Microsoft Network Policy Server (xm_nps)
This module provides functions and procedures for processing data in the Network Policy Server (NPS) format. NPS is Microsoft’s implementation of a RADIUS server and proxy and was formerly known as Internet Authentication Service (IAS). This module is capable of parsing IAS and ODBC-compliant log formats.
ODBC-compliant logs typically resemble the sample below.
"RasBox","RAS",10/22/2006,09:13:09,1,"DOMAIN\user","DOMAIN\user",,,,,,"192.168.132.45",12,,"192.168.132.45",,,,0,"CONNECT 24000",1,2,4,,0,"311 1 192.168.132.45 07/31/2006 21:35:14 749",,,,,,,,,,,,,,,,,,,,,,,,,,,,"MSRASV5.00",311,,,,
"RasBox","RAS",10/22/2006,09:13:09,3,,"DOMAIN\user",,,,,,,,,,,,,,,,,4,,36,"311 1 192.168.132.45 07/31/2006 21:35:14 749",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"0x00453D36393120523D3020563D33",,,
"RasBox","RAS",10/22/2006,09:13:13,1,"DOMAIN\user","DOMAIN\user",,,,,,"192.168.132.45",12,,"192.168.132.45",,,,0,"CONNECT 24000",1,2,4,,0,"311 1 192.168.132.45 07/31/2006 21:35:14 750",,,,,,,,,,,,,,,,,,,,,,,,,,,,"MSRASV5.00",311,,,,
For more information about the Microsoft NPS logs, see the Microsoft documentation on how to Interpret NPS Database Format Log Files.
Configuration
The xm_nps module accepts only the common module directives.
Procedures
The following procedures are exported by xm_nps.
parse_nps();
    Parse the $raw_event field as NPS input.
parse_nps(string source);
    Parse the given string as NPS format.
Creating and populating fields
The parse_nps() procedure parses NPS log records into structured data.
It expects the $raw_event field or the string passed as a parameter to be in the ODBC-compliant or IAS format described above.
Once a log record is parsed with this procedure, fields are created based on the available data. These can be used for further processing or to convert the log record to a different output format. For an example of how to parse NPS log records and manipulate fields, see Parsing NPS logs in ODBC-compliant format below.
Input modules may create additional fields containing various information. When converting to a different format, such fields will be included in the output log record, which may consume additional memory and bandwidth. For efficient handling of log records, consult the Fields section in the documentation of input modules and test the configuration before deployment. To delete any unwanted fields, use the delete() procedure or the xm_rewrite extension.
Examples
This configuration uses the im_file input module to read NPS logs in ODBC-compliant format from a file.
Log records are parsed into structured data using the parse_nps() procedure.
Processing is done to convert the $RecordDate and $RecordTime fields into a single $EventTime field and delete fields that are not required.
Finally, log records are converted to JSON using the to_json() procedure of the xm_json module.
<Extension nps>
    Module    xm_nps
</Extension>

<Extension json>
    Module    xm_json
</Extension>

<Input filein>
    Module    im_file
    File      'C:\logs\IN0921.log'
    <Exec>
        parse_nps();

        # Match the $RecordDate field to a regular expression
        if ($RecordDate =~ /(\d*)\/(\d*)\/(\d*)/)
        {
            # Convert the $RecordDate to yyyy-mm-dd format
            $RecordDate = $3 + '-' + $1 + '-' + $2;

            # Create $EventTime field
            $EventTime = parsedate($RecordDate + ' ' + $RecordTime);

            # Delete fields that are no longer needed
            delete($RecordDate);
            delete($RecordTime);
        }

        # Delete core fields that are not required
        delete($SourceModuleName);
        delete($SourceModuleType);

        to_json();
    </Exec>
</Input>
"RasBox","RAS",09/27/2021,19:02:09,1,"DOMAIN\user","DOMAIN\user",,,,,,"192.168.132.45",12,,"192.168.132.45",,,,0,"CONNECT 24000",1,2,4,,0,"311 1 192.168.132.45 09/27/2021 18:50:14 749",,,,,,,,,,,,,,,,,,,,,,,,,,,,"MSRASV5.00",311,,,,
{
  "EventReceivedTime": "2021-09-27T19:02:12.959431+03:00",
  "Hostname": "RasBox",
  "ServiceName": "RAS",
  "PacketType": "Access-Request",
  "AccountName": "DOMAIN\\user",
  "FullyQualifiedDistinguishedName": "DOMAIN\\user",
  "NASIPAddress": "192.168.132.45",
  "NASPort": 12,
  "ClientIPAddress": "192.168.132.45",
  "NASPortType": 0,
  "ConnectInfo": "CONNECT 24000",
  "FramedProtocol": 1,
  "ServiceType": 2,
  "AuthenticationType": "MS-CHAP v2",
  "ReasonCode": "IAS_SUCCESS",
  "Class": "311 1 192.168.132.45 09/27/2021 18:50:14 749",
  "MSRASVersion": "MSRASV5.00",
  "MSRASVendor": 311,
  "EventTime": "2021-09-27T19:02:09.000000+03:00"
}
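The positional mapping that turns the input record above into the JSON output can be reproduced offline, which helps when checking a collector's output against raw NPS files. The following Python sketch is an added example, not NXLog's implementation. It maps only the columns visible in the output above (column order assumed from Microsoft's ODBC-compliant layout), decodes only the values shown there plus the standard RADIUS packet codes, and runs on constructed sample records.

```python
import csv
from datetime import datetime

# Zero-based column -> field name for the columns shown in the JSON output
# above; column order assumed from Microsoft's ODBC-compliant NPS log layout.
COLUMNS = {
    0: "Hostname", 1: "ServiceName", 2: "RecordDate", 3: "RecordTime",
    4: "PacketType", 5: "AccountName", 6: "FullyQualifiedDistinguishedName",
    12: "NASIPAddress", 13: "NASPort", 15: "ClientIPAddress",
    19: "NASPortType", 20: "ConnectInfo", 21: "FramedProtocol",
    22: "ServiceType", 23: "AuthenticationType", 25: "ReasonCode", 26: "Class",
}
INT_FIELDS = {"NASPort", "NASPortType", "FramedProtocol", "ServiceType"}
# RADIUS packet codes, plus only the decodings visible in the output above.
DECODERS = {
    "PacketType": {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                   "4": "Accounting-Request", "11": "Access-Challenge"},
    "AuthenticationType": {"4": "MS-CHAP v2"},
    "ReasonCode": {"0": "IAS_SUCCESS"},
}

def _num(text):
    return int(text) if text.isdigit() else text

def parse_nps_line(line):
    """Parse one ODBC-compliant NPS record into a dict, skipping empty columns."""
    row = next(csv.reader([line]))
    event = {}
    for idx, name in COLUMNS.items():
        if idx >= len(row) or row[idx] == "":
            continue
        value = row[idx]
        if name in DECODERS:
            value = DECODERS[name].get(value, _num(value))  # unknown codes stay numeric
        elif name in INT_FIELDS:
            value = _num(value)
        event[name] = value
    # Same step as the Exec block above: merge date and time into EventTime.
    if "RecordDate" in event and "RecordTime" in event:
        stamp = event.pop("RecordDate") + " " + event.pop("RecordTime")
        event["EventTime"] = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S").isoformat()
    return event

# Constructed samples: the input record above cut after the Class column, and
# a copy altered into an Access-Reject with reason code 36.
SAMPLE_REQUEST = r'"RasBox","RAS",09/27/2021,19:02:09,1,"DOMAIN\user","DOMAIN\user",,,,,,"192.168.132.45",12,,"192.168.132.45",,,,0,"CONNECT 24000",1,2,4,,0,"311 1 192.168.132.45 09/27/2021 18:50:14 749"'
SAMPLE_REJECT = r'"RasBox","RAS",09/27/2021,19:02:10,3,"DOMAIN\user","DOMAIN\user",,,,,,"192.168.132.45",12,,"192.168.132.45",,,,0,"CONNECT 24000",1,2,4,,36,"311 1 192.168.132.45 09/27/2021 18:50:14 749"'

if __name__ == "__main__":
    print(parse_nps_line(SAMPLE_REQUEST), parse_nps_line(SAMPLE_REJECT), sep="\n")
```

The resulting EventTime carries no time zone, because the record itself only holds the server's local date and time.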