Microsoft Network Policy Server (xm_nps)

This module provides functions and procedures for processing data in the Network Policy Server (NPS) format. NPS is Microsoft’s implementation of a RADIUS server and proxy and was formerly known as Internet Authentication Service (IAS). This module is capable of parsing IAS and ODBC-compliant log formats.

ODBC-compliant logs typically resemble the sample below.

ODBC-compliant formatted data
"RasBox","RAS",10/22/2006,09:13:09,1,"DOMAIN\user","DOMAIN\user",,,,,,"192.168.132.45",12,,"192.168.132.45",,,,0,"CONNECT 24000",1,2,4,,0,"311 1 192.168.132.45 07/31/2006 21:35:14 749",,,,,,,,,,,,,,,,,,,,,,,,,,,,"MSRASV5.00",311,,,,
"RasBox","RAS",10/22/2006,09:13:09,3,,"DOMAIN\user",,,,,,,,,,,,,,,,,4,,36,"311 1 192.168.132.45 07/31/2006 21:35:14 749",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"0x00453D36393120523D3020563D33",,,
"RasBox","RAS",10/22/2006,09:13:13,1,"DOMAIN\user","DOMAIN\user",,,,,,"192.168.132.45",12,,"192.168.132.45",,,,0,"CONNECT 24000",1,2,4,,0,"311 1 192.168.132.45 07/31/2006 21:35:14 750",,,,,,,,,,,,,,,,,,,,,,,,,,,,"MSRASV5.00",311,,,,

For more information about the Microsoft NPS logs, see the Microsoft documentation on how to Interpret NPS Database Format Log Files.

Configuration

The xm_nps module accepts only the common module directives.

Procedures

The following procedures are exported by xm_nps.

parse_nps();

Parse the $raw_event field as NPS input.

parse_nps(string source);

Parse the given string as NPS format.

Creating and populating fields

The parse_nps() procedure parses NPS log records into structured data. It expects the $raw_event field or the string passed as a parameter to be in the ODBC-compliant or IAS format described above.

Once a log record is parsed with this procedure, fields are created based on the available data. These can be used for further processing or to convert the log record to a different output format. For an example of how to parse NPS log records and manipulate fields, see Parsing NPS logs in ODBC-compliant format below.

Input modules may create additional fields containing various information. When converting to a different format, such fields will be included in the output log record, which may consume additional memory and bandwidth. For efficient handling of log records, consult the Fields section in the documentation of input modules and test the configuration before deployment. To delete any unwanted fields, use the delete() procedure or the xm_rewrite extension.

Examples

Example 1. Parsing NPS logs in ODBC-compliant format

This configuration uses the im_file input module to read NPS logs in ODBC-compliant format from a file. Log records are parsed into structured data using the parse_nps() procedure. Processing is done to convert the $RecordDate and $RecordTime fields into a single $EventTime field and delete fields that are not required. Finally, log records are converted to JSON using the to_json() procedure of the xm_json module.

nxlog.conf
<Extension nps>
    Module    xm_nps
</Extension>

<Extension json>
    Module    xm_json
</Extension>

<Input filein>
    Module    im_file
    File      'C:\logs\IN0921.log'
    <Exec>
        parse_nps();

        # Match the $RecordDate field to a regular expression
        if ($RecordDate =~ /(\d*)\/(\d*)\/(\d*)/)
        {
            # Convert the $RecordDate to yyyy-mm-dd format
            $RecordDate = $3 + '-' + $1 + '-' + $2;

            # Create $EventTime field
            $EventTime = parsedate($RecordDate + ' ' + $RecordTime);

            # Delete fields that are no longer needed
            delete($RecordDate);
            delete($RecordTime);
        }

        # Delete core fields that are not required
        delete($SourceModuleName);
        delete($SourceModuleType);

        to_json();
    </Exec>
</Input>
Input Sample
"RasBox","RAS",09/27/2021,19:02:09,1,"DOMAIN\user","DOMAIN\user",,,,,,"192.168.132.45",12,,"192.168.132.45",,,,0,"CONNECT 24000",1,2,4,,0,"311 1 192.168.132.45 09/27/2021 18:50:14 749",,,,,,,,,,,,,,,,,,,,,,,,,,,,"MSRASV5.00",311,,,,
Output sample in JSON format
{
  "EventReceivedTime": "2021-09-27T19:02:12.959431+03:00",
  "Hostname": "RasBox",
  "ServiceName": "RAS",
  "PacketType": "Access-Request",
  "AccountName": "DOMAIN\\user",
  "FullyQualifiedDistinguishedName": "DOMAIN\\user",
  "NASIPAddress": "192.168.132.45",
  "NASPort": 12,
  "ClientIPAddress": "192.168.132.45",
  "NASPortType": 0,
  "ConnectInfo": "CONNECT 24000",
  "FramedProtocol": 1,
  "ServiceType": 2,
  "AuthenticationType": "MS-CHAP v2",
  "ReasonCode": "IAS_SUCCESS",
  "Class": "311 1 192.168.132.45 09/27/2021 18:50:14 749",
  "MSRASVersion": "MSRASV5.00",
  "MSRASVendor": 311,
  "EventTime": "2021-09-27T19:02:09.000000+03:00"
}