I'm wondering if there is a specific format for the "Class" attribute in Windows NPS logs.
Specifically, I'm looking at logs from Windows Server 2019 which are under %SystemRoot%\System32\LogFiles\NPS and have the filename format of INYYMMDD.log (e.g. IN230317.log).
I understand the logs for the most part, especially with help from:
Microsoft's "Interpret IAS Format Log Files" and
DEEPSOFTWARE's "List of ias attributes"
The part I'm having trouble understanding is the ID 25, which maps to Attribute "Class":
25,311 1 10.10.42.17 02/26/2023 01:41:56 10438
The IP address is the server's own and I can see a date and time but this specific log is from March 23rd, 2023. Every log line in this specific file has the same date so I suppose it could be the last time the service was started but that's just a guess.
From looking through the "Client-Vendor" attributes via the DEEPSOFTWARE site it's indicating that 311 is Microsoft, which makes sense.
While I'm writing this I looked a bit closer at the "10438" and it seems to be a unique ID for each two entries, it increases sequentially.
So perhaps I've answered my own question... except for the "1" -- does anyone know what it means? Every line seems to contain it.
