Freigeben über


Interpret NPS Database Format Log Files

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Unlike IAS-formatted log files, database-compatible log files present the data in a standard sequence and use a structure that is identical, regardless of the format used by the network access server (NAS) that sends the data. This consistent sequence and structure helps simplify accounting and authentication records. Data can be easily exported to a database.

Note

Although NPS supports both IAS-formatted and database-compatible log files, use the database-compatible log format in most instances because it supports tools compliant with Open Database Connectivity (ODBC).

Entries recorded in database-compatible log files

The following are example entries (Access-Request and Access-Accept) from a database-compatible log file.

Note

In the examples below, "IAS" refers to Internet Authentication Service. In Windows Server 2008. NPS replaces IAS. In NPS accounting data, the term IAS refers to the Network Policy Server service.

This is the first example:

"CLIENTCOMP","IAS",03/07/2008,13:04:33,1,"client",,,,,,,,,9,"10.10.10.10","npsclient",,,,,,,1,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

This is the second example:

"CLIENTCOMP","IAS",03/07/2008,13:04:33,2,,"npsclientdc/Users/client",,,,,,,,9,"10.10.10.10","npsclient",,,,,,2,1,"Allow access if dial-in permission is enabled",0,"311 1 10.10.10.11 03/07/2008 20:04:30 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

The following table shows the attributes that can be contained in a record in the database-compatible log file, the sequence in which they are recorded, and how the preceding examples are interpreted.

Additional information

  • A blank field in the first column of the table indicates that the network access server did not include a value with the attribute in the packets for the preceding example entries.

  • The Data type column identifies the data type (text, number, or time) for each attribute. When you create a database into which log files are imported, you must define each field for the data type of the attribute value that will be imported into it. In database-compatible log files, text values (such as strings, octet strings, and IP addresses) are always surrounded by double quotes. If the double quotes appear within the string, then they are replaced with a double set of double quotes.

This table shows the values for the example entries of an IAS-internal attribute.

Value shown in example Attribute Data type Description

"CLIENTCOMP"

ComputerName

Text

The name of the server where the packet was received (this is an IAS-internal attribute).

"IAS"

ServiceName

Text

The name of the service that generated the record—IAS or the Routing and Remote Access service (this is an IAS-internal attribute).

03/07/2008

Record-Date

Time

The date at the NPS or Routing and Remote Access server (this is an IAS-internal attribute).

13:04:33

Record-Time

Time

The time at the NPS or Routing and Remote Access server (this is an IAS-internal attribute).

1

Packet-Type

Number

The type of packet, which can be:

  • 1 = Access-Request

  • 2 = Access-Accept

  • 3 = Access-Reject

  • 4 = Accounting-Request

This is an IAS-internal attribute.

"client"

User-Name

Text

The user identity, as specified by the user.

 

Fully-Qualified-Distinguished-Name

Text

The user name in canonical format (this is an IAS-internal attribute).

 

Called-Station-ID

Text

The phone number dialed by the user.

 

Calling-Station-ID

Text

The phone number from which the call originated.

 

Callback-Number

Text

The callback phone number.

 

Framed-IP-Address

Text

The framed address to be configured for the user.

 

NAS-Identifier

Text

The text that identifies the network access server originating the request.

 

NAS-IP-Address

Text

The IP address of the network access server originating the request.

 

NAS-Port

Number

The physical port number of the network access server originating the request.

9

Client-Vendor

Number

The manufacturer of the network access server (this is an IAS-internal attribute).

"10.10.10.10"

Client-IP-Address

Text

The IP address of the RADIUS client (this is an IAS-internal attribute).

"npsclient"

Client-Friendly-Name

Text

The friendly name for the RADIUS client (this is an IAS-internal attribute).

 

Event-Timestamp

Time

The date and time that this event occurred on the network access server.

 

Port-Limit

Number

The maximum number of ports that the network access server provides to the user.

 

NAS-Port-Type

Number

The type of physical port that is used by the network access server originating the request.

 

Connect-Info

Text

Information that is used by the network access server to specify the type of connection made. Typical information includes connection speed and data encoding protocols.

