The Definitive Guide to NAP Logging


Pete Rivera is the Windows Team Lead on one of our DoD support teams and we've been working
together on a NAP project. In addition to being a master of style and male fashion, Pete also puts
together some great guidance for his customers. Recently, he wrote a detailed description of all the
various logging capabilities that you might ever need to use to debug a NAP problem. Thanks, Pete!
1. NPS logs in several places and creates several different logs. First, the accounting (IAS) logging of NPS status and network connection process data goes to %windir%\system32\LogFiles by default, although it can be configured to an alternative location. The log file is:
IN<date>.log
Before you write anything that parses this file, check which of the two file formats (IAS or database-compatible) is selected in the accounting properties; the column layout differs.
2. Second, we can also do SQL logging to a SQL Server 2000 or SQL Server 2005 database. This logs user authentication and accounting requests through a stored procedure in the database. Request logging is used primarily for connection analysis and billing purposes, but it is also useful as a security investigation tool, providing a way to track down the activity of an attacker.
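
The investigation use mentioned above is easiest to show with a parser over the IN<date>.log file. The following is an added example, not part of Pete's write-up or this post. It assumes the IAS log format (four header fields: computer, service, date, time; followed by attribute-ID,value pairs) and the subset of attribute IDs listed in the code; the log lines are constructed for the example. It flags accounts that collect several Access-Rejects within a short window, which is the kind of pattern you look for when tracing a password-guessing attempt against NPS.

```python
"""Parse NPS accounting records in IAS format and flag bursts of Access-Rejects.

Added example; not code from the original post. Assumes the IAS-format layout:
ComputerName,ServiceName,Record-Date,Record-Time, then attribute-ID,value pairs.
"""
from collections import defaultdict
from datetime import datetime

# Attribute IDs as used in the NPS IAS-format log (subset; the names are the
# documented RADIUS/NPS attribute names, listed here as an assumption).
ATTR_NAMES = {
    "1": "User-Name",
    "4": "NAS-IP-Address",
    "31": "Calling-Station-Id",
    "4108": "Client-IP-Address",
    "4128": "Client-Friendly-Name",
    "4136": "Packet-Type",
    "4142": "Reason-Code",
    "4149": "NP-Policy-Name",
}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

# Constructed sample of what an IN0902.log might contain (not real data).
# Reason-Code 16 is NPS's "credentials mismatch". CORP\admin is rejected three
# times in under a minute; CORP\jdoe has one accept and one isolated reject.
SAMPLE_LOG = """\
NPS1,IAS,02/20/2009,09:15:01,4108,10.0.0.5,4128,CoreSwitch1,4136,1,1,CORP\\jdoe,4,10.0.0.5,31,00-1A-2B-3C-4D-5E
NPS1,IAS,02/20/2009,09:15:01,4108,10.0.0.5,4128,CoreSwitch1,4136,2,1,CORP\\jdoe,4,10.0.0.5,4142,0,4149,NAP 802.1X Compliant
NPS1,IAS,02/20/2009,09:16:10,4108,10.0.0.5,4128,CoreSwitch1,4136,1,1,CORP\\admin,4,10.0.0.5,31,00-1A-2B-3C-4D-5F
NPS1,IAS,02/20/2009,09:16:10,4108,10.0.0.5,4128,CoreSwitch1,4136,3,1,CORP\\admin,4,10.0.0.5,4142,16
NPS1,IAS,02/20/2009,09:16:40,4108,10.0.0.5,4128,CoreSwitch1,4136,1,1,CORP\\admin,4,10.0.0.5,31,00-1A-2B-3C-4D-5F
NPS1,IAS,02/20/2009,09:16:40,4108,10.0.0.5,4128,CoreSwitch1,4136,3,1,CORP\\admin,4,10.0.0.5,4142,16
NPS1,IAS,02/20/2009,09:17:05,4108,10.0.0.5,4128,CoreSwitch1,4136,1,1,CORP\\admin,4,10.0.0.5,31,00-1A-2B-3C-4D-5F
NPS1,IAS,02/20/2009,09:17:05,4108,10.0.0.5,4128,CoreSwitch1,4136,3,1,CORP\\admin,4,10.0.0.5,4142,16
NPS1,IAS,02/20/2009,09:31:22,4108,10.0.0.5,4128,CoreSwitch1,4136,3,1,CORP\\jdoe,4,10.0.0.5,4142,16
"""


def parse_ias_record(line):
    """Turn one IAS-format line into a dict keyed by attribute name."""
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < 4 or fields[1] != "IAS":
        raise ValueError("not an IAS-format record: %r" % line)
    rec = {
        "computer": fields[0],
        "timestamp": datetime.strptime(fields[2] + " " + fields[3],
                                       "%m/%d/%Y %H:%M:%S"),
    }
    pairs = fields[4:]
    if len(pairs) % 2:
        raise ValueError("odd number of attribute fields in %r" % line)
    for attr_id, value in zip(pairs[0::2], pairs[1::2]):
        rec[ATTR_NAMES.get(attr_id, "attr-" + attr_id)] = value
    rec["packet"] = PACKET_TYPES.get(rec.get("Packet-Type"), rec.get("Packet-Type"))
    return rec


def find_reject_bursts(lines, threshold=3, window_seconds=300):
    """Return {user: [(timestamp, reason_code, nas_ip), ...]} for every user whose
    Access-Rejects reach `threshold` inside some `window_seconds` window."""
    rejects = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_ias_record(line)
        if rec["packet"] != "Access-Reject":
            continue
        user = rec.get("User-Name", "<none>")
        rejects[user].append((rec["timestamp"], rec.get("Reason-Code"),
                              rec.get("NAS-IP-Address")))
    flagged = {}
    for user, events in rejects.items():
        events.sort()
        for i in range(len(events)):
            j = i + threshold - 1
            if j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_seconds:
                flagged[user] = events
                break
    return flagged


def analyze_sample():
    """Run the burst detector over the constructed sample log."""
    return find_reject_bursts(SAMPLE_LOG.splitlines(), threshold=3, window_seconds=300)


if __name__ == "__main__":
    for user, events in analyze_sample().items():
        reasons = sorted({reason for _, reason, _ in events})
        print("%s: %d rejects starting %s, reason codes %s, NAS %s"
              % (user, len(events), events[0][0], reasons, events[0][2]))
```

Point the script at a real file with `find_reject_bursts(open(path).readlines())`. Rejects only appear in the file if "Authentication requests" is ticked in the NPS log file properties; if only accounting requests are logged, the Access-Reject records are simply absent and the detector has nothing to work with.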

3. Likewise you can enable debug trace logging via netsh; this provides detailed information about Network Policy Server operation when NAP policies are configured:
netsh ras set tracing * enabled
The output lands in:
%windir%\Tracing\IASNAP.log
This tracing is verbose and keeps growing, so turn it off again with netsh ras set tracing * disabled once you have reproduced the problem.
4. This also enables a slew of other IAS/RAS-related logs in the same folder (IASSAM.LOG, IPSEC, etc.):
%windir%\Tracing\*.log
5. You also have the Event Logs. These provide a lot of information about the operation of NAP and connecting clients, but are used primarily for auditing and troubleshooting connection attempts. Depending upon your build (B3 and RC0 are the Windows Server 2008 Beta 3 and Release Candidate 0 builds), the NPS events are in either the System log (B3) and/or the Security log (RC0). There is also the Network Access Protection event log, which you will find on NAP clients.

6. On the client side we can enable NAP client debug tracing as well. This is turned on either via netsh or via the NAP Client Configuration snap-in. The ETL trace, however, is generated only by using logman, so to start .etl generation you need to run:
logman start QAgentRt -p {b0278a28-76f1-4e15-b1df-14b209a12613} 0xFFFFFFFF 9 -o %systemroot%\tracing\nap\QAgentRt.etl -ets
and stop it with logman stop QAgentRt -ets when you are done.

7. Likewise we can also do WSHA (Windows Security Health Agent) tracing for NAP; the trace provider GUID is 789e8f15-0cbf-4402-b0ed-0e22f90fdc8d, used with the same logman command.

8. DHCP QEC tracing:
netsh dhcpclient trace enable
This command enables QEC tracing; the trace files are generated at %WINDIR%\System32\LogFiles\WMI\DHCP*.*. Use netsh dhcpclient trace disable to turn it off again.
9. EAPHost tracing for 802.1X
Trace logs containing debugging information can help find the root cause of issues that occur during the EAP authentication process. The debugging information can include API calls performed, internal function calls performed, and state transitions performed. Tracing can be enabled on both the client side and the authenticator side. When EAPHost tracing is enabled, the logging information is stored in an .etl file in a location you specify.
10. EAPHost tracing for 802.1X (client side)
To enable tracing on the client side, run:
logman start trace EapHostPeer -o .\EapHostPeer.etl -p {5F31090B-D990-4e91-B16D-46121D0255AA} 0x4000ffff 0 -ets
Reproduce the problem, then stop the trace:
logman stop EapHostPeer -ets
Convert the .etl file into text with:
tracerpt EapHostPeer.etl -pdb <pdbpath> -tp <tracemessagefilesdirectorypath> -o EapHostPeer.txt
The <pdbpath> and <tracemessagefilesdirectorypath> placeholders point at the symbol and trace message format (TMF) files needed to decode the WPP messages; without them tracerpt emits only undecoded event records.
11. EAPHost tracing for 802.1X (authenticator side)
To enable tracing on the authenticator side, run:
logman start trace EapHostAuthr -o .\EapHostAuthr.etl -p {F6578502-DF4E-4a67-9661-E3A2F05D1D9B} 0x4000ffff 0 -ets
Reproduce the problem, then stop the trace:
logman stop EapHostAuthr -ets
Convert the .etl file into text with:
tracerpt EapHostAuthr.etl -pdb <pdbpath> -tp <tracemessagefilesdirectorypath> -o EapHostAuthr.txt
12. Then we have the SCCM-related logging specific to the SCCM SHA and SHV. The Configuration Manager 2007 client log files are found, by default, in %windir%\CCM\Logs. For client computers that are also management points, the log files are found in %ProgramFiles%\SMS_CCM\Logs.
13. Ccmcca.log
This file logs the compliance evaluation performed against the Configuration Manager NAP policy. It also contains the processing of remediation for each software update required for compliance.

14. locationservices.log
This log is used by other Configuration Manager features (for example, information about the
client's assigned site), but it also contains information specific to Network Access Protection when
the client is in remediation. It records the required remediation servers (management point,
software update point, and distribution points that host content required for compliance), which
are also sent in the client statement of health.

15. SMSSha.log
This is the main log file for the Configuration Manager Network Access Protection client, and it
contains a merged statement of health information from the two Configuration Manager
components: location services (LS) and the configuration compliance agent (CCA).
This log file also contains information about the interactions between the Configuration Manager
System Health Agent and the operating system NAP agent, and also between the Configuration
Manager System Health Agent and both the computer compliance agent and location services. It
provides information about whether the NAP agent successfully initialized, the statement of health
data, and the statement of health response.

16. CIAgent.log
This tracks the process of remediation and compliance. However, the software updates log file,
Updateshandler.log provides more informative details on installing the software updates required
for compliance.

17. SDMAgent.log
This log file is shared with the Configuration Manager feature desired configuration management,
and it also contains the tracking process of remediation and compliance. However, the software
updates log file, Updateshandler.log provides more informative details about installing the
software updates required for compliance.
18. On the server side, for the System Health Validator point, first check the Windows Application event log on the Network Policy Server computer. This log records any failure categories and errors with the source SMS_SYSTEM_HEALTH_VALIDATOR; these are also raised as Configuration Manager status messages. More detailed logging information can be found in the Configuration Manager logs; the System Health Validator point log files are located in %systemdrive%\SMSSHV\SMS_SHV\Logs.
19. Ccmperf.log
This log contains information about the initialization of the System Health Validator point performance
counters.

20. SmsSHV.log
This is the main log file for the System Health Validator point. It logs the basic operations of the
System Health Validator service, such as the initialization progress.

21. SmsSHVADCacheClient.log
This log file contains information about retrieving Configuration Manager health state references from
Active Directory Domain Services.

22. SmsSHVCacheStore.log
This log file contains information about the cache store used to hold the Configuration Manager
NAP health state references retrieved from Active Directory Domain Services, such as reading
from the store and purging entries from the local cache store file.

23. SmsSHVRegistrySettings.log
This log is used to record any dynamic changes to the System Health Validator component
configuration while the service is running.
24. SmsSHVQuarValidator.log
This log file records client statement of health information and processing operations. To obtain full information, change the LogLevel registry value from 1 to 0 under the following key:
HKLM\SOFTWARE\Microsoft\SMSSHV\Logging\@GLOBAL
25. <InstallationPath>\Logs\SMSSHVSetup.log
This log file records the success or failure (with failure reason) of installing the System Health
Validator point.
