Running into something very painful. We use Microsoft's Network Policy Server, and need the Network Policy Server security event subcategory to work – specifically, event IDs 6273 and 6272. NPS works, but event logs are not being written.
We've verified the following:
Network Policy Server is configured to log success and failure events:
    PS > auditpol /get /subcategory:"Network Policy Server"
    System audit policy
    Category/Subcategory                      Setting
    Logon/Logoff
      Network Policy Server                   Success and Failure

    PS > cat $env:systemroot\security\audit\audit.csv | select-string net
    ,System,Audit Network Policy Server,{0cce9243-69ae-11d9-bed3-505054503030},Success and Failure,,3
We've confirmed that NPS is configured to log these:
- Open NPS > Right click NPS (Local) > Properties > General Tab, both Successful and Rejected authentication requests boxes are checked
Unacceptable workarounds:
- Text logs. They are being written without issue, but we have a variety of services and tools configured to use the event log data that should be working.
What we've tried:
- Restarting :shrug:
- Manually disable network policy server audit policy, re-enable
- Disable network policy server configuration to log successful and rejected authentication requests
- Pair the above with restarting eventlog and ias services
Regardless of any changes, no NPS events are written to the event log.
I'm sort of at a loss, outside of diving into procmon, but I have no idea when/where this might be failing, so something so verbose may not be super helpful.
Thanks!
Best Answer
I would try setting the logging to disabled, then enable it again (possibly with a reboot before enabling it again).
From an elevated command prompt:
To disable
To enable
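To check whether a disable/enable cycle actually took effect, the following script (an added example, not part of the original answer) reads the effective audit setting for the NPS subcategory, confirms the `IAS` and `EventLog` services are running, and counts recent 6272/6273 events in the Security log. The one-hour lookback window and the English CSV column name `Inclusion Setting` are assumptions.

```powershell
# Added example: run from an elevated PowerShell session on the NPS server.
$npsGuid  = '{0cce9243-69ae-11d9-bed3-505054503030}'  # subcategory GUID from audit.csv in the question
$lookback = (Get-Date).AddHours(-1)                   # assumption: a test authentication ran in the last hour

# 1. Effective audit policy, queried by GUID so a localized subcategory name does not matter.
#    /r emits CSV; blank lines are dropped before parsing.
$subArg  = "/subcategory:$npsGuid"
$policy  = auditpol /get $subArg /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
$setting = $policy.'Inclusion Setting'                # assumption: English column headers

# 2. Both services the question restarts must be running for events to be written.
$services = Get-Service -Name IAS, EventLog | Select-Object Name, Status

# 3. Count NPS "granted access" (6272) and "denied access" (6273) events in the Security log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = $lookback
} -ErrorAction SilentlyContinue   # "no events found" is reported as an error; treat it as zero

$counts = @{ 6272 = 0; 6273 = 0 }
foreach ($e in $events) { $counts[[int]$e.Id]++ }

# 4. One summary object, easy to compare before and after toggling the policy.
[pscustomobject]@{
    AuditSetting = $setting
    AuditEnabled = $setting -eq 'Success and Failure'
    ServicesUp   = -not ($services | Where-Object Status -ne 'Running')
    Granted6272  = $counts[6272]
    Denied6273   = $counts[6273]
}
```

If `AuditEnabled` and `ServicesUp` are both `True` but the two counts stay at zero after a test authentication, the condition described in the question is still present.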