NXLog Documentation

You are viewing the documentation of our legacy products. Go to the NXLog Platform Documentation.

Microsoft Network Policy Server (xm_nps)

This module provides functions and procedures for processing data in the Network Policy Server (NPS) format. NPS is Microsoft’s implementation of a RADIUS server and proxy and was formerly known as Internet Authentication Service (IAS). This module is capable of parsing IAS and ODBC-compliant log formats (CSV). The module is also capable of parsing the new, so-called DTS Compliant file type which is XML-based. Parsing the new format is available through using the InpuType directive. In that case, the module tries to recognize the log file’s internal format and then parses the data accordingly. Note: mixing different data formats within a single file is not supported.

To use the parser in an input module, the InputType directive must reference the instance name of the xm_nps module.

To examine the supported platforms, see the list of installer packages in the Available Modules chapter.

ODBC-compliant logs typically resemble the sample below.

ODBC-compliant formatted data
"RasBox","RAS",10/22/2006,09:13:09,1,"DOMAIN\user","DOMAIN\user",,,,,,"192.168.132.45",12,,"192.168.132.45",,,,0,"CONNECT 24000",1,2,4,,0,"311 1 192.168.132.45 07/31/2006 21:35:14 749",,,,,,,,,,,,,,,,,,,,,,,,,,,,"MSRASV5.00",311,,,,
"RasBox","RAS",10/22/2006,09:13:09,3,,"DOMAIN\user",,,,,,,,,,,,,,,,,4,,36,"311 1 192.168.132.45 07/31/2006 21:35:14 749",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"0x00453D36393120523D3020563D33",,,
"RasBox","RAS",10/22/2006,09:13:13,1,"DOMAIN\user","DOMAIN\user",,,,,,"192.168.132.45",12,,"192.168.132.45",,,,0,"CONNECT 24000",1,2,4,,0,"311 1 192.168.132.45 07/31/2006 21:35:14 750",,,,,,,,,,,,,,,,,,,,,,,,,,,,"MSRASV5.00",311,,,,
DTS-compliant formatted data
<Event>
                <Timestamp data_type="4">12/22/2009 15:06:56.609</Timestamp>
                <Computer-Name data_type="1">NAP-IAS2</Computer-Name>
                <Event-Source data_type="1">IAS</Event-Source>
                <Acct-Session-Id data_type="2">B3BA359F48CEDE4E9F78E5B3158F3B877E744D735B83CA01</Acct-Session-Id>
                <Class data_type="1">311 1 2001:4898:b0:3007:492e:957a:d44d:7093 12/16/2009 04:32:04 145361</Class>
                <MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State>
                <MS-Quarantine-State data_type="0">0</MS-Quarantine-State>
                <Client-IPv6-Address data_type="5">2001:4898:b0:3007:6cc0:9514:d2ff:cdcf</Client-IPv6-Address>
                <Client-Vendor data_type="0">0</Client-Vendor>
                <Client-Friendly-Name data_type="1">NAP-HRA2</Client-Friendly-Name>
                <Proxy-Policy-Name data_type="1">HRA</Proxy-Policy-Name>
                <Provider-Type data_type="0">1</Provider-Type>
                <Quarantine-Session-Id data_type="1">{9F35BAB3-CE48-4EDE-9F78-E5B3158F3B87} - 2009-12-22 23:06:53.319Z</Quarantine-Session-Id>
                <Machine-Inventory data_type="1">6.1.7600 0.0 x86 Workstation</Machine-Inventory>
                <Fully-Qualified-Machine-Name data_type="1">CONTOSO\CLIENT1</Fully-Qualified-Machine-Name>
                <Authentication-Type data_type="0">7</Authentication-Type>
                <System-Health-Result data_type="1">Windows Security Health Validator:Compliant:No Data:None[]:(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - )</System-Health-Result>
                <System-Health-ResultEx data_type="1">
                                <SHV-Name data_type="1">Windows Security Health Validator</SHV-Name>
                                <Config-ID data_type="0">0</Config-ID>
                                <Config-Friendly-Name data_type="1"></Config-Friendly-Name>
                                <Health-Result data_type="1">Compliant</Health-Result>
                                <Extended-Isolation-State data_type="1">No Data</Extended-Isolation-State>
                                <Failure-Category data_type="1">None</Failure-Category>
                                <Failure-Category-String data_type="1"></Failure-Category-String>
                                <Compliance-Results data_type="1"></Compliance-Results>
                </System-Health-ResultEx>
                <NP-Policy-Name data_type="1">ias2-HRA-NAPSTIR-Red-Compliant</NP-Policy-Name>
                <Quarantine-Update-Non-Compliant data_type="0">0</Quarantine-Update-Non-Compliant>
                <Framed-Protocol data_type="0">1</Framed-Protocol>
                <Service-Type data_type="0">2</Service-Type>
                <Packet-Type data_type="0">2</Packet-Type>
                <Reason-Code data_type="0">0</Reason-Code>
</Event>

