Windows NPS (RADIUS)

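# nxlog installation root; every path below is derived from it.
define ROOT C:\Program Files (x86)\nxlog

# Modules are loaded into the nxlog service process, so only administrators
# should be able to write to this directory.
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
# Must name a file: a value that ends in a bare backslash is read as a line
# continuation and folds the next directive into this one.
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
# nxlog's own diagnostic log (not the forwarded RADIUS data).
LogFile %ROOT%\data\nxlog.log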

# Load the modules needed by the outputs
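# xm_json provides to_json(), which the broker output calls on every record.
<Extension json>
    Module      xm_json
</Extension>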

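# xm_xml provides parse_xml(), which the IAS_Accounting_Logs input calls.
<Extension xml>
    Module xm_xml
</Extension>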

# Inputs. Add the field '$type' so the receiver can easily tell what type they are.
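<Input IAS_Event_Logs>
    Module      im_msvistalog
    # Collects events from the NPS, HRA, Microsoft-Windows-HCAP and RemoteAccess
    # providers in the System log, plus Security-log audit records with
    # Task 12552 (expected to be the Network Policy Server audit category;
    # confirm on your build). Those Security events are only written when
    # auditing for that subcategory is enabled for both success and failure,
    # so verify the audit policy or authentication results will be missing.
    # Every query line except the last ends in "\" so nxlog reads the whole
    # <QueryList> as one Query value; the last line must not end in "\" or the
    # following Exec would be folded into the query.
    Query <QueryList>\
            <Query Id="0" Path="System">\
              <Select Path="System">*[System[Provider[@Name='NPS']]]</Select>\
              <Select Path="System">*[System[Provider[@Name='HRA']]]</Select>\
              <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-HCAP']]]</Select>\
              <Select Path="System">*[System[Provider[@Name='RemoteAccess']]]</Select>\
              <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 12552]]</Select>\
            </Query>\
          </QueryList>
    # Tag each record so the receiver can tell event-log records apart from
    # accounting records.
    Exec $type = "RADIUS";
</Input>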

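<Input IAS_Accounting_Logs>
    Module      im_file
    # NPS accounting files matching IN*.log in E:\IAS_Logs.
    # NOTE(review): inside a double-quoted nxlog string a backslash may be
    # treated as an escape character; confirm this path resolves as intended.
    File "E:\IAS_Logs\IN*.log"
    # parse_xml() expects each line to be an XML record, so NPS accounting must
    # be writing an XML-based log format; other formats will not parse.
    Exec parse_xml();
    # Tag each record so the receiver can tell accounting records apart from
    # event-log records.
    Exec $type = "RADIUSAccounting";
</Input>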

# Send the logs out using the TCP module, converting them to JSON format (important)
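<Output broker>
    # om_tcp sends every record in clear text and does not authenticate the
    # receiver. NPS records typically carry user names, client addresses and
    # authentication results, so keep this link on a trusted network segment,
    # or use om_ssl with certificate verification if the receiver supports TLS.
    Module      om_tcp
    # No Host directive appears in this listing, yet om_tcp needs a destination.
    # Replace the placeholder below with the receiver's address.
    Host        RECEIVER_HOST_PLACEHOLDER
    Port        8899
    # Serialise each record's fields, including $type, as JSON before sending.
    Exec to_json();
</Output>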

# Routes
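# Both inputs feed the single broker output.
<Route 1>
    Path        IAS_Event_Logs,IAS_Accounting_Logs => broker
</Route>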

# Rotate the input logs while we're at it, so we don't need a separate tool
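<Extension exec>
    Module xm_exec
    # When and Exec only take effect inside a Schedule block.
    <Schedule>
        When @daily
        # Runs forfiles by absolute path, which avoids search-path ambiguity.
        # /D -1 selects files in E:\IAS_Logs last modified at least one day
        # ago, and each one is moved to the share with "cmd /c move".
        # The move runs under the nxlog service account, so that account needs
        # write access to the share. The share then holds RADIUS authentication
        # and accounting data: restrict who can read it.
        # NOTE(review): the target begins with three backslashes; a UNC path
        # normally begins with two. Confirm the intended destination.
        # Note - the Exec statement is one line but may appear wrapped
        Exec exec('C:\Windows\System32\forfiles.exe','/P','"E:\IAS_Logs"','/D','-1','/C','"cmd','/c','move','@file','\\\share\logs\radius1"');
    </Schedule>
</Extension>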