Using Monitoring, Alerting, Logging, and Reporting Functions


In this section, we discuss how you can monitor ISA Server alerts and logging and generate reports using the ISA Management Console.

Creating, Configuring, and Monitoring Alerts

ISA Server allows real-time monitoring of all alerts that occur on any of the servers in an array. This feature is useful in troubleshooting problems and assessing activity and usage.

Viewing Alerts

You can view the alerts by selecting Monitoring | Alerts under the Server or Array object and viewing the alerts in the right detail pane, as shown in Figure 24.35.

Figure 24.35: Viewing Alerts That Occurred on the ISA Server or Array

You will see, displayed in the detail pane, the server on which each event occurred, the alert type, the date and time of first occurrence, and a description of the event. Remember that this is where you view the alerts; they are configured using the Alerts object under the Monitoring Configuration object, further down in the tree.

Creating and Configuring Alerts

To create and configure a new alert, right-click the Monitoring Configuration | Alerts object, and select New | Alert. The New Alert Wizard will ask you for the following information:

  • A name for the new alert

  • An event or condition that will trigger the alert

  • An action to be performed when the alert is triggered

Trigger Events

You can select from the following events to trigger the alert:

  • Alert action failure

  • Cache container initialization error

  • Cache container recovery complete

  • Cache file resize failure

  • Cache initialization failure

  • Cache restoration completed

  • Cache write error

  • Cached object ignored

  • Client/server communication failure

  • Component load failure

  • Configuration error

  • Dial-on-demand failure

  • DNS intrusion

  • Event log failure

  • Intrusion detected

  • Invalid dial-on-demand credentials

  • Invalid ODBC log credentials

  • IP packet dropped

  • IP protocol violation

  • IP spoofing

  • Log failure

  • Missing installation component

  • Network configuration changed

  • No available ports

  • Operating system component conflict

  • Oversize UDP packet

  • POP intrusion

  • Report summary generation failure

  • Resource allocation failure

  • Routing (chaining) recovery

  • Routing (chaining) failure

  • RPC filter—connectivity changed

  • Server publishing failure

  • Server publishing recovery

  • Service initialization failure

  • Service not responding

  • Service shutdown

  • Service started

  • SMTP filter event

  • SOCKS configuration failure

  • The server is not in the array's site

  • Unregistered event

  • Upstream chaining credentials

  • WMT live stream-splitting failure

Additional Conditions

Some of these event triggers allow you to select an additional condition. For example, if you select intrusion detection as the event that will trigger the alert, you will also be asked to select whether the alert will be triggered by any intrusion or by a specific intrusion type (see Figure 24.36).

Figure 24.36: Some Events Allow You to Specify Additional Conditions to Trigger the Alert

The ISA Server's alert service acts as an event filter, recognizing when events occur, determining whether configured conditions are met, and seeing that the chosen action(s) occurs in response.

Note

You can configure the alert for the entire array, or you can limit the event to a specific server in the array.

Once configured, you can enable or disable an alert by checking or unchecking the Enable check box on the General tab of its Properties sheet. To do so, you can right-click the alert name in the detail pane when you have selected Alerts under Monitoring Configuration, and choose Properties in the right context menu.

Additional Configuration Specifications

You can also specify the following:

  • Event frequency threshold (how many times per second the event must occur in order to issue an alert)

  • Number of events that must occur in order to issue an alert

  • Length of time to wait before issuing an alert a second or subsequent time

To set these specifications, right-click the alert you want to configure, and select Properties, then select the Events tab.

Actions to Be Performed When an Alert Is Triggered

You can choose from the following actions to be performed when a triggering event occurs and the conditions are met for issuing an alert:

  • Send an e-mail message

  • Run a program

  • Report the event to a Windows event log

  • Stop selected ISA Server services

  • Start selected ISA Server services

You can select one or more of these actions, as shown in Figure 24.37.