 

Framed-Protocol

Number

The protocol to be used.

 

Service-Type

Number

The type of service that the user has requested.

1

Authentication-Type

Number

The authentication scheme, which is used to verify the user and can be:

  • 1 = PAP

  • 2 = CHAP

  • 3 = MS-CHAP

  • 4 = MS-CHAP v2

  • 5 = EAP

  • 7 = None

  • 8 = Custom

This is an IAS-internal attribute.

 

Policy-Name

Text

The friendly name of the network policy that either granted or denied access. This attribute is logged in Access-Accept and Access-Reject messages. If a user is rejected because none of the network policies matched, then this attribute is blank.

0

Reason-Code

Number

The reason for rejecting a user, which can be:

  • 0 = IAS_SUCCESS

  • 1 = IAS_INTERNAL_ERROR

  • 2 = IAS_ACCESS_DENIED

  • 3 = IAS_MALFORMED_REQUEST

  • 4 = IAS_GLOBAL_CATALOG_UNAVAILABLE

  • 5 = IAS_DOMAIN_UNAVAILABLE

  • 6 = IAS_SERVER_UNAVAILABLE

  • 7 = IAS_NO_SUCH_DOMAIN

  • 8 = IAS_NO_SUCH_USER

  • 16 = IAS_AUTH_FAILURE

  • 17 = IAS_CHANGE_PASSWORD_FAILURE

  • 18 = IAS_UNSUPPORTED_AUTH_TYPE

  • 32 = IAS_LOCAL_USERS_ONLY

  • 33 = IAS_PASSWORD_MUST_CHANGE

  • 34 = IAS_ACCOUNT_DISABLED

  • 35 = IAS_ACCOUNT_EXPIRED

  • 36 = IAS_ACCOUNT_LOCKED_OUT

  • 37 = IAS_INVALID_LOGON_HOURS

  • 38 = IAS_ACCOUNT_RESTRICTION

  • 48 = IAS_NO_POLICY_MATCH

  • 64 = IAS_DIALIN_LOCKED_OUT

  • 65 = IAS_DIALIN_DISABLED

  • 66 = IAS_INVALID_AUTH_TYPE

  • 67 = IAS_INVALID_CALLING_STATION

  • 68 = IAS_INVALID_DIALIN_HOURS

  • 69 = IAS_INVALID_CALLED_STATION

  • 70 = IAS_INVALID_PORT_TYPE

  • 71 = IAS_INVALID_RESTRICTION

  • 80 = IAS_NO_RECORD

  • 96 = IAS_SESSION_TIMEOUT

  • 97 = IAS_UNEXPECTED_REQUEST

This is an IAS-internal attribute.

 

Class

Text

The attribute that is sent to the client in an Access-Accept packet.

 

Session-Timeout

Number

The length of time (in seconds) before the session is terminated.

 

Idle-Timeout

Number

The length of idle time (in seconds) before the session is terminated.

 

Termination-Action

Number

The action that the network access server takes when service is completed.

 

EAP-Friendly-Name

Text

The friendly name of the EAP-based authentication method that was used by the access client and NPS server during the authentication process. For example, if the client and server use Extensible Authentication Protocol (EAP) and the EAP type MS-CHAP v2, the value of EAP-Friendly-Name is “Microsoft Secured Password (EAP-MSCHAPv2)."

 

Acct-Status-Type

Number

The number that specifies whether an accounting packet starts or stops a bridging, routing, or Terminal Server session.

 

Acct-Delay-Time

Number

The length of time (in seconds) for which the network access server has been sending the same accounting packet.

 

Acct-Input-Octets

Number

The number of octets received during the session.

 

Acct-Output-Octets

Number

The number of octets sent during the session.

 

Acct-Session-Id

Text

The unique numeric string that identifies the server session.

 

Acct-Authentic

Number

The number that specifies which server authenticated an incoming call.

 

Acct-Session-Time

Number

The length of time (in seconds) for which the session has been active.

 

Acct-Input-Packets

Number

The number of packets received during the session.

 

Acct-Output-Packets

Number

The number of packets sent during the session.