For more information about Microsoft NPS logs, see the Microsoft documentation on how to Interpret NPS Database Format Log Files.

Configuration

The xm_nps module accepts only the common module directives.

Procedures

The following procedures are exported by xm_nps.

parse_nps();

Parse the $raw_event field as NPS input.

parse_nps(string source);

Parse the given string as NPS format.

Creating and populating fields

The parse_nps() procedure parses NPS log records into structured data. It expects the $raw_event field or the string passed as a parameter to be in the ODBC-compliant or IAS format described above.

Once a log record is parsed with this procedure, fields are created based on the available data. These can be used for further processing or to convert the log record to a different output format. For an example of how to parse NPS log records and manipulate fields, see Parsing NPS logs in ODBC-compliant format below.

Input modules may create additional fields containing various information. When converting to a different format, such fields will be included in the output log record, which may consume additional memory and bandwidth. For efficient handling of log records, consult the Fields section in the documentation of input modules and test the configuration before deployment. To delete any unwanted fields, use the delete() procedure or the xm_rewrite extension.

Examples

Example 1. Parsing NPS logs in ODBC-compliant format

This configuration uses the im_file input module to read NPS logs in ODBC-compliant format from a file. Log records are parsed into structured data using the parse_nps() procedure. Processing is done to convert the $RecordDate and $RecordTime fields into a single $EventTime field and delete fields that are not required. Finally, log records are converted to JSON using the to_json() procedure of the xm_json module.

nxlog.conf
<Extension nps>
    Module    xm_nps
</Extension>

<Extension json>
    Module    xm_json
</Extension>

<Input filein>
    Module    im_file
    File      'C:\logs\IN0921.log'
    <Exec>
        parse_nps();

        # Match the $RecordDate field to a regular expression
        if ($RecordDate =~ /(\d*)\/(\d*)\/(\d*)/)
        {
            # Convert the $RecordDate to yyyy-mm-dd format
            $RecordDate = $3 + '-' + $1 + '-' + $2;

            # Create $EventTime field
            $EventTime = parsedate($RecordDate + ' ' + $RecordTime);

            # Delete fields that are no longer needed
            delete($RecordDate);
            delete($RecordTime);
        }

        # Delete core fields that are not required
        delete($SourceModuleName);
        delete($SourceModuleType);

        to_json();
    </Exec>
</Input>
Input Sample
"RasBox","RAS",09/27/2021,19:02:09,1,"DOMAIN\user","DOMAIN\user",,,,,,"192.168.132.45",12,,"192.168.132.45",,,,0,"CONNECT 24000",1,2,4,,0,"311 1 192.168.132.45 09/27/2021 18:50:14 749",,,,,,,,,,,,,,,,,,,,,,,,,,,,"MSRASV5.00",311,,,,
Output sample in JSON format
{
  "EventReceivedTime": "2021-09-27T19:02:12.959431+03:00",
  "Hostname": "RasBox",
  "ServiceName": "RAS",
  "PacketType": "Access-Request",
  "AccountName": "DOMAIN\\user",
  "FullyQualifiedDistinguishedName": "DOMAIN\\user",
  "NASIPAddress": "192.168.132.45",
  "NASPort": 12,
  "ClientIPAddress": "192.168.132.45",
  "NASPortType": 0,
  "ConnectInfo": "CONNECT 24000",
  "FramedProtocol": 1,
  "ServiceType": 2,
  "AuthenticationType": "MS-CHAP v2",
  "ReasonCode": "IAS_SUCCESS",
  "Class": "311 1 192.168.132.45 09/27/2021 18:50:14 749",
  "MSRASVersion": "MSRASV5.00",
  "MSRASVendor": 311,
  "EventTime": "2021-09-27T19:02:09.000000+03:00"
}
Example 2. Parsing NPS logs in DTS-compliant format

This configuration uses the im_file input module to read NPS logs in DTS-compliant format from a file. Log records are parsed into structured data using the IputType method.

