we already discussed, NPS is all about user authentication and authorization. We all know that authentication logs are the cornerstone of IT security, so there is no doubt that NPS/RADIUS logs belong on our collection list. These logs help us detect and respond to brute-force attacks, irregular login requests outside office hours, suspicious logins to critical resources, and so on. In addition, real-time security and threat management, threat hunting, and meeting compliance mandates all require us to establish authentication log collection and management.

You could also use NPS logs to automate network tasks. For instance, let’s say you have a wireless endpoint integrated with NPS to authenticate users and are tasked with granting IP-based network access through several firewalls as soon as the user authenticates successfully. With automatic log analysis, you can trigger a job to enable access according to the assigned IP address in the logs.

According to Microsoft, NPS creates two types of essential logs:

  • Connection logs are used primarily for auditing and troubleshooting connection attempts.

  • User accounting logs are used for connection analysis and billing purposes. Logged to a file, they also aid in security investigations because they provide a method to track a compromised user’s activity after a malicious attack.

So, how do you collect all those logs and make sense of the data?

NXLog to the rescue

NPS can write RADIUS accounting logs (user authentication and accounting requests) in three formats:

  • IAS: a legacy format that writes logs to a file.

  • ODBC: writes ODBC-compliant logs in CSV format to a file.

  • DTS Compliant: writes logs in XML format to a file.

Figure 3. Microsoft NPS log file configuration

The IAS and DTS Compliant log formats are the most commonly used, and Microsoft recommends the latter. The newer DTS Compliant XML format consists of complex records like the following:

<Event>
  <Timestamp data_type="4">12/22/2023 15:06:56.609</Timestamp>
  <Computer-Name data_type="1">NAP-IAS2</Computer-Name>
  <Event-Source data_type="1">IAS</Event-Source>
  <Acct-Session-Id data_type="2">B3BA359F48CEDE4E9F78E5B3158F3B877E744D735B83CA01</Acct-Session-Id>
  <Class data_type="1">311 1 2001:4898:b0:3007:492e:957a:d44d:7093 12/16/2009 04:32:04 145361</Class>
  <MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State>
  <MS-Quarantine-State data_type="0">0</MS-Quarantine-State>
  <Client-IPv6-Address data_type="5">2001:4898:b0:3007:6cc0:9514:d2ff:cdcf</Client-IPv6-Address>
  <Client-Vendor data_type="0">0</Client-Vendor>
  <Client-Friendly-Name data_type="1">NAP-HRA2</Client-Friendly-Name>
  <Proxy-Policy-Name data_type="1">HRA</Proxy-Policy-Name>
  <Provider-Type data_type="0">1</Provider-Type>
  <Quarantine-Session-Id data_type="1">{9F35BAB3-CE48-4EDE-9F78-E5B3158F3B87} - 2009-12-22 23:06:53.319Z</Quarantine-Session-Id>
  <Machine-Inventory data_type="1">6.1.7600 0.0 x86 Workstation</Machine-Inventory>
  <Fully-Qualified-Machine-Name data_type="1">CONTOSO\CLIENT1</Fully-Qualified-Machine-Name>
  <Authentication-Type data_type="0">7</Authentication-Type>
  <System-Health-Result data_type="1">Windows Security Health Validator:Compliant:No Data:None[]:(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - )</System-Health-Result>
  <System-Health-ResultEx data_type="1">
  <SHV-Name data_type="1">Windows Security Health Validator</SHV-Name>
  <Config-ID data_type="0">0</Config-ID>
  <Config-Friendly-Name data_type="1"></Config-Friendly-Name>
  <Health-Result data_type="1">Compliant</Health-Result>
  <Extended-Isolation-State data_type="1">No Data</Extended-Isolation-State>
  <Failure-Category data_type="1">None</Failure-Category>
  <Failure-Category-String data_type="1"></Failure-Category-String>
  <Compliance-Results data_type="1"></Compliance-Results>
  </System-Health-ResultEx>
  <NP-Policy-Name data_type="1">ias2-HRA-NAPSTIR-Red-Compliant</NP-Policy-Name>
  <Quarantine-Update-Non-Compliant data_type="0">0</Quarantine-Update-Non-Compliant>
  <Framed-Protocol data_type="0">1</Framed-Protocol>
  <Service-Type data_type="0">2</Service-Type>
  <Packet-Type data_type="0">2</Packet-Type>
  <Reason-Code data_type="0">0</Reason-Code>
</Event>

Multiline records like the one above are relatively hard to parse with many of the log collectors on the market.

In contrast, NXLog Enterprise Edition version 6.3 and newer support collecting and parsing all three log formats with the dedicated xm_nps extension. It allows you to collect NPS logs out of the box and convert them to another log format, such as JSON:

{
  "Event.Timestamp.data_type": "4",
  "Event.Timestamp": "12/22/2023 15:06:56.609",
  "Event.Computer-Name.data_type": "1",
  "Event.Computer-Name": "NAP-IAS2",
  "Event.Event-Source.data_type": "1",
  "Event.Event-Source": "IAS",
  "Event.Acct-Session-Id.data_type": "2",
  "Event.Acct-Session-Id": "B3BA359F48CEDE4E9F78E5B3158F3B877E744D735B83CA01",
  "Event.Class.data_type": "1",
  // ...
  "Event.Packet-Type.data_type": "0",
  "Event.Packet-Type": "2",
  "Event.Reason-Code.data_type": "0",
  "Event.Reason-Code": "0"
}
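To make the key scheme above concrete, here is an added Python example (not NXLog's xm_nps code) that flattens a DTS Compliant record into the same "Event.<Name>" / "Event.<Name>.data_type" keys and then counts Access-Reject packets per user, the raw material for the brute-force detection mentioned earlier. The dotted joining of nested elements, the User-Name element and the sample records are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# RADIUS packet-type codes from RFC 2865; NPS writes them into <Packet-Type>.
ACCESS_ACCEPT, ACCESS_REJECT = "2", "3"


def flatten_nps_event(xml_text):
    """Flatten one DTS Compliant <Event> into 'Event.<Name>' keys plus
    'Event.<Name>.data_type' for the attribute, as in the JSON above.
    Nested elements (System-Health-ResultEx) are joined with dots; that
    rule is an assumption, since the page elides those keys."""
    root = ET.fromstring(xml_text)
    flat = {}

    def walk(elem, prefix):
        key = f"{prefix}.{elem.tag}"
        if "data_type" in elem.attrib:
            flat[f"{key}.data_type"] = elem.attrib["data_type"]
        if len(elem):                  # container element: recurse into children
            for child in elem:
                walk(child, key)
        else:                          # leaf element: keep its text value
            flat[key] = (elem.text or "").strip()

    for child in root:
        walk(child, root.tag)
    return flat


def failed_auth_by_user(events):
    """Count Access-Reject packets per User-Name across flattened events;
    a high count for one user in a short window is a brute-force indicator."""
    rejects = Counter()
    for ev in events:
        if ev.get("Event.Packet-Type") == ACCESS_REJECT:
            rejects[ev.get("Event.User-Name", "<unknown>")] += 1
    return rejects


def _sample(user, packet_type, reason):
    # Constructed minimal record in the same element shape as the page's example.
    return (f'<Event><Timestamp data_type="4">12/22/2023 15:06:56.609</Timestamp>'
            f'<User-Name data_type="1">{user}</User-Name>'
            f'<Packet-Type data_type="0">{packet_type}</Packet-Type>'
            f'<Reason-Code data_type="0">{reason}</Reason-Code></Event>')


# Constructed sample: one accept and two rejects for the same account.
SAMPLE_EVENTS = [_sample("CONTOSO\\alice", ACCESS_ACCEPT, "0"),
                 _sample("CONTOSO\\bob", ACCESS_REJECT, "16"),
                 _sample("CONTOSO\\bob", ACCESS_REJECT, "16")]

if __name__ == "__main__":
    print(failed_auth_by_user([flatten_nps_event(e) for e in SAMPLE_EVENTS]))
```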

With NXLog Enterprise Edition, routing your NPS logs to a SIEM or long-term storage like Amazon S3 buckets, meeting compliance, and triggering automated network configuration and management tasks based on log data is easy. Give it a try, and get in touch with us if you need help building a solution for your use case!