 

Acct-Terminate-Cause

Number

The reason that a connection was terminated.

 

Acct-Multi-Ssn-ID

Text

The unique numeric string that identifies the multilink session.

 

Acct-Link-Count

Number

The number of links in a multilink session.

 

Acct-Interim-Interval

Number

The length of interval (in seconds) between each interim update that the network access server sends.

 

Tunnel-Type

Number

The tunneling protocol to be used.

 

Tunnel-Medium-Type

Number

The medium to use when creating a tunnel for protocols. For example, L2TP packets can be sent over multiple link layers.

 

Tunnel-Client-Endpt

Text

The IP address of the tunnel client.

 

Tunnel-Server-Endpt

Text

The IP address of the tunnel server.

 

Acct-Tunnel-Conn

Text

An identifier assigned to the tunnel.

 

Tunnel-Pvt-Group-ID

Text

The group ID for a specific tunneled session.

 

Tunnel-Assignment-ID

Text

The tunnel to which a session is assigned.

 

Tunnel-Preference

Number

The preference of the tunnel type, as indicated with the Tunnel-Type attribute when multiple tunnel types are supported by the access server.

 

MS-Acct-Auth-Type

Number

A Routing and Remote Access service attribute. For more information, see RFC 2548.

 

MS-Acct-EAP-Type

Number

A Routing and Remote Access service attribute. For more information, see RFC 2548.

 

MS-RAS-Version

Text

A Routing and Remote Access service attribute. For more information, see RFC 2548.

 

MS-RAS-Vendor

Number

A Routing and Remote Access service attribute. For more information, see RFC 2548.

 

MS-CHAP-Error

Text

A Routing and Remote Access service attribute. For more information, see RFC 2548.

 

MS-CHAP-Domain

Text

A Routing and Remote Access service attribute. For more information, see RFC 2548.

 

MS-MPPE-Encryption-Types

Number

A Routing and Remote Access service attribute. For more information, see RFC 2548.

 

MS-MPPE-Encryption-Policy

Number

A Routing and Remote Access service attribute. For more information, see RFC 2548.

 

Proxy-Policy-Name

Text

The name of the connection request policy that matched the connection request.

 

Provider-Type

Number

Specifies the location where authentication occurs. Possible values are 0, 1, and 2. A value of 0 indicates that no authentication occurred. A value of 1 indicates that authentication occurs on the local NPS server. A value of 2 indicates that the connection request is forwarded to a remote RADIUS server for authentication.

 

Provider-Name

Text

A string value that corresponds to Provider-Type. Possible values are "None" for a Provider-Type value of 0, "Windows" for a Provider-Type value of 1, and "Radius Proxy" for Provider-Type value of 2.

 

Remote-Server-Address

IP address

The IP address of the remote RADIUS server to which the connection request was forwarded for authentication.

"CLIENTCOMP"

MS-RAS-Client-Name

Text

The name of the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7 and less than 40.

Value, which specifies the computer name of the endpoint that is requesting network access, is sent in ASCII format and is null terminated.

The valid character set for the computer name includes letters, numbers, and the following symbols: ! @ # $ % ^ & ‘ ) ( . - _ { } ~.

 

MS-RAS-Client-Version

Number

The operating system version that is installed on the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7.

Value, which specifies the version of the operating system on a remote access client, is a string that is in network byte order.

Entries recorded in DTS Compliant log files

ODBC and IAS legacy file types contain a subset of the information that NPS sends to its SQL Server database. In Windows Server 2008 R2, a new log file type, called DTS Compliant is available. The DTS Compliant file type’s XML format is identical to the XML format that NPS uses to import data into its SQL Server database. Therefore, the DTS Compliant file format provides a more efficient and complete transfer of data into the standard SQL Server database for NPS.

