Microsoft Network Policy Server (xm_nps)
This module provides functions and procedures for processing data in the Network Policy Server (NPS) format.
NPS is Microsoft’s implementation of a RADIUS server and proxy and was formerly known as Internet Authentication Service (IAS).
This module can parse the IAS and ODBC-compliant log formats (CSV). It can also parse the newer, so-called DTS Compliant file type, which is XML-based. Parsing the new format is enabled through the InputType directive; in that case, the module tries to recognize the log file's internal format and then parses the data accordingly. Note: mixing different data formats within a single file is not supported.
To use the parser in an input module, the InputType directive must reference the instance name of the xm_nps module.
ODBC-compliant logs typically resemble the first sample below; the second sample shows a DTS Compliant (XML) record.
"RasBox","RAS",10/22/2006,09:13:09,1,"DOMAIN\user","DOMAIN\user",,,,,,"192.168.132.45",12,,"192.168.132.45",,,,0,"CONNECT 24000",1,2,4,,0,"311 1 192.168.132.45 07/31/2006 21:35:14 749",,,,,,,,,,,,,,,,,,,,,,,,,,,,"MSRASV5.00",311,,,,
"RasBox","RAS",10/22/2006,09:13:09,3,,"DOMAIN\user",,,,,,,,,,,,,,,,,4,,36,"311 1 192.168.132.45 07/31/2006 21:35:14 749",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"0x00453D36393120523D3020563D33",,,
"RasBox","RAS",10/22/2006,09:13:13,1,"DOMAIN\user","DOMAIN\user",,,,,,"192.168.132.45",12,,"192.168.132.45",,,,0,"CONNECT 24000",1,2,4,,0,"311 1 192.168.132.45 07/31/2006 21:35:14 750",,,,,,,,,,,,,,,,,,,,,,,,,,,,"MSRASV5.00",311,,,,
<Event>
<Timestamp data_type="4">12/22/2009 15:06:56.609</Timestamp>
<Computer-Name data_type="1">NAP-IAS2</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Acct-Session-Id data_type="2">B3BA359F48CEDE4E9F78E5B3158F3B877E744D735B83CA01</Acct-Session-Id>
<Class data_type="1">311 1 2001:4898:b0:3007:492e:957a:d44d:7093 12/16/2009 04:32:04 145361</Class>
<MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State>
<MS-Quarantine-State data_type="0">0</MS-Quarantine-State>
<Client-IPv6-Address data_type="5">2001:4898:b0:3007:6cc0:9514:d2ff:cdcf</Client-IPv6-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">NAP-HRA2</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">HRA</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<Quarantine-Session-Id data_type="1">{9F35BAB3-CE48-4EDE-9F78-E5B3158F3B87} - 2009-12-22 23:06:53.319Z</Quarantine-Session-Id>
<Machine-Inventory data_type="1">6.1.7600 0.0 x86 Workstation</Machine-Inventory>
<Fully-Qualified-Machine-Name data_type="1">CONTOSO\CLIENT1</Fully-Qualified-Machine-Name>
<Authentication-Type data_type="0">7</Authentication-Type>
<System-Health-Result data_type="1">Windows Security Health Validator:Compliant:No Data:None[]:(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - )</System-Health-Result>
<System-Health-ResultEx data_type="1">
<SHV-Name data_type="1">Windows Security Health Validator</SHV-Name>
<Config-ID data_type="0">0</Config-ID>
<Config-Friendly-Name data_type="1"></Config-Friendly-Name>
<Health-Result data_type="1">Compliant</Health-Result>
<Extended-Isolation-State data_type="1">No Data</Extended-Isolation-State>
<Failure-Category data_type="1">None</Failure-Category>
<Failure-Category-String data_type="1"></Failure-Category-String>
<Compliance-Results data_type="1"></Compliance-Results>
</System-Health-ResultEx>
<NP-Policy-Name data_type="1">ias2-HRA-NAPSTIR-Red-Compliant</NP-Policy-Name>
<Quarantine-Update-Non-Compliant data_type="0">0</Quarantine-Update-Non-Compliant>
<Framed-Protocol data_type="0">1</Framed-Protocol>
<Service-Type data_type="0">2</Service-Type>
<Packet-Type data_type="0">2</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>
For more information about Microsoft NPS logs, see the Microsoft documentation on how to Interpret NPS Database Format Log Files.
Configuration
The xm_nps module accepts only the common module directives.
Procedures
The following procedures are exported by xm_nps.
parse_nps();
    Parse the $raw_event field as NPS input.
parse_nps(string source);
    Parse the given string as NPS format.
Creating and populating fields
The parse_nps() procedure parses NPS log records into structured data. It expects the $raw_event field or the string passed as a parameter to be in the ODBC-compliant or IAS format described above.
Once a log record is parsed with this procedure, fields are created based on the available data. These can be used for further processing or to convert the log record to a different output format. For an example of how to parse NPS log records and manipulate fields, see Parsing NPS logs in ODBC-compliant format below.
Input modules may create additional fields containing various information. When converting to a different format, such fields will be included in the output log record, which may consume additional memory and bandwidth. For efficient handling of log records, consult the Fields section in the documentation of input modules and test the configuration before deployment. To delete any unwanted fields, use the delete() procedure or the xm_rewrite extension.
Examples
This configuration uses the im_file input module to read NPS logs in ODBC-compliant format from a file. Log records are parsed into structured data using the parse_nps() procedure. Processing is done to convert the $RecordDate and $RecordTime fields into a single $EventTime field and to delete fields that are not required. Finally, log records are converted to JSON using the to_json() procedure of the xm_json module.
<Extension nps>
    Module  xm_nps
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input filein>
    Module  im_file
    File    'C:\logs\IN0921.log'
    <Exec>
        parse_nps();
        # Match the $RecordDate field to a regular expression
        if ($RecordDate =~ /(\d*)\/(\d*)\/(\d*)/)
        {
            # Convert the $RecordDate to yyyy-mm-dd format
            $RecordDate = $3 + '-' + $1 + '-' + $2;
            # Create $EventTime field
            $EventTime = parsedate($RecordDate + ' ' + $RecordTime);
            # Delete fields that are no longer needed
            delete($RecordDate);
            delete($RecordTime);
        }
        # Delete core fields that are not required
        delete($SourceModuleName);
        delete($SourceModuleType);
        to_json();
    </Exec>
</Input>
"RasBox","RAS",09/27/2021,19:02:09,1,"DOMAIN\user","DOMAIN\user",,,,,,"192.168.132.45",12,,"192.168.132.45",,,,0,"CONNECT 24000",1,2,4,,0,"311 1 192.168.132.45 09/27/2021 18:50:14 749",,,,,,,,,,,,,,,,,,,,,,,,,,,,"MSRASV5.00",311,,,,
{
"EventReceivedTime": "2021-09-27T19:02:12.959431+03:00",
"Hostname": "RasBox",
"ServiceName": "RAS",
"PacketType": "Access-Request",
"AccountName": "DOMAIN\\user",
"FullyQualifiedDistinguishedName": "DOMAIN\\user",
"NASIPAddress": "192.168.132.45",
"NASPort": 12,
"ClientIPAddress": "192.168.132.45",
"NASPortType": 0,
"ConnectInfo": "CONNECT 24000",
"FramedProtocol": 1,
"ServiceType": 2,
"AuthenticationType": "MS-CHAP v2",
"ReasonCode": "IAS_SUCCESS",
"Class": "311 1 192.168.132.45 09/27/2021 18:50:14 749",
"MSRASVersion": "MSRASV5.00",
"MSRASVendor": 311,
"EventTime": "2021-09-27T19:02:09.000000+03:00"
}
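As an added example (not NXLog's own code), a Python equivalent of what parse_nps() and the configuration above do with an ODBC-compliant record: positional columns are mapped to the field names shown in the JSON output, numeric codes are given their symbolic names, and $RecordDate/$RecordTime are folded into EventTime. Column positions are taken from the sample record on this page; the code-to-name tables are assumptions limited to the RADIUS packet codes and NPS authentication types they list.

```python
import csv
import io
from datetime import datetime

# Column positions of the ODBC-compliant layout, as laid out in the sample
# record above; field names follow the page's JSON output.
ODBC_COLUMNS = {
    0: "Hostname", 1: "ServiceName", 2: "RecordDate", 3: "RecordTime",
    4: "PacketType", 5: "AccountName", 6: "FullyQualifiedDistinguishedName",
    12: "NASIPAddress", 13: "NASPort", 15: "ClientIPAddress", 19: "NASPortType",
    20: "ConnectInfo", 21: "FramedProtocol", 22: "ServiceType",
    23: "AuthenticationType", 24: "NPPolicyName", 25: "ReasonCode", 26: "Class",
}
# Symbolic names for the numeric codes (RADIUS packet codes, NPS authentication
# types); codes not listed here are kept as integers (assumed tables).
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAP v2", 5: "EAP"}
REASON_CODES = {0: "IAS_SUCCESS"}

def parse_nps_odbc(line):
    """Parse one ODBC-compliant NPS record into named fields, like parse_nps()."""
    row = next(csv.reader(io.StringIO(line)))   # quoted fields, backslashes kept
    rec = {}
    for idx, name in ODBC_COLUMNS.items():
        if idx < len(row) and row[idx] != "":
            rec[name] = int(row[idx]) if row[idx].isdigit() else row[idx]
    for name, table in (("PacketType", PACKET_TYPES),
                        ("AuthenticationType", AUTH_TYPES),
                        ("ReasonCode", REASON_CODES)):
        if name in rec:
            rec[name] = table.get(rec[name], rec[name])
    # Fold RecordDate (mm/dd/yyyy) and RecordTime into one EventTime field, as
    # the configuration above does; keep the raw fields if they do not parse.
    try:
        stamp = datetime.strptime(
            f"{rec['RecordDate']} {rec['RecordTime']}", "%m/%d/%Y %H:%M:%S")
    except (KeyError, ValueError):
        return rec
    rec["EventTime"] = stamp.isoformat()   # NPS server local time, no offset
    del rec["RecordDate"], rec["RecordTime"]
    return rec

# Sample record from the page (the input of the configuration above).
SAMPLE = ('"RasBox","RAS",09/27/2021,19:02:09,1,"DOMAIN\\user","DOMAIN\\user",'
          ',,,,,"192.168.132.45",12,,"192.168.132.45",,,,0,"CONNECT 24000",1,2,4,'
          ',0,"311 1 192.168.132.45 09/27/2021 18:50:14 749"')
```

Calling parse_nps_odbc(SAMPLE) yields the same field set as the JSON output above, minus the EventReceivedTime and MS-RAS fields and with a naive local EventTime.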
This configuration uses the im_file input module to read NPS logs in DTS-compliant format from a file. Log records are parsed into structured data using the InputType directive. Finally, log records are converted to JSON using the to_json() procedure of the xm_json module.
Note that the XML tag names and structures are preserved as event fields. The XML parsing works in the same way as using the parse_xml() procedure of the xm_xml module.
<Extension nps>
    Module  xm_nps
</Extension>

<Extension json>
    Module       xm_json
    PrettyPrint  TRUE
</Extension>

<Input filein>
    Module     im_file
    File       'C:\logs\nps-dts.log'
    InputType  nps
    <Exec>
        # Delete core fields that are not required
        delete($EventReceivedTime);
        delete($SourceModuleName);
        delete($SourceModuleType);
        delete($Hostname);
        # Convert the fields to JSON
        to_json();
    </Exec>
</Input>
<Event>
<Timestamp data_type="4">12/22/2009 15:06:56.609</Timestamp>
<Computer-Name data_type="1">NAP-IAS2</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Acct-Session-Id data_type="2">B3BA359F48CEDE4E9F78E5B3158F3B877E744D735B83CA01</Acct-Session-Id>
<Class data_type="1">311 1 2001:4898:b0:3007:492e:957a:d44d:7093 12/16/2009 04:32:04 145361</Class>
<MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State>
<MS-Quarantine-State data_type="0">0</MS-Quarantine-State>
<Client-IPv6-Address data_type="5">2001:4898:b0:3007:6cc0:9514:d2ff:cdcf</Client-IPv6-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">NAP-HRA2</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">HRA</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<Quarantine-Session-Id data_type="1">{9F35BAB3-CE48-4EDE-9F78-E5B3158F3B87} - 2009-12-22 23:06:53.319Z</Quarantine-Session-Id>
<Machine-Inventory data_type="1">6.1.7600 0.0 x86 Workstation</Machine-Inventory>
<Fully-Qualified-Machine-Name data_type="1">CONTOSO\CLIENT1</Fully-Qualified-Machine-Name>
<Authentication-Type data_type="0">7</Authentication-Type>
<System-Health-Result data_type="1">Windows Security Health Validator:Compliant:No Data:None[]:(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - )</System-Health-Result>
<System-Health-ResultEx data_type="1">
<SHV-Name data_type="1">Windows Security Health Validator</SHV-Name>
<Config-ID data_type="0">0</Config-ID>
<Config-Friendly-Name data_type="1"></Config-Friendly-Name>
<Health-Result data_type="1">Compliant</Health-Result>
<Extended-Isolation-State data_type="1">No Data</Extended-Isolation-State>
<Failure-Category data_type="1">None</Failure-Category>
<Failure-Category-String data_type="1"></Failure-Category-String>
<Compliance-Results data_type="1"></Compliance-Results>
</System-Health-ResultEx>
<NP-Policy-Name data_type="1">ias2-HRA-NAPSTIR-Red-Compliant</NP-Policy-Name>
<Quarantine-Update-Non-Compliant data_type="0">0</Quarantine-Update-Non-Compliant>
<Framed-Protocol data_type="0">1</Framed-Protocol>
<Service-Type data_type="0">2</Service-Type>
<Packet-Type data_type="0">2</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>
{
"Event.Timestamp.data_type": "4",
"Event.Timestamp": "12/22/2009 15:06:56.609",
"Event.Computer-Name.data_type": "1",
"Event.Computer-Name": "NAP-IAS2",
"Event.Event-Source.data_type": "1",
"Event.Event-Source": "IAS",
"Event.Acct-Session-Id.data_type": "2",
"Event.Acct-Session-Id": "B3BA359F48CEDE4E9F78E5B3158F3B877E744D735B83CA01",
"Event.Class.data_type": "1",
"Event.Class": "311 1 2001:4898:b0:3007:492e:957a:d44d:7093 12/16/2009 04:32:04 145361",
"Event.MS-Extended-Quarantine-State.data_type": "0",
"Event.MS-Extended-Quarantine-State": "0",
"Event.MS-Quarantine-State.data_type": "0",
"Event.MS-Quarantine-State": "0",
"Event.Client-IPv6-Address.data_type": "5",
"Event.Client-IPv6-Address": "2001:4898:b0:3007:6cc0:9514:d2ff:cdcf",
"Event.Client-Vendor.data_type": "0",
"Event.Client-Vendor": "0",
"Event.Client-Friendly-Name.data_type": "1",
"Event.Client-Friendly-Name": "NAP-HRA2",
"Event.Proxy-Policy-Name.data_type": "1",
"Event.Proxy-Policy-Name": "HRA",
"Event.Provider-Type.data_type": "0",
"Event.Provider-Type": "1",
"Event.Quarantine-Session-Id.data_type": "1",
"Event.Quarantine-Session-Id": "{9F35BAB3-CE48-4EDE-9F78-E5B3158F3B87} - 2009-12-22 23:06:53.319Z",
"Event.Machine-Inventory.data_type": "1",
"Event.Machine-Inventory": "6.1.7600 0.0 x86 Workstation",
"Event.Fully-Qualified-Machine-Name.data_type": "1",
"Event.Fully-Qualified-Machine-Name": "CONTOSO\\CLIENT1",
"Event.Authentication-Type.data_type": "0",
"Event.Authentication-Type": "7",
"Event.System-Health-Result.data_type": "1",
"Event.System-Health-Result": "Windows Security Health Validator:Compliant:No Data:None[]:(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - )",
"Event.System-Health-ResultEx.data_type": "1",
"Event.System-Health-ResultEx.SHV-Name.data_type": "1",
"Event.System-Health-ResultEx.SHV-Name": "Windows Security Health Validator",
"Event.System-Health-ResultEx.Config-ID.data_type": "0",
"Event.System-Health-ResultEx.Config-ID": "0",
"Event.System-Health-ResultEx.Config-Friendly-Name.data_type": "1",
"Event.System-Health-ResultEx.Health-Result.data_type": "1",
"Event.System-Health-ResultEx.Health-Result": "Compliant",
"Event.System-Health-ResultEx.Extended-Isolation-State.data_type": "1",
"Event.System-Health-ResultEx.Extended-Isolation-State": "No Data",
"Event.System-Health-ResultEx.Failure-Category.data_type": "1",
"Event.System-Health-ResultEx.Failure-Category": "None",
"Event.System-Health-ResultEx.Failure-Category-String.data_type": "1",
"Event.System-Health-ResultEx.Compliance-Results.data_type": "1",
"Event.NP-Policy-Name.data_type": "1",
"Event.NP-Policy-Name": "ias2-HRA-NAPSTIR-Red-Compliant",
"Event.Quarantine-Update-Non-Compliant.data_type": "0",
"Event.Quarantine-Update-Non-Compliant": "0",
"Event.Framed-Protocol.data_type": "0",
"Event.Framed-Protocol": "1",
"Event.Service-Type.data_type": "0",
"Event.Service-Type": "2",
"Event.Packet-Type.data_type": "0",
"Event.Packet-Type": "2",
"Event.Reason-Code.data_type": "0",
"Event.Reason-Code": "0"
}
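Added example, not part of the xm_nps module: a Python function that flattens a DTS-compliant <Event> into the dotted field names shown in the output above (each data_type attribute becomes its own key, empty elements get no value key), run over an excerpt of the page's sample record; nap_compliant() is an assumed helper name.

```python
import xml.etree.ElementTree as ET

# Excerpt of the DTS-compliant sample record above (a few elements, including
# the nested System-Health-ResultEx group and one empty element).
SAMPLE_EVENT = """<Event>
<Timestamp data_type="4">12/22/2009 15:06:56.609</Timestamp>
<Computer-Name data_type="1">NAP-IAS2</Computer-Name>
<Client-IPv6-Address data_type="5">2001:4898:b0:3007:6cc0:9514:d2ff:cdcf</Client-IPv6-Address>
<System-Health-ResultEx data_type="1">
<SHV-Name data_type="1">Windows Security Health Validator</SHV-Name>
<Config-Friendly-Name data_type="1"></Config-Friendly-Name>
<Health-Result data_type="1">Compliant</Health-Result>
</System-Health-ResultEx>
<Packet-Type data_type="0">2</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>"""

def flatten_nps_dts(xml_text):
    """Flatten one <Event> into the dotted field names shown in the output
    above: a leaf element becomes 'Event.<tag>', every data_type attribute
    becomes 'Event.<tag>.data_type', and an empty leaf gets no value key."""
    fields = {}

    def walk(elem, path):
        if "data_type" in elem.attrib:
            fields[path + ".data_type"] = elem.attrib["data_type"]
        children = list(elem)
        if children:                 # group element: recurse, keep no value key
            for child in children:
                walk(child, path + "." + child.tag)
        elif elem.text:              # None or "" for an empty element
            fields[path] = elem.text

    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return fields

def nap_compliant(fields):
    """True when the flattened record reports a Compliant NAP health check and
    the RADIUS reply was an Access-Accept (Packet-Type 2)."""
    return (fields.get("Event.System-Health-ResultEx.Health-Result") == "Compliant"
            and fields.get("Event.Packet-Type") == "2")
```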