The Definitive Guide To Nap Logging

  • June 2020
  • PDF




The Definitive Guide to NAP Logging

Pete Rivera is the Windows Team Lead on one of our DoD support teams and we've been working together on a NAP project. In addition to being a master of style and male fashion, Pete also puts together some great guidance for his customers. Recently, he wrote a detailed description of all the various logging capabilities that you might ever need to use to debug a NAP problem. Thanks, Pete!

1. NPS has several places where it does logging and/or creates a log. First, NPS does accounting (IAS-format) logging of its status and of the network connection process data in %windir%\system32\LogFiles, although the location can be configured. The file name starts with IN followed by a date stamp (for example INyymm.log when the log is rotated monthly).

2. Secondly, NPS can also log to a SQL Server 2000 or SQL Server 2005 database. This is used for logging user authentication and accounting requests: the requests are passed to a stored procedure in the database. Request logging is used primarily for connection analysis and billing purposes, but it is also a useful security investigation tool, providing a way of tracking down the activity of an attacker.

3. Likewise you can enable debug trace logging via netsh; this provides detailed information about Network Policy Server operation when NAP policies are configured:

   netsh ras set tracing * enabled

   (The abbreviated form netsh ras set tr * en works too, because netsh accepts unambiguous prefixes.) The NAP trace is written to %windir%\Tracing\IASNAP.log.

4. In addition, this enables a slew of other IAS/RAS-related logs in the same folder (for example IASSAM.LOG, IPSEC and so on): %windir%\Tracing\*.log

5. You also have the Event Logs. These provide a lot of information about the operation of NAP and connecting clients, but are used primarily for auditing and troubleshooting connection attempts. Depending on your build of Windows Server 2008 they are either in the System log (Beta 3) and/or the Security log (RC0 and later releases, where they are audit events under the Network Policy Server audit subcategory). There is also the Network Access Protection event log, which you'd find on NAP clients.

6. On the client side we can enable NAP client debug tracing as well. This is enabled either via netsh or via the NAP Client Configuration snap-in. The NAP agent (QAgentRt) trace is an ETL file which is only generated by using logman, so to start .etl generation you'll need to run:

   logman start QAgentRt -p {b0278a28-76f1-4e15-b1df-14b209a12613} 0xFFFFFFFF 9 -o %systemroot%\tracing\nap\QAgentRt.etl -ets

7. Likewise we can also do WSHA (Windows Security Health Agent) tracing for NAP; the trace provider GUID is {789e8f15-0cbf-4402-b0ed-0e22f90fdc8d}.

8. DHCP QEC (quarantine enforcement client) tracing: netsh dhcpclient trace enable. This command enables QEC tracing, and the trace files will be generated at %WINDIR%\System32\LogFiles\WMI\DHCP*.*

9. EAPHost tracing for 802.1X. Trace logs containing debugging information can assist in finding the root causes of issues that occur during the EAP authentication process. The debugging information can include API calls performed, internal function calls performed, and state transitions performed. Tracing can be enabled on both the client side and the authenticator side. When EAPHost tracing is enabled, the logging information is stored in an .etl file in a user-specified location.

10. EAPHost tracing for 802.1X (client side). To enable tracing on the client side, run:

   logman start trace EapHostPeer -o .\EapHostPeer.etl -p {5F31090B-D990-4e91-B16D-46121D0255AA} 0x4000ffff 0 -ets

   Reproduce the problem, then stop the trace:

   logman stop EapHostPeer -ets

   Convert the .etl file into text:

   tracerpt EapHostPeer.etl -pdb -tp -o EapHostPeer.txt

11. EAPHost tracing for 802.1X (authenticator side). To enable tracing on the authenticator side, run:

   logman start trace EapHostAuthr -o .\EapHostAuthr.etl -p {F6578502-DF4E-4a67-9661-E3A2F05D1D9B} 0x4000ffff 0 -ets

   Reproduce the problem, then stop the trace:

   logman stop EapHostAuthr -ets

   Convert the .etl file into text:

   tracerpt EapHostAuthr.etl -pdb -tp -o EapHostAuthr.txt

12. Then we have the SCCM-related logging specific to the SCCM SHA and SHV. The Configuration Manager 2007 client log files are found, by default, in %windir%\CCM\Logs. For client computers that are also management points, the log files are found in %ProgramFiles%\SMS_CCM\Logs.

13. Ccmcca.log logs the processing of compliance evaluation based on Configuration Manager NAP policy processing. It also contains the processing of remediation for each software update required for compliance.

14. locationservices.log is used by other Configuration Manager features (for example, information about the client's assigned site), but it also contains information specific to Network Access Protection when the client is in remediation. It records the required remediation servers (management point, software update point, and distribution points that host content required for compliance), which are also sent in the client statement of health.

15. SMSSha.log is the main log file for the Configuration Manager Network Access Protection client, and it contains the merged statement of health information from the two Configuration Manager components: location services (LS) and the configuration compliance agent (CCA). This log file also contains information about the interactions between the Configuration Manager System Health Agent and the operating system NAP agent, and between the Configuration Manager System Health Agent and both the configuration compliance agent and location services. It tells you whether the NAP agent initialized successfully, and records the statement of health data and the statement of health response.

16. CIAgent.log tracks the process of remediation and compliance. However, the software updates log file, Updateshandler.log, provides more detail on installing the software updates required for compliance.

17. SDMAgent.log is shared with the Configuration Manager desired configuration management feature, and it also tracks the process of remediation and compliance. Again, Updateshandler.log provides more detail about installing the software updates required for compliance.
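The server-side records from items 1 and 5 are the first thing to pull in an investigation, so here is an added PowerShell example (not part of Pete's guide) that parses IAS-format IN*.log lines into objects, flags users with a burst of Access-Reject records, and pulls the matching NPS audit events from the Security log after checking that the audit subcategory is on. It assumes the IAS layout of six fixed fields followed by attribute ID/value pairs, decodes only the attribute IDs listed in its table (anything else is kept under its numeric ID), and the log lines in the block are constructed sample data, not a real NPS log.

```powershell
#Requires -Version 3.0
# Added example (not from the guide): triage the NPS server-side records from items 1 and 5.
# Assumptions: IAS format = six fixed fields (computer, service, date, time, packet type, user)
# followed by attribute ID/value pairs; only the IDs in the table below are decoded, the rest
# are kept as AttrNNNN. The log lines at the bottom are constructed sample data.
Add-Type -AssemblyName Microsoft.VisualBasic

$IasAttributeNames = @{
    '4' = 'NAS-IP-Address'; '5' = 'NAS-Port'; '8' = 'Framed-IP-Address'
    '30' = 'Called-Station-Id'; '31' = 'Calling-Station-Id'; '40' = 'Acct-Status-Type'
    '4108' = 'Client-IP-Address'; '4128' = 'Client-Friendly-Name'
    '4142' = 'Reason-Code'; '4149' = 'NP-Policy-Name'
}
# RADIUS packet codes as they appear in the fifth fixed field
$PacketTypes = @{ '1' = 'Access-Request'; '2' = 'Access-Accept'; '3' = 'Access-Reject'
                  '4' = 'Accounting-Request'; '11' = 'Access-Challenge' }

function Split-IasFields {
    # Quote-aware split: the IAS format quotes strings but not numbers, so a plain -split ','
    # breaks on any user name or friendly name that contains a comma.
    param([string]$Line)
    $reader = New-Object System.IO.StringReader -ArgumentList $Line
    $parser = New-Object Microsoft.VisualBasic.FileIO.TextFieldParser -ArgumentList $reader
    $parser.TextFieldType = 'Delimited'
    $parser.SetDelimiters(',')
    $parser.HasFieldsEnclosedInQuotes = $true
    $fields = $parser.ReadFields()
    $parser.Close()
    return ,$fields
}

function ConvertFrom-IasRecord {
    param([string]$Line)
    $f = Split-IasFields $Line
    if (-not $f -or $f.Length -lt 6) { return $null }
    $type = if ($PacketTypes.ContainsKey($f[4])) { $PacketTypes[$f[4]] } else { $f[4] }
    $rec = [ordered]@{
        Computer   = $f[0]
        Service    = $f[1]
        Timestamp  = "$($f[2]) $($f[3])"
        PacketType = $type
        UserName   = $f[5]
    }
    for ($i = 6; $i + 1 -lt $f.Length; $i += 2) {      # remaining fields are (ID, value) pairs
        $name = if ($IasAttributeNames.ContainsKey($f[$i])) { $IasAttributeNames[$f[$i]] } else { "Attr$($f[$i])" }
        $rec[$name] = $f[$i + 1]
    }
    return [pscustomobject]$rec
}

function Find-NpsRejectBursts {
    # Users with at least $Threshold Access-Reject records: a quick password-spray / brute-force check.
    param([string[]]$Lines, [int]$Threshold = 3)
    $rejects = foreach ($l in $Lines) {
        $r = ConvertFrom-IasRecord $l
        if ($r -and $r.PacketType -eq 'Access-Reject') { $r }
    }
    $rejects | Group-Object UserName | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{
            UserName = $_.Name
            Rejects  = $_.Count
            Reasons  = (@($_.Group | ForEach-Object { $_.'Reason-Code' }) | Sort-Object -Unique) -join ','
            Stations = (@($_.Group | ForEach-Object { $_.'Calling-Station-Id' }) | Sort-Object -Unique) -join ','
        }
    }
}

function Get-NpsAuditEvents {
    # Item 5 on Server 2008 and later: NPS audit events land in the Security log only while the
    # "Network Policy Server" audit subcategory is enabled, so check that before trusting an empty result.
    param([int]$Hours = 24)
    $policy = auditpol /get '/subcategory:Network Policy Server'
    if (-not ($policy -match 'Success and Failure')) {
        Write-Warning 'NPS auditing is not fully enabled; run: auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable'
    }
    # 6273 = NPS denied access, 6276 = NPS quarantined the client (NAP)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273, 6276; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue
}

# Constructed sample: alice authenticates once, bob is rejected three times with reason code 16.
$SampleLog = @(
    '"NPS01","IAS",06/25/2020,10:15:32,1,"CONTOSO\alice",4108,"10.0.0.5",4128,"Floor1-Switch",31,"00-11-22-33-44-55"',
    '"NPS01","IAS",06/25/2020,10:15:32,2,"CONTOSO\alice",4149,"Wired-Compliant",4142,0,8,"10.0.1.21"',
    '"NPS01","IAS",06/25/2020,10:16:01,3,"CONTOSO\bob",4128,"Floor1-Switch",31,"00-11-22-33-44-66",4142,16',
    '"NPS01","IAS",06/25/2020,10:16:09,3,"CONTOSO\bob",4128,"Floor1-Switch",31,"00-11-22-33-44-66",4142,16',
    '"NPS01","IAS",06/25/2020,10:16:17,3,"CONTOSO\bob",4128,"Floor1-Switch",31,"00-11-22-33-44-66",4142,16'
)
Find-NpsRejectBursts -Lines $SampleLog | Format-Table -AutoSize
# Live system, default location from item 1:
# Find-NpsRejectBursts -Lines (Get-Content "$env:windir\system32\LogFiles\IN*.log") -Threshold 10
```

Against the sample, only CONTOSO\bob clears the default threshold. Run it on the live IN*.log with a threshold that suits your client count, and cross-check the hits against Get-NpsAuditEvents: the IAS log tells you what NPS decided, the Security log tells you why (the 6273 event carries the reason text), and the audit warning keeps you from mistaking a disabled subcategory for a quiet network.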
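Items 3 through 11 are one procedure repeated per component (enable, reproduce, stop, convert), so here is an added example (not code from the guide) that starts all of those traces at once, stops them after the repro, and converts the ETL files with tracerpt. It assumes it is run elevated on the machine being traced; the session names NapQAgent and NapWsha are our own choice, and the 0xFFFFFFFF flags and level 9 for the WSHA provider are assumed to mirror the QAgentRt command, because the guide gives only the WSHA GUID.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the guide): one start/stop wrapper for the traces in items 3-11.
# Assumptions: run elevated on the machine being traced; the session names NapQAgent and
# NapWsha are our own; the flags/level (0xFFFFFFFF 9) for the WSHA provider are copied from
# the QAgentRt command because the guide gives only the WSHA GUID.
function Start-NapTraces {
    param(
        [string]$OutDir = "$env:SystemRoot\tracing\nap-$(Get-Date -Format 'yyyyMMdd-HHmmss')",
        [switch]$Authenticator      # trace the 802.1X authenticator (NPS) side instead of the peer
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    netsh ras set tracing * enabled | Out-Null            # items 3/4: %windir%\Tracing\IASNAP.log etc.
    netsh dhcpclient trace enable | Out-Null              # item 8: DHCP QEC trace
    # items 6/7: NAP agent and Windows Security Health Agent ETW providers
    logman start NapQAgent -p '{b0278a28-76f1-4e15-b1df-14b209a12613}' '0xFFFFFFFF' '9' -o "$OutDir\QAgentRt.etl" -ets | Out-Null
    logman start NapWsha -p '{789e8f15-0cbf-4402-b0ed-0e22f90fdc8d}' '0xFFFFFFFF' '9' -o "$OutDir\Wsha.etl" -ets | Out-Null
    # items 10/11: EAPHost, peer or authenticator side
    if ($Authenticator) {
        logman start trace EapHostAuthr -o "$OutDir\EapHostAuthr.etl" -p '{F6578502-DF4E-4a67-9661-E3A2F05D1D9B}' '0x4000ffff' '0' -ets | Out-Null
    } else {
        logman start trace EapHostPeer -o "$OutDir\EapHostPeer.etl" -p '{5F31090B-D990-4e91-B16D-46121D0255AA}' '0x4000ffff' '0' -ets | Out-Null
    }
    return $OutDir
}

function Stop-NapTraces {
    param([Parameter(Mandatory = $true)][string]$OutDir)
    foreach ($session in 'NapQAgent', 'NapWsha', 'EapHostPeer', 'EapHostAuthr') {
        logman stop $session -ets 2>$null | Out-Null      # a session that was never started just reports an error
    }
    netsh dhcpclient trace disable | Out-Null             # counterpart of item 8's enable
    netsh ras set tracing * disabled | Out-Null
    # Text traces land in fixed locations (items 4 and 8); copy them next to the ETL files.
    Copy-Item "$env:SystemRoot\tracing\*.log" $OutDir -ErrorAction SilentlyContinue
    Copy-Item "$env:SystemRoot\System32\LogFiles\WMI\DHCP*.*" $OutDir -ErrorAction SilentlyContinue
    # Decode the ETL files as in items 10/11; -y suppresses the overwrite prompt.
    Get-ChildItem $OutDir -Filter *.etl | ForEach-Object {
        tracerpt $_.FullName -pdb -tp -o ($_.FullName -replace '\.etl$', '.txt') -y | Out-Null
    }
    Get-ChildItem $OutDir
}

# Usage: start, reproduce the NAP failure, then stop and collect everything in one folder.
# $dir = Start-NapTraces
# ... reproduce ...
# Stop-NapTraces -OutDir $dir
```

Collecting everything into one timestamped folder keeps the ETL, the netsh text traces and the DHCP QEC files from the same repro together, which matters when you compare timestamps across them. tracerpt can only format the messages when it finds the provider's TMF or PDB files on the paths given by -tp and -pdb; otherwise the .txt files show the events with raw payloads, and the .etl files are what you hand to whoever does have the symbols.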

18. On the server side, for the System Health Validator point you should first check the Windows Application event log on the Network Policy Server computer. This log records any failure categories and errors with the source SMS_SYSTEM_HEALTH_VALIDATOR; these are also raised as Configuration Manager status messages. More detailed logging information can be found in the Configuration Manager logs: the System Health Validator point log files are located in %systemdrive%\SMSSHV\SMS_SHV\Logs.

19. Ccmperf.log contains information about the initialization of the System Health Validator point performance counters.

20. SmsSHV.log is the main log file for the System Health Validator point. It logs the basic operations of the System Health Validator service, such as the initialization progress.

21. SmsSHVADCacheClient.log contains information about retrieving Configuration Manager health state references from Active Directory Domain Services.

22. SmsSHVCacheStore.log contains information about the cache store used to hold the Configuration Manager NAP health state references retrieved from Active Directory Domain Services, such as reading from the store and purging entries from the local cache store file.

23. SmsSHVRegistrySettings.log records any dynamic changes to the System Health Validator component configuration while the service is running.

24. SmsSHVQuarValidator.log records client statement of health information and processing operations. To obtain full information, change the registry value LogLevel from 1 to 0 under HKLM\SOFTWARE\Microsoft\SMSSHV\Logging\@GLOBAL.

25. \Logs\SMSSHVSetup.log records the success or failure (with failure reason) of installing the System Health Validator point.
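Items 12 to 25 name the Configuration Manager logs but not how to read them, so the following is an added example (not the guide's own code) that parses the CMTrace format those logs use, reports warnings and errors across the NAP-related client and SHV point logs from the paths in items 12 and 18, and copes with entries whose message spans several lines. It assumes the CMTrace layout shown in the comment, with type 1, 2 and 3 meaning informational, warning and error; the three SMSSha.log entries in the block are constructed samples with made-up messages.

```powershell
#Requires -Version 3.0
# Added example (not from the guide): pull the warnings and errors out of the Configuration Manager
# NAP logs from items 12-25. Assumption: the logs are in the CMTrace format,
#   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="..." file="...">
# with type 1 = informational, 2 = warning, 3 = error. The sample entries below are constructed.
$CmTraceEntry = [regex]'(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'

function ConvertFrom-CmTrace {
    # Takes the whole file text rather than lines: a CMTrace message may span several lines.
    param([string]$Text, [string]$LogName = '')
    foreach ($m in $CmTraceEntry.Matches($Text)) {
        $severity = switch ($m.Groups['type'].Value) { '1' { 'Info' } '2' { 'Warning' } '3' { 'Error' } default { 'Unknown' } }
        [pscustomobject]@{
            Log       = $LogName
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = $severity
            Message   = $m.Groups['msg'].Value
        }
    }
}

function Get-NapLogProblems {
    # Errors (and optionally warnings) across the NAP-related client and SHV point logs.
    param([string[]]$Paths, [switch]$IncludeWarnings)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { continue }
        ConvertFrom-CmTrace -Text (Get-Content $p -Raw) -LogName (Split-Path $p -Leaf) |
            Where-Object { $_.Severity -eq 'Error' -or ($IncludeWarnings -and $_.Severity -eq 'Warning') }
    }
}

# Default locations from items 12 and 18 (on a management point the client logs are under %ProgramFiles%\SMS_CCM\Logs).
$ClientNapLogs = 'SMSSha.log', 'Ccmcca.log', 'locationservices.log', 'CIAgent.log', 'SDMAgent.log', 'Updateshandler.log' |
    ForEach-Object { Join-Path "$env:windir\CCM\Logs" $_ }
$ShvPointLogs = 'SmsSHV.log', 'SmsSHVQuarValidator.log', 'SmsSHVADCacheClient.log', 'SmsSHVCacheStore.log', 'SmsSHVRegistrySettings.log' |
    ForEach-Object { Join-Path "$env:SystemDrive\SMSSHV\SMS_SHV\Logs" $_ }

# Constructed sample: three entries shaped like SMSSha.log, the second one spanning two lines.
$SampleShaLog = @'
<![LOG[NAP agent initialized]LOG]!><time="10:15:30.101+000" date="06-25-2020" component="SMSSha" context="" type="1" thread="2468" file="sha.cpp:101">
<![LOG[Statement of health: compliant=false
missing updates=2]LOG]!><time="10:15:31.555+000" date="06-25-2020" component="SMSSha" context="" type="2" thread="2468" file="sha.cpp:240">
<![LOG[Failed to get SoH response from NAP agent, error 0x80070005]LOG]!><time="10:15:45.002+000" date="06-25-2020" component="SMSSha" context="" type="3" thread="2468" file="sha.cpp:318">
'@

ConvertFrom-CmTrace -Text $SampleShaLog -LogName 'SMSSha.log' | Where-Object Severity -ne 'Info' | Format-Table -AutoSize
# On a live client or SHV point:
# Get-NapLogProblems -Paths ($ClientNapLogs + $ShvPointLogs) -IncludeWarnings
```

Reading the file with -Raw and matching over the whole text is what makes the two-line entry in the sample come out as one record; a line-by-line Get-Content would silently drop it. When the SHV point is the suspect, remember item 24: SmsSHVQuarValidator.log only carries the full statement-of-health detail after LogLevel has been set to 0 under the SMSSHV logging key.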
