
Dump NPS logs

Posted on 2014-11-20
Last Modified: 2014-11-22
How can I dump the events or logs for "Network Policy and Access Services" to a text file?
Question by:soffcec
14 Comments
 
LVL 28

Expert Comment

by:Dan McFadden
ID: 40456903
Manually, you can navigate to any event log, right-click and do a "Save All Events As."  Your Save As options are:

1. evtx
2. xml
3. txt
4. csv

Or are you looking for a script?

Dan
0
 
LVL 28

Expert Comment

by:Dan McFadden
ID: 40456910
If you are looking for events with specific event IDs or from a specific source, you can go to the appropriate event log and use the "Filter Current Log" function to select the desired events.  After finding the desired info, use the "Save Filtered Log File As" function to drop those events into the file types mentioned above.

Dan
0
 

Author Comment

by:soffcec
ID: 40457020
Well, I need a script for this. I have been trying to use wevtutil and netsh, but have not found a way to dump the NPS events.
0
 
LVL 28

Expert Comment

by:Dan McFadden
ID: 40457032
Have you tried using the plain old Event Viewer?  My posts above are based on using it.

Are you comfortable with PowerShell?

Dan
0
 

Author Comment

by:soffcec
ID: 40457039
Yes, but I need to schedule the running of the event dump. PS is OK. I have done this for a long time in Windows 2003, but I can't find out how to do this in Windows 2012R2, and I only need the logs for the NPS.
0
 
LVL 28

Expert Comment

by:Dan McFadden
ID: 40457074
OK, so a little more info is needed:

1. the scheduled task is run how often?
2. what timeframe should be in the output file?  last 24 hours, last 12h, or all...
3. what event ids or what event source are you looking for?
--- I understand NPS events, but since you've done it before it would be helpful to know exactly what you pulled
4. CSV format?

Dan
0
 

Author Comment

by:soffcec
ID: 40457090
Don't worry about the schedule, I just need the wevtutil and netsh command syntax to dump the NPS events to a text file, no matter what format (.csv, .txt).
I have never dumped NPS events in Server 2003; this is the first time I try to dump them.
On the 2003 server I was dumping other events.
0
 
LVL 28

Expert Comment

by:Dan McFadden
ID: 40457372
Have you enabled NPS logging?

Link: http://msdn.microsoft.com/en-us/library/cc730677.aspx

If so, it logs to a text file located, by default, at:  systemroot\System32\LogFiles.  You can configure this log to rotate on a regular basis.  See above link.

Here is the netsh nps command reference:  http://technet.microsoft.com/en-us/library/cc754758(v=ws.10).aspx

Here is the wevtutil command reference:  http://technet.microsoft.com/de-de/library/cc732848(v=ws.10).aspx

Dan
0
 

Author Comment

by:soffcec
ID: 40457442
The NPS logging does not log anything, I prefer to use the event viewer logs.

I have checked out both above links before. As I said, I need the syntax for netsh or wevtutil to dump the event viewer NPS
0
 
LVL 28

Accepted Solution

by:
Dan McFadden earned 2000 total points
ID: 40457629
The links I posted provide you with the command reference, aka syntax.

If you want the actual command to dump the events, you have to answer a previous post where I asked what event IDs you are looking for.  There are more than 100 unique events that are logged in the security event log.

Below is the XML for a custom event filter.

<QueryList>
 <Query Id="0" Path="Security">
 <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 12552]]</Select>
 </Query>
 </QueryList>


Save that to an .xml file, then import it into the "Custom Views" in the Event Viewer to see if you get the results you want.  If that works for you, use the command below to get the events with wevtutil:

wevtutil qe c:\test\NpsQuery.xml /sq:true /f:text > NpsQuery.txt

0
 

Author Comment

by:soffcec
ID: 40457818
Hmm, not understanding this error:

C:\Netuse>wevtutil qe NpsQuery.xml /sq:true /f:text
Failed to open event query. The specified xml text was not well-formed. See Extended Error for more details.
0
 
LVL 28

Expert Comment

by:Dan McFadden
ID: 40459108
Error is from the way the xml file content was saved.  I'll guess you used Notepad to save the file.  I suggest that you use another text editor like Notepad++ or Programmer's notepad, either of these text editors will save the file properly.

Dan
0
 

Author Comment

by:soffcec
ID: 40459462
Now I have tried to save the text with EditPlus and Notepad++ but get the same error

When I try to import to Custom View I get the error "The specified custom view is not valid."
0
 

Author Comment

by:soffcec
ID: 40459494
It is working now. I replaced the double quote with double quote.
0
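
Added example, not part of the original thread or any participant's code: a PowerShell version of the accepted answer's export that checks the saved query file before using it, on the assumption that the "not well-formed" error came from typographic quotes picked up when the XML was copied (consistent with the asker's quote replacement). `C:\test\NpsQuery.xml` is the path from the answer; the output path and the helper name `Get-ValidatedQuery` are assumptions.

```powershell
# Added example; run elevated, because reading the Security log requires it.
$QueryFile = 'C:\test\NpsQuery.xml'   # query file path from the accepted answer
$OutFile   = 'C:\test\NpsQuery.txt'   # assumed output path

function Get-ValidatedQuery {          # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Path)
    $text = Get-Content -LiteralPath $Path -Raw
    # Curly quotes and primes that web pages substitute for " and '
    $hits = [regex]::Matches($text, '[\u201C\u201D\u2033\u2018\u2019\u2032]')
    if ($hits.Count -gt 0) {
        Write-Warning "$($hits.Count) typographic quote(s) in $Path; using ASCII quotes instead."
        $text = $text -replace '[\u201C\u201D\u2033]', '"' -replace '[\u2018\u2019\u2032]', "'"
    }
    try {
        return [xml]$text              # the cast throws if the XML is not well-formed
    } catch {
        throw "Query file $Path is not well-formed XML: $($_.Exception.Message)"
    }
}

$query = Get-ValidatedQuery -Path $QueryFile
try {
    $events = @(Get-WinEvent -FilterXml $query -ErrorAction Stop)
} catch {
    # Get-WinEvent raises an error when the query matches nothing; treat that as empty.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

# One text record per event, oldest first, wide enough to avoid truncated messages.
$events | Sort-Object TimeCreated |
    Format-List TimeCreated, Id, LevelDisplayName, Message |
    Out-File -FilePath $OutFile -Encoding UTF8 -Width 400
Write-Output "$($events.Count) event(s) written to $OutFile"
```

The file on disk is left unchanged; only the in-memory copy of the query is normalised, so the warning keeps appearing until the saved XML itself is corrected.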