You can interpret the DTS Compliant log files using the table of the IAS-internal attributes that is listed above. However, note that the NPS log files in Windows Server 2008 R2 can contain additional information. For example, since in Windows Server 2008 R2 you can specify multiple configurations for System Health Validators (SHVs), NPS log files in Windows Server 2008 R2 contain SHV configuration details that are specific for any particular event. (For more information about multiple SHV configurations in Windows Server 2008 R2, see “Security Health Validators in Windows Server 2008 R2” in Choose a Compliant Strategy (https://go.microsoft.com/fwlink/?LinkID=182634).

The following is an example entry (Access-Accept) from a DTS Compliant log file.

<Event>
                <Timestamp data_type="4">12/22/2009 15:06:56.609</Timestamp> 
                <Computer-Name data_type="1">NAP-IAS2</Computer-Name>
                <Event-Source data_type="1">IAS</Event-Source>
                <Acct-Session-Id data_type="2">B3BA359F48CEDE4E9F78E5B3158F3B877E744D735B83CA01</Acct-Session-Id>
                <Class data_type="1">311 1 2001:4898:b0:3007:492e:957a:d44d:7093 12/16/2009 04:32:04 145361</Class>
                <MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State>
                <MS-Quarantine-State data_type="0">0</MS-Quarantine-State>
                <Client-IPv6-Address data_type="5">2001:4898:b0:3007:6cc0:9514:d2ff:cdcf</Client-IPv6-Address>
                <Client-Vendor data_type="0">0</Client-Vendor>
                <Client-Friendly-Name data_type="1">NAP-HRA2</Client-Friendly-Name>
                <Proxy-Policy-Name data_type="1">HRA</Proxy-Policy-Name>
                <Provider-Type data_type="0">1</Provider-Type>
                <Quarantine-Session-Id data_type="1">{9F35BAB3-CE48-4EDE-9F78-E5B3158F3B87} - 2009-12-22 23:06:53.319Z</Quarantine-Session-Id>
                <Machine-Inventory data_type="1">6.1.7600 0.0 x86 Workstation</Machine-Inventory>
                <Fully-Qualified-Machine-Name data_type="1">CONTOSO\CLIENT1</Fully-Qualified-Machine-Name>
                <Authentication-Type data_type="0">7</Authentication-Type>
                <System-Health-Result data_type="1">Windows Security Health Validator:Compliant:No Data:None[]:(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - )</System-Health-Result>
                <System-Health-ResultEx data_type="1">
                                <SHV-Name data_type="1">Windows Security Health Validator</SHV-Name>
                                <Config-ID data_type="0">0</Config-ID>
                                <Config-Friendly-Name data_type="1"></Config-Friendly-Name>
                                <Health-Result data_type="1">Compliant</Health-Result>
                                <Extended-Isolation-State data_type="1">No Data</Extended-Isolation-State>
                                <Failure-Category data_type="1">None</Failure-Category>
                                <Failure-Category-String data_type="1"></Failure-Category-String>
                                <Compliance-Results data_type="1"></Compliance-Results>
                </System-Health-ResultEx>
                <NP-Policy-Name data_type="1">ias2-HRA-NAPSTIR-Red-Compliant</NP-Policy-Name>
                <Quarantine-Update-Non-Compliant data_type="0">0</Quarantine-Update-Non-Compliant>
                <Framed-Protocol data_type="0">1</Framed-Protocol>
                <Service-Type data_type="0">2</Service-Type>
                <Packet-Type data_type="0">2</Packet-Type>
                <Reason-Code data_type="0">0</Reason-Code>
</Event>

The following table shows how the SHV information in this example entry can be interpreted.

Tag and value Description

<System-Health-Result data_type="1">Windows Security Health Validator:Compliant:No Data:None[]:(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - )</System-Health-Result>

Specifies the SHV details. There can be one or several System-Health-Result tags in an NPS log file entry.

<SHV-Name data_type="1">Windows Security Health Validator</SHV-Name>

Specifies the particular SHV that was used in the event.

<Config-ID data_type="0">0</Config-ID>

Specifies the SHV configuration that was used in the event.

<Config-Friendly-Name data_type="1"></Config-Friendly-Name>

Specifies the friendly name of the SHV used in the event.

<Health-Result data_type="1">Compliant</Health-Result>

Specifies the health state of the NAP client computer (compliant or noncompliant).