Best Windows Solutions for Aggregating NPS Server Logs?

Asked By TechyGuru99 On

I'm managing multiple NPS servers for network login and VPN services, and I'm facing challenges with tracking user login issues. I want to aggregate our NPS logs, but while I've tried Windows event log forwarding, I'm struggling with getting it to work with minimal delay. It seems that the logs I can aggregate come in with a couple of minutes of lag, which isn't helpful. Although it's often recommended to forward logs to a SIEM system, most options are Linux-based, and I don't want to take on the hassle of building and maintaining such a solution. Can anyone suggest a solid Windows-based solution for aggregating NPS logs that would let us search through them efficiently? Thanks!

4 Answers

Answered By NetworkNinja On

I've had success with something similar before by using GrayLog alongside a log forwarder on my NPS servers. I used nxlog to ship logs since Windows doesn’t do that natively, but I've also seen SolarWinds offer a free event log forwarder that might give you some added benefits. GrayLog provides great features for shaping and parsing logs, but you might need to know some regex or utilize community templates to get the best out of it.

Answered By SysAdminSavvy On

Honestly, logging on NPS has its flaws. Even if you manage to aggregate the logs into a decent SIEM, there can be many limitations, especially since NPS doesn’t log some failure types properly. If you're not using more than just a couple of NPS servers, it might be worth considering other options beyond NPS itself to enhance your setup.

Answered By LogWizard234 On

You could set up an Elasticsearch instance and use the Windows versions of the 'beats' software like Packetbeat for network traffic, Filebeat for logs, and Auditbeat for handling login and IAM activities. It automates dashboard creation, which could be useful for monitoring.

Answered By RealTimeRanger On

Unfortunately, there’s no special tuning option for Windows event forwarding to achieve real-time logging. It's often hit-or-miss regarding reliability and speed. Like others have suggested, using tools like nxlog or the SolarWinds forwarder to ship raw NPS logs to a centralized location is effective. Just keep in mind that even with aggregation, NPS logging has limitations, especially when it comes to failure reasons. If this logging issue is a frequent occurrence across your sites and domains, it might be a sign that NPS itself is the actual bottleneck.
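Both NetworkNinja's point about shaping and parsing logs once they reach Graylog and RealTimeRanger's point about failure reasons come down to reading the NPS log records themselves. As an added example (not code from any of the answers above), here is a Python parser for NPS accounting logs written in the DTS-compliant XML format (one `<Event>` element per line) that flattens each record and counts Access-Reject outcomes per user and reason across forwarded servers; the sample lines are constructed and the reason-code table is a small assumed subset.

```python
# Added example: parse NPS accounting logs in the DTS-compliant XML format
# (one <Event> per line) and count Access-Reject records per user and reason.
import xml.etree.ElementTree as ET
from collections import Counter

# RADIUS Packet-Type values as NPS writes them in the Packet-Type element.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 4: "Accounting-Request"}
# Small assumed subset of NPS Reason-Code values; extend from the NPS docs.
REASON_CODES = {0: "success", 16: "credentials mismatch",
                48: "no matching network policy"}

def _sample(server, user, ip, ptype, reason):
    """Build one constructed DTS-style line (sample data only, not real output)."""
    return (f'<Event><Timestamp data_type="4">01/15/2024 08:00:01.000</Timestamp>'
            f'<Computer-Name data_type="1">{server}</Computer-Name>'
            f'<User-Name data_type="1">{user}</User-Name>'
            f'<Client-IP-Address data_type="3">{ip}</Client-IP-Address>'
            f'<Packet-Type data_type="0">{ptype}</Packet-Type>'
            f'<Reason-Code data_type="0">{reason}</Reason-Code></Event>')

# Constructed sample: one accept, two rejects for jdoe across two servers,
# one policy-mismatch reject, and a non-XML line a forwarder might prepend.
SAMPLE_LOG = "\n".join([
    _sample("NPS01", "CONTOSO\\asmith", "10.0.0.5", 2, 0),
    _sample("NPS01", "CONTOSO\\jdoe", "10.0.0.5", 3, 16),
    _sample("NPS02", "CONTOSO\\jdoe", "10.0.0.7", 3, 16),
    _sample("NPS02", "CONTOSO\\contractor", "10.0.0.9", 3, 48),
    "# header line written by a forwarder",
])

def parse_event(line):
    """Flatten one DTS log line into a dict; returns None for non-event lines."""
    line = line.strip()
    if not line.startswith("<Event>"):
        return None
    fields = {child.tag: child.text for child in ET.fromstring(line)}
    ptype = int(fields.get("Packet-Type", -1))
    reason = int(fields["Reason-Code"]) if "Reason-Code" in fields else None
    return {"timestamp": fields.get("Timestamp"), "nps_server": fields.get("Computer-Name"),
            "user": fields.get("User-Name"), "client_ip": fields.get("Client-IP-Address"),
            "packet_type": PACKET_TYPES.get(ptype, f"unknown({ptype})"),
            "reason_code": reason,
            "reason": None if reason is None else REASON_CODES.get(reason, f"unknown({reason})")}

def reject_summary(log_text):
    """Count Access-Reject records per (user, reason) across all forwarded servers."""
    counts = Counter()
    for ev in filter(None, map(parse_event, log_text.splitlines())):
        if ev["packet_type"] == "Access-Reject":
            counts[(ev["user"], ev["reason"])] += 1
    return counts
```

Point `reject_summary` at the concatenated log files your forwarder collects and the (user, reason) counts surface repeated credential failures per account without a regex template on the Graylog side.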
