Interpret NPS Database Format Log Files
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
Unlike IAS-formatted log files, database-compatible log files present the data in a standard sequence and use a structure that is identical, regardless of the format used by the network access server (NAS) that sends the data. This consistent sequence and structure helps simplify accounting and authentication records. Data can be easily exported to a database.
Note
Although NPS supports both IAS-formatted and database-compatible log files, use the database-compatible log format in most instances because it supports tools compliant with Open Database Connectivity (ODBC).
Entries recorded in database-compatible log files
The following are example entries (Access-Request and Access-Accept) from a database-compatible log file.
Note
In the examples below, "IAS" refers to Internet Authentication Service. In Windows Server 2008, NPS replaces IAS. In NPS accounting data, the term IAS refers to the Network Policy Server service.
This is the first example:

```text
"CLIENTCOMP","IAS",03/07/2008,13:04:33,1,"client",,,,,,,,,9,"10.10.10.10","npsclient",,,,,,,1,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
```

This is the second example:

```text
"CLIENTCOMP","IAS",03/07/2008,13:04:33,2,,"npsclientdc/Users/client",,,,,,,,9,"10.10.10.10","npsclient",,,,,,2,1,"Allow access if dial-in permission is enabled",0,"311 1 10.10.10.11 03/07/2008 20:04:30 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
```
The following table shows the attributes that can be contained in a record in the database-compatible log file, the sequence in which they are recorded, and how the preceding examples are interpreted.
Additional information
A blank field in the first column of the table indicates that the network access server did not include a value with the attribute in the packets for the preceding example entries.
The Data type column identifies the data type (text, number, or time) for each attribute. When you create a database into which log files are imported, you must define each field for the data type of the attribute value that will be imported into it. In database-compatible log files, text values (such as strings, octet strings, and IP addresses) are always surrounded by double quotes. If the double quotes appear within the string, then they are replaced with a double set of double quotes.
This table shows the attributes in the order they are logged, with the values taken from the example entries above; several of them are IAS-internal attributes.

| Value shown in example | Attribute | Data type | Description |
|---|---|---|---|
| "CLIENTCOMP" | ComputerName | Text | The name of the server where the packet was received (this is an IAS-internal attribute). |
| "IAS" | ServiceName | Text | The name of the service that generated the record: IAS or the Routing and Remote Access service (this is an IAS-internal attribute). |
| 03/07/2008 | Record-Date | Time | The date at the NPS or Routing and Remote Access server (this is an IAS-internal attribute). |
| 13:04:33 | Record-Time | Time | The time at the NPS or Routing and Remote Access server (this is an IAS-internal attribute). |
| 1 | Packet-Type | Number | The type of packet; in the examples above, 1 is Access-Request and 2 is Access-Accept. This is an IAS-internal attribute. |
| "client" | User-Name | Text | The user identity, as specified by the user. |
| | Fully-Qualified-Distinguished-Name | Text | The user name in canonical format (this is an IAS-internal attribute). |
| | Called-Station-ID | Text | The phone number dialed by the user. |
| | Calling-Station-ID | Text | The phone number from which the call originated. |
| | Callback-Number | Text | The callback phone number. |
| | Framed-IP-Address | Text | The framed address to be configured for the user. |
| | NAS-Identifier | Text | The text that identifies the network access server originating the request. |
| | NAS-IP-Address | Text | The IP address of the network access server originating the request. |
| | NAS-Port | Number | The physical port number of the network access server originating the request. |
| 9 | Client-Vendor | Number | The manufacturer of the network access server (this is an IAS-internal attribute). |
| "10.10.10.10" | Client-IP-Address | Text | The IP address of the RADIUS client (this is an IAS-internal attribute). |
| "npsclient" | Client-Friendly-Name | Text | The friendly name for the RADIUS client (this is an IAS-internal attribute). |
| | Event-Timestamp | Time | The date and time that this event occurred on the network access server. |
| | Port-Limit | Number | The maximum number of ports that the network access server provides to the user. |
| | NAS-Port-Type | Number | The type of physical port that is used by the network access server originating the request. |
| | Connect-Info | Text | Information that is used by the network access server to specify the type of connection made. Typical information includes connection speed and data encoding protocols. |
| | Framed-Protocol | Number | The protocol to be used. |
| | Service-Type | Number | The type of service that the user has requested. |
| 1 | Authentication-Type | Number | The authentication scheme that is used to verify the user, which can be one of several values. This is an IAS-internal attribute. |
| | Policy-Name | Text | The friendly name of the network policy that either granted or denied access. This attribute is logged in Access-Accept and Access-Reject messages. If a user is rejected because none of the network policies matched, then this attribute is blank. |
| 0 | Reason-Code | Number | The reason for rejecting a user, which can be one of several codes. This is an IAS-internal attribute. |
| | Class | Text | The attribute that is sent to the client in an Access-Accept packet. |
| | Session-Timeout | Number | The length of time (in seconds) before the session is terminated. |
| | Idle-Timeout | Number | The length of idle time (in seconds) before the session is terminated. |
| | Termination-Action | Number | The action that the network access server takes when service is completed. |
| | EAP-Friendly-Name | Text | The friendly name of the EAP-based authentication method that was used by the access client and NPS server during the authentication process. For example, if the client and server use Extensible Authentication Protocol (EAP) and the EAP type MS-CHAP v2, the value of EAP-Friendly-Name is "Microsoft Secured Password (EAP-MSCHAPv2)". |
| | Acct-Status-Type | Number | The number that specifies whether an accounting packet starts or stops a bridging, routing, or Terminal Server session. |
| | Acct-Delay-Time | Number | The length of time (in seconds) for which the network access server has been sending the same accounting packet. |
| | Acct-Input-Octets | Number | The number of octets received during the session. |
| | Acct-Output-Octets | Number | The number of octets sent during the session. |
| | Acct-Session-Id | Text | The unique numeric string that identifies the server session. |
| | Acct-Authentic | Number | The number that specifies which server authenticated an incoming call. |
| | Acct-Session-Time | Number | The length of time (in seconds) for which the session has been active. |
| | Acct-Input-Packets | Number | The number of packets received during the session. |
| | Acct-Output-Packets | Number | The number of packets sent during the session. |
| | Acct-Terminate-Cause | Number | The reason that a connection was terminated. |
| | Acct-Multi-Ssn-ID | Text | The unique numeric string that identifies the multilink session. |
| | Acct-Link-Count | Number | The number of links in a multilink session. |
| | Acct-Interim-Interval | Number | The length of the interval (in seconds) between each interim update that the network access server sends. |
| | Tunnel-Type | Number | The tunneling protocol to be used. |
| | Tunnel-Medium-Type | Number | The medium to use when creating a tunnel for protocols. For example, L2TP packets can be sent over multiple link layers. |
| | Tunnel-Client-Endpt | Text | The IP address of the tunnel client. |
| | Tunnel-Server-Endpt | Text | The IP address of the tunnel server. |
| | Acct-Tunnel-Conn | Text | An identifier assigned to the tunnel. |
| | Tunnel-Pvt-Group-ID | Text | The group ID for a specific tunneled session. |
| | Tunnel-Assignment-ID | Text | The tunnel to which a session is assigned. |
| | Tunnel-Preference | Number | The preference of the tunnel type, as indicated with the Tunnel-Type attribute when multiple tunnel types are supported by the access server. |
| | MS-Acct-Auth-Type | Number | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | MS-Acct-EAP-Type | Number | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | MS-RAS-Version | Text | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | MS-RAS-Vendor | Number | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | MS-CHAP-Error | Text | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | MS-CHAP-Domain | Text | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | MS-MPPE-Encryption-Types | Number | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | MS-MPPE-Encryption-Policy | Number | A Routing and Remote Access service attribute. For more information, see RFC 2548. |
| | Proxy-Policy-Name | Text | The name of the connection request policy that matched the connection request. |
| | Provider-Type | Number | Specifies the location where authentication occurs. Possible values are 0, 1, and 2. A value of 0 indicates that no authentication occurred. A value of 1 indicates that authentication occurs on the local NPS server. A value of 2 indicates that the connection request is forwarded to a remote RADIUS server for authentication. |
| | Provider-Name | Text | A string value that corresponds to Provider-Type. Possible values are "None" for a Provider-Type value of 0, "Windows" for a Provider-Type value of 1, and "Radius Proxy" for a Provider-Type value of 2. |
| | Remote-Server-Address | IP address | The IP address of the remote RADIUS server to which the connection request was forwarded for authentication. |
| "CLIENTCOMP" | MS-RAS-Client-Name | Text | The name of the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7 and less than 40. Value, which specifies the computer name of the endpoint that is requesting network access, is sent in ASCII format and is null terminated. The valid character set for the computer name includes letters, numbers, and the following symbols: ! @ # $ % ^ & ' ) ( . - _ { } ~ |
| | MS-RAS-Client-Version | Number | The operating system version that is installed on the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7. Value, which specifies the version of the operating system on a remote access client, is a string that is in network byte order. |
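The fixed field order and the quoting rule described above are enough to write a small parser. The following is an added example (not code from the original page or from NPS): it names the first 27 positions from the table, drops blank fields, and flags rejected requests; the Access-Reject packet code (3), the second sample line, its embedded quote and its Reason-Code are all assumptions of this example.

```python
import csv

# Field positions of the database-compatible log format, in the order given by
# the attribute table above. Only the first 27 positions are named here; any
# later position is kept under its numeric index.
FIELDS = [
    "ComputerName", "ServiceName", "Record-Date", "Record-Time", "Packet-Type",
    "User-Name", "Fully-Qualified-Distinguished-Name", "Called-Station-ID",
    "Calling-Station-ID", "Callback-Number", "Framed-IP-Address", "NAS-Identifier",
    "NAS-IP-Address", "NAS-Port", "Client-Vendor", "Client-IP-Address",
    "Client-Friendly-Name", "Event-Timestamp", "Port-Limit", "NAS-Port-Type",
    "Connect-Info", "Framed-Protocol", "Service-Type", "Authentication-Type",
    "Policy-Name", "Reason-Code", "Class",
]
# 1 and 2 are the Packet-Type values shown in the page's examples; 3 is the
# standard RADIUS Access-Reject code and is an assumption of this example.
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}


def parse_record(line):
    """Split one log line into a dict keyed by attribute name. Blank fields are
    dropped: they mean the NAS sent no value for that attribute. The csv module
    applies the page's quoting rule (text in double quotes, an embedded quote
    written as two quotes)."""
    values = next(csv.reader([line], doublequote=True))
    record = {}
    for i, value in enumerate(values):
        if value == "":
            continue
        record[FIELDS[i] if i < len(FIELDS) else f"field_{i}"] = value
    record["Packet-Type-Name"] = PACKET_TYPES.get(record.get("Packet-Type"), "Other")
    return record


def is_rejection(record):
    """True for an Access-Reject or any non-zero Reason-Code: the records a
    monitoring rule on authentication failures would forward for review."""
    return (record["Packet-Type-Name"] == "Access-Reject"
            or record.get("Reason-Code", "0") != "0")


# Constructed sample: the page's second example, then an invented rejection
# whose User-Name contains an embedded quote and whose Reason-Code is made up.
SAMPLE = [
    '"CLIENTCOMP","IAS",03/07/2008,13:04:33,2,,"npsclientdc/Users/client",,,,,,,,9,'
    '"10.10.10.10","npsclient",,,,,,2,1,"Allow access if dial-in permission is enabled",0,'
    '"311 1 10.10.10.11 03/07/2008 20:04:30 1",,,',
    '"CLIENTCOMP","IAS",03/07/2008,13:05:10,3,"o""brien",,,,,,,,,9,"10.10.10.10",'
    '"npsclient",,,,,,2,1,,16,,,',
]
```

Calling `parse_record` on each line of `SAMPLE` and then `is_rejection` on the result reports the first record as an accepted request and the second as a rejection.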
Entries recorded in DTS Compliant log files
ODBC and IAS legacy file types contain a subset of the information that NPS sends to its SQL Server database. In Windows Server 2008 R2, a new log file type, called DTS Compliant, is available. The DTS Compliant file type's XML format is identical to the XML format that NPS uses to import data into its SQL Server database. Therefore, the DTS Compliant file format provides a more efficient and complete transfer of data into the standard SQL Server database for NPS.
You can interpret the DTS Compliant log files using the table of IAS-internal attributes listed above. However, note that the NPS log files in Windows Server 2008 R2 can contain additional information. For example, because Windows Server 2008 R2 lets you specify multiple configurations for System Health Validators (SHVs), NPS log files in Windows Server 2008 R2 contain the SHV configuration details that apply to each particular event. (For more information about multiple SHV configurations in Windows Server 2008 R2, see "Security Health Validators in Windows Server 2008 R2" in Choose a Compliant Strategy (https://go.microsoft.com/fwlink/?LinkID=182634).)
The following is an example entry (Access-Accept) from a DTS Compliant log file.
```xml
<Event>
<Timestamp data_type="4">12/22/2009 15:06:56.609</Timestamp>
<Computer-Name data_type="1">NAP-IAS2</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Acct-Session-Id data_type="2">B3BA359F48CEDE4E9F78E5B3158F3B877E744D735B83CA01</Acct-Session-Id>
<Class data_type="1">311 1 2001:4898:b0:3007:492e:957a:d44d:7093 12/16/2009 04:32:04 145361</Class>
<MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State>
<MS-Quarantine-State data_type="0">0</MS-Quarantine-State>
<Client-IPv6-Address data_type="5">2001:4898:b0:3007:6cc0:9514:d2ff:cdcf</Client-IPv6-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">NAP-HRA2</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">HRA</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<Quarantine-Session-Id data_type="1">{9F35BAB3-CE48-4EDE-9F78-E5B3158F3B87} - 2009-12-22 23:06:53.319Z</Quarantine-Session-Id>
<Machine-Inventory data_type="1">6.1.7600 0.0 x86 Workstation</Machine-Inventory>
<Fully-Qualified-Machine-Name data_type="1">CONTOSO\CLIENT1</Fully-Qualified-Machine-Name>
<Authentication-Type data_type="0">7</Authentication-Type>
<System-Health-Result data_type="1">Windows Security Health Validator:Compliant:No Data:None[]:(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - )</System-Health-Result>
<System-Health-ResultEx data_type="1">
<SHV-Name data_type="1">Windows Security Health Validator</SHV-Name>
<Config-ID data_type="0">0</Config-ID>
<Config-Friendly-Name data_type="1"></Config-Friendly-Name>
<Health-Result data_type="1">Compliant</Health-Result>
<Extended-Isolation-State data_type="1">No Data</Extended-Isolation-State>
<Failure-Category data_type="1">None</Failure-Category>
<Failure-Category-String data_type="1"></Failure-Category-String>
<Compliance-Results data_type="1"></Compliance-Results>
</System-Health-ResultEx>
<NP-Policy-Name data_type="1">ias2-HRA-NAPSTIR-Red-Compliant</NP-Policy-Name>
<Quarantine-Update-Non-Compliant data_type="0">0</Quarantine-Update-Non-Compliant>
<Framed-Protocol data_type="0">1</Framed-Protocol>
<Service-Type data_type="0">2</Service-Type>
<Packet-Type data_type="0">2</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>
```
The following table shows how the SHV information in this example entry can be interpreted.
| Tag and value | Description |
|---|---|
| `<System-Health-Result data_type="1">Windows Security Health Validator:Compliant:No Data:None[]:(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - ):(0x0 - )</System-Health-Result>` | Specifies the SHV details. There can be one or several System-Health-Result tags in an NPS log file entry. |
| `<SHV-Name data_type="1">Windows Security Health Validator</SHV-Name>` | Specifies the particular SHV that was used in the event. |
| `<Config-ID data_type="0">0</Config-ID>` | Specifies the SHV configuration that was used in the event. |
| `<Config-Friendly-Name data_type="1"></Config-Friendly-Name>` | Specifies the friendly name of the SHV configuration used in the event. |
| `<Health-Result data_type="1">Compliant</Health-Result>` | Specifies the health state of the NAP client computer (compliant or noncompliant). |
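Because an entry can carry several System-Health-ResultEx blocks (one per SHV configuration), a parser has to collect them as a list rather than reading a single value. The following is an added example (not code from the original page or from NPS) that parses a trimmed copy of the entry above; the second SHV block, its name, Config-ID and Noncompliant result are invented for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the DTS Compliant Access-Accept entry
# shown above, plus a second, invented System-Health-ResultEx block so that the
# multi-SHV case is exercised. The data_type attribute values are copied as-is.
SAMPLE_EVENT = r"""<Event>
<Computer-Name data_type="1">NAP-IAS2</Computer-Name>
<Fully-Qualified-Machine-Name data_type="1">CONTOSO\CLIENT1</Fully-Qualified-Machine-Name>
<System-Health-ResultEx data_type="1">
<SHV-Name data_type="1">Windows Security Health Validator</SHV-Name>
<Config-ID data_type="0">0</Config-ID>
<Config-Friendly-Name data_type="1"></Config-Friendly-Name>
<Health-Result data_type="1">Compliant</Health-Result>
</System-Health-ResultEx>
<System-Health-ResultEx data_type="1">
<SHV-Name data_type="1">Example SHV (invented)</SHV-Name>
<Config-ID data_type="0">2</Config-ID>
<Health-Result data_type="1">Noncompliant</Health-Result>
</System-Health-ResultEx>
<NP-Policy-Name data_type="1">ias2-HRA-NAPSTIR-Red-Compliant</NP-Policy-Name>
<Packet-Type data_type="0">2</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>"""


def child_text(element, tag):
    """Text of the first child named tag, or "" when it is absent or empty
    (the entry above shows empty tags such as Config-Friendly-Name)."""
    child = element.find(tag)
    return (child.text or "") if child is not None else ""


def parse_event(xml_text):
    """Turn one <Event> into a dict; every System-Health-ResultEx becomes one
    entry in shv_results so that per-configuration SHV data is not lost."""
    event = ET.fromstring(xml_text)
    return {
        "computer": child_text(event, "Computer-Name"),
        "machine": child_text(event, "Fully-Qualified-Machine-Name"),
        "policy": child_text(event, "NP-Policy-Name"),
        "packet_type": child_text(event, "Packet-Type"),
        "reason_code": child_text(event, "Reason-Code"),
        "shv_results": [
            {"shv": child_text(r, "SHV-Name"), "config_id": child_text(r, "Config-ID"),
             "config_name": child_text(r, "Config-Friendly-Name"),
             "result": child_text(r, "Health-Result")}
            for r in event.findall("System-Health-ResultEx")
        ],
    }


def noncompliant_shvs(parsed):
    """Names of the SHVs whose Health-Result is anything other than Compliant."""
    return [s["shv"] for s in parsed["shv_results"] if s["result"] != "Compliant"]
```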