Finally, log records are converted to JSON using the to_json() procedure of the xm_json module.

Note that the XML tag names and structures are preserved as event record names. The XML parsing is done as if it was done with xm_xml module’s parse_xml() procedure.

nxlog.conf
<Extension nps>
    Module    xm_nps
</Extension>

<Extension json>
    Module      xm_json
    PrettyPrint TRUE
</Extension>

<Input filein>
    Module    im_file
    File      'C:\logs\nps-dts.log'
    InputType nps

    <Exec>
        # Delete core fields that are not required
        delete($EventReceivedTime);
        delete($SourceModuleName);
        delete($SourceModuleType);
        delete($Hostname);

        # make fields to json
        to_json();
    </Exec>
</Input>
Input Sample
<Event>
                <Timestamp data_type="4">12/22/2009 15:06:56.609</Timestamp>
                <Computer-Name data_type="1">NAP-IAS2</Computer-Name>
                <Event-Source data_type="1">IAS</Event-Source>
                <Acct-Session-Id data_type="2">B3BA359F48CEDE4E9F78E5B3158F3B877E744D735B83CA01</Acct-Session-Id>
                <Class data_type="1">311 1 2001:4898:b0:3007:492e:957a:d44d:7093 12/16/2009 04:32:04 145361</Class>
                <MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State>
                <MS-Quarantine-State data_type="0">0</MS-Quarantine-State>
                <Client-IPv6-Address data_type="5">2001:4898:b0:3007:6cc0:9514:d2ff:cdcf</Client-IPv6-Address>
                <Client-Vendor data_type="0">0</Client-Vendor>
                <Client-Friendly-Name data_type="1">NAP-HRA2</Client-Friendly-Name>
                <Proxy-Policy-Name data_type="1">HRA</Proxy-Policy-Name>
                <Provider-Type data_type="0">1</Provider-Type>
                <Quarantine-Session-Id data_type="1">{9F35BAB3-CE48-4EDE-9F78-E5B3158F3B87} - 2009-12-22 23:06:53.319Z</Quarantine-Session-Id>
                <Machine-Inventory data_type="1">6.1.7600 0.0 x86 Workstation</Machine-Inventory>
                <Fully-Qualified-Machine-Name data_type="1">CONTOSO\CLIENT1</Fully-Qualified-Machine-Name>
                <Authentication-Type data_type="0">7</Authentication-Type>
                <System-Health-Result data_type="1">Windows Security Health Validator:Compliant:No Data:None[]:(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - )</System-Health-Result>
                <System-Health-ResultEx data_type="1">
                                <SHV-Name data_type="1">Windows Security Health Validator</SHV-Name>
                                <Config-ID data_type="0">0</Config-ID>
                                <Config-Friendly-Name data_type="1"></Config-Friendly-Name>
                                <Health-Result data_type="1">Compliant</Health-Result>
                                <Extended-Isolation-State data_type="1">No Data</Extended-Isolation-State>
                                <Failure-Category data_type="1">None</Failure-Category>
                                <Failure-Category-String data_type="1"></Failure-Category-String>
                                <Compliance-Results data_type="1"></Compliance-Results>
                </System-Health-ResultEx>
                <NP-Policy-Name data_type="1">ias2-HRA-NAPSTIR-Red-Compliant</NP-Policy-Name>
                <Quarantine-Update-Non-Compliant data_type="0">0</Quarantine-Update-Non-Compliant>
                <Framed-Protocol data_type="0">1</Framed-Protocol>
