NPS Logging - matching requests with accepts/rejects


Hi all,

I want to monitor my NPS logs to see when VPN connections are made.

I can see the requests (packet-type 1) contain the username of the user making the request but the accept and reject records (packet-types 2 and 3) do not contain a username, nor any other information I could use to match the request to the accept/reject record.

The IDs do appear consecutively, but could I trust this is always the case? Is there perhaps another setting to enable more information in the logs?

cheers

jc

3 Replies

@whatwaht NPS has a custom view in the event logs that shows successful and failed login attempts, complete with the policies that were used. Does this give you the info you need? Which logs are you trying to correlate?

Thanks for the reply Mark (and sorry for the late response).

I have set NPS to log to an SQL Server database. I have set up a job to notify when a VPN connection is attempted.
Below are the two records created when a successful connection is made:

4215 2020-01-31 09:44:41.283 PACC-FS03 1 [USERNAME] [IP] VPN Users Authentication
4216 2020-01-31 09:44:41.283 PACC-FS03 2 [IP] VPN Users Authentication

Note the first request record contains the username used to authenticate the connection and the IP of the VPN server.
The second record is a connection successful record but has no username. The [IP] is the same for all users who connect.

I don't know whether all requests and success/reject records will have consecutive IDs (first field).

jc
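One way to pair the request rows with their accept/reject rows without trusting that the IDs are always adjacent, as an added example written for this thread (it is not NPS or Microsoft code, and not the SQL Server job described in the post). It assumes the seven-column layout visible in the two posted records (id, timestamp, NPS server, packet type, username, NAS IP, policy), walks the rows in time order, and answers the oldest unanswered request on the same NPS server and NAS IP. When more than one request is pending at the moment an answer arrives, the pairing is reported as ambiguous instead of guessed, which is exactly the case where "next ID" matching silently goes wrong. The 30-second window, the FIFO rule, and every sample row other than 4215/4216 are constructed for the example.

```python
"""Pair NPS accounting rows: each Access-Request (packet type 1) with the
Access-Accept (2) or Access-Reject (3) that answers it, flagging pairings
that cannot be decided from ordering alone.

Illustration written for this thread, not NPS or Microsoft code. Column
layout follows the two records posted above; window size and the
oldest-pending-first rule are assumptions.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample rows. 4215/4216 echo the pair posted in the thread; the
# rest are made up to exercise a reject, two interleaved requests, and a
# request that never receives an answer.
SAMPLE_ROWS = [
    (4215, "2020-01-31 09:44:41.283", "PACC-FS03", 1, "alice", "10.0.0.5", "VPN Users Authentication"),
    (4216, "2020-01-31 09:44:41.283", "PACC-FS03", 2, "",      "10.0.0.5", "VPN Users Authentication"),
    (4217, "2020-01-31 09:45:02.110", "PACC-FS03", 1, "bob",   "10.0.0.5", "VPN Users Authentication"),
    (4218, "2020-01-31 09:45:02.112", "PACC-FS03", 3, "",      "10.0.0.5", "VPN Users Authentication"),
    (4219, "2020-01-31 09:46:10.000", "PACC-FS03", 1, "carol", "10.0.0.5", "VPN Users Authentication"),
    (4220, "2020-01-31 09:46:10.001", "PACC-FS03", 1, "dave",  "10.0.0.5", "VPN Users Authentication"),
    (4221, "2020-01-31 09:46:10.050", "PACC-FS03", 2, "",      "10.0.0.5", "VPN Users Authentication"),
    (4222, "2020-01-31 09:46:10.060", "PACC-FS03", 3, "",      "10.0.0.5", "VPN Users Authentication"),
    (4223, "2020-01-31 09:50:00.000", "PACC-FS03", 1, "erin",  "10.0.0.5", "VPN Users Authentication"),
]

OUTCOME = {2: "accept", 3: "reject"}  # RADIUS packet types 2 and 3


@dataclass
class Request:
    row_id: int
    when: datetime
    username: str
    overlapped: bool = False  # another request was still pending when an answer arrived


@dataclass
class Match:
    request_id: Optional[int]
    response_id: Optional[int]
    username: str
    outcome: str              # "accept", "reject", "unanswered" or "orphan"
    ambiguous: bool
    candidates: List[int] = field(default_factory=list)


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def correlate(rows, window_seconds: int = 30) -> List[Match]:
    """Walk rows in time order with a FIFO of unanswered requests per
    (NPS server, NAS IP). A type 2/3 row answers the oldest pending request;
    if several were pending, every request involved is marked ambiguous."""
    window = timedelta(seconds=window_seconds)
    pending: Dict[Tuple[str, str], deque] = defaultdict(deque)
    matches: List[Match] = []

    def expire(key, now):
        # Requests older than the window are reported as unanswered, not paired.
        while pending[key] and now - pending[key][0].when > window:
            stale = pending[key].popleft()
            matches.append(Match(stale.row_id, None, stale.username, "unanswered", False))

    ordered = sorted(rows, key=lambda r: (parse_ts(r[1]), r[0]))
    for row_id, ts, server, ptype, user, nas_ip, _policy in ordered:
        now = parse_ts(ts)
        key = (server, nas_ip)
        expire(key, now)
        if ptype == 1:
            pending[key].append(Request(row_id, now, user))
        elif ptype in OUTCOME:
            queue = pending[key]
            if not queue:
                matches.append(Match(None, row_id, "", "orphan", False))
                continue
            if len(queue) > 1:
                for req in queue:
                    req.overlapped = True
            candidates = [r.row_id for r in queue]
            req = queue.popleft()
            matches.append(Match(req.row_id, row_id, req.username, OUTCOME[ptype], req.overlapped, candidates))

    for queue in pending.values():
        for stale in queue:
            matches.append(Match(stale.row_id, None, stale.username, "unanswered", False))
    return matches


def by_request(matches: List[Match]) -> Dict[int, Match]:
    """Index results by request row id for lookups and alerting."""
    return {m.request_id: m for m in matches if m.request_id is not None}


if __name__ == "__main__":
    for m in correlate(SAMPLE_ROWS):
        flag = f" (AMBIGUOUS, candidates {m.candidates})" if m.ambiguous else ""
        print(f"{m.request_id} -> {m.response_id}: {m.username or '-'} {m.outcome}{flag}")
```

Run against the sample, 4215/4216 pairs cleanly as alice/accept, while 4221 and 4222 are both flagged because carol's and dave's requests were in flight together; a notification job should treat those as "one of these two users" rather than a definite name. The same oldest-pending-first pairing can be expressed in T-SQL with ROW_NUMBER() over the same ordering, but the ambiguity check is what keeps it honest. The event-log route the replies point at avoids the problem altogether, since the NPS audit events in the Security log (6272 for granted access, 6273 for denied) carry the username and the outcome in a single record.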

Hi @whatwaht

Sorry for the delayed reply. It looks like you're using the Accounting logs. Could you use the built-in Event Logs to get the information you need?

Thinking rather than correlating events, this might be an easier way to obtain the information you require?