                <Service-Type data_type="0">2</Service-Type>
                <Packet-Type data_type="0">2</Packet-Type>
                <Reason-Code data_type="0">0</Reason-Code>
</Event>
Output sample in JSON format
{
    "Event.Timestamp.data_type": "4",
    "Event.Timestamp": "12/22/2009 15:06:56.609",
    "Event.Computer-Name.data_type": "1",
    "Event.Computer-Name": "NAP-IAS2",
    "Event.Event-Source.data_type": "1",
    "Event.Event-Source": "IAS",
    "Event.Acct-Session-Id.data_type": "2",
    "Event.Acct-Session-Id": "B3BA359F48CEDE4E9F78E5B3158F3B877E744D735B83CA01",
    "Event.Class.data_type": "1",
    "Event.Class": "311 1 2001:4898:b0:3007:492e:957a:d44d:7093 12/16/2009 04:32:04 145361",
    "Event.MS-Extended-Quarantine-State.data_type": "0",
    "Event.MS-Extended-Quarantine-State": "0",
    "Event.MS-Quarantine-State.data_type": "0",
    "Event.MS-Quarantine-State": "0",
    "Event.Client-IPv6-Address.data_type": "5",
    "Event.Client-IPv6-Address": "2001:4898:b0:3007:6cc0:9514:d2ff:cdcf",
    "Event.Client-Vendor.data_type": "0",
    "Event.Client-Vendor": "0",
    "Event.Client-Friendly-Name.data_type": "1",
    "Event.Client-Friendly-Name": "NAP-HRA2",
    "Event.Proxy-Policy-Name.data_type": "1",
    "Event.Proxy-Policy-Name": "HRA",
    "Event.Provider-Type.data_type": "0",
    "Event.Provider-Type": "1",
    "Event.Quarantine-Session-Id.data_type": "1",
    "Event.Quarantine-Session-Id": "{9F35BAB3-CE48-4EDE-9F78-E5B3158F3B87} - 2009-12-22 23:06:53.319Z",
    "Event.Machine-Inventory.data_type": "1",
    "Event.Machine-Inventory": "6.1.7600 0.0 x86 Workstation",
    "Event.Fully-Qualified-Machine-Name.data_type": "1",
    "Event.Fully-Qualified-Machine-Name": "CONTOSO\\CLIENT1",
    "Event.Authentication-Type.data_type": "0",
    "Event.Authentication-Type": "7",
    "Event.System-Health-Result.data_type": "1",
    "Event.System-Health-Result": "Windows Security Health Validator:Compliant:No Data:None[]:(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - )",
    "Event.System-Health-ResultEx.data_type": "1",
    "Event.System-Health-ResultEx.SHV-Name.data_type": "1",
    "Event.System-Health-ResultEx.SHV-Name": "Windows Security Health Validator",
    "Event.System-Health-ResultEx.Config-ID.data_type": "0",
    "Event.System-Health-ResultEx.Config-ID": "0",
    "Event.System-Health-ResultEx.Config-Friendly-Name.data_type": "1",
    "Event.System-Health-ResultEx.Health-Result.data_type": "1",
    "Event.System-Health-ResultEx.Health-Result": "Compliant",
    "Event.System-Health-ResultEx.Extended-Isolation-State.data_type": "1",
    "Event.System-Health-ResultEx.Extended-Isolation-State": "No Data",
    "Event.System-Health-ResultEx.Failure-Category.data_type": "1",
    "Event.System-Health-ResultEx.Failure-Category": "None",
    "Event.System-Health-ResultEx.Failure-Category-String.data_type": "1",
    "Event.System-Health-ResultEx.Compliance-Results.data_type": "1",
    "Event.NP-Policy-Name.data_type": "1",
    "Event.NP-Policy-Name": "ias2-HRA-NAPSTIR-Red-Compliant",
    "Event.Quarantine-Update-Non-Compliant.data_type": "0",
    "Event.Quarantine-Update-Non-Compliant": "0",
    "Event.Framed-Protocol.data_type": "0",
    "Event.Framed-Protocol": "1",
    "Event.Service-Type.data_type": "0",
    "Event.Service-Type": "2",
    "Event.Packet-Type.data_type": "0",
    "Event.Packet-Type": "2",
    "Event.Reason-Code.data_type": "0",
    "Event.Reason-Code": "0",
}