Figure 24.37: You Must Select at Least One Action to Be Performed When an Alert Is Triggered

If you elect to send an e-mail message, you will be prompted to provide addressing information for sending the e-mail message, including the SMTP server and the From, To, and CC fields. You can send e-mail to multiple recipients by separating the addresses with semicolons in the To or CC field.

Note

If you want to send an e-mail message to a client using an external SMTP server (outside the local network) by specifying an external IP address, you need to create a static packet filter to allow the SMTP protocol. Another way to send a message to an external mailbox is to specify the internal IP address of an SMTP server on the local network that is capable of relaying to an external address.

If you elect to run a program, you will be prompted to enter the path to the program you want to run. You also need to specify whether the credentials of the Local System account or a different user account should be used. If you choose the latter, you must enter the user account name and password; otherwise, the program runs in the context of the Local System account.

If you elect to stop or start selected ISA Server services, you will be prompted to select the services that should be stopped or started. You can choose from one or more of the following: the firewall service, the scheduled content download, or the Web proxy service.

Refreshing the Display

The Alerts display is automatically refreshed on a periodic basis by default. (You will see the screen flicker when the display is updated.) You can force an immediate refresh or control the refresh rate by right-clicking the Alerts object under Monitoring. Select Refresh to immediately refresh the display, or select Refresh Rate to change the rate at which the display is updated. You can choose a high, normal, or low refresh rate. By default, this setting is Normal.

You can also elect to Pause the refresh if you do not want the display to be updated.

Event Messages

A number of event messages are related to ISA Server alerts. For example, message ID 14033 indicates that alert notification did not start and alerts are limited to event reporting. You will be advised to restart the ISA Server Control Service and to restart the firewall and Web proxy services because they are dependent on the Control Service.

A full listing of ISA event messages is available in the ISA Server Help files. (In the Help Index, search for Alerts, Alert event messages (list)).

Monitoring Sessions

You can view the sessions that are active by selecting the Sessions object in the left console pane of the ISA MMC; information about current sessions will appear in the right detail pane, as shown in Figure 24.38.

Figure 24.38: View the Current Active Sessions in the Right Detail Pane of the ISA MMC

The Sessions display can be refreshed or the refresh rate set, in the same manner as that previously described for the Alerts display.

Session Information

Information available for each session includes:

  • The server name

  • The session type (Web or firewall)

  • Username (for authenticated sessions; SecureNAT sessions are displayed as firewall sessions, with no username shown)

  • Client computer (computer name for authenticated sessions or IP address for SecureNAT sessions)

  • Client address

  • Date and time of activation

Note

Web proxy sessions show the last minute of Web browser activity, even if the client is not browsing at the time you view the display.

Firewall sessions may be listed even when no firewall clients are actually connected, because ISA Server shows a server that is currently being published as a firewall session.

Disconnecting Sessions

You can disconnect a client session via the ISA Management Console. First, you must ensure that the Advanced option is checked in the View menu (by default, it is not).

To disconnect a session, right-click the session in the detail pane, and then from the right context menu, select Abort Session. This action disconnects the selected session, with no warning or notification to the client.

Using Logging

You can configure and generate logs in standard data formats for the following ISA Server components:

  • Packet filters

  • Firewall service

  • Web proxy service

When your ISA servers belong to an array, logging is configured for the entire array, but log files are created on every ISA server that is a member of the array. The logs can be created on a daily, weekly, monthly, or yearly basis and saved to a file or logged directly to a database.

Firewall logging is critical if you are trying to establish any patterns of a break-in. For example, you can log who is trying to come in from the outside to your DMZ, or who is merely scanning your network. Moreover, some IT departments are more draconian than others: they care not only about who is coming in from the outside, but also about where people on the inside are going to (porn sites, and so forth).

Logging to a File

You can save ISA log data to a file in a directory that you specify. The files can be opened in a text editor or imported to a spreadsheet or database program.

Specifying a Log File Directory Location

There are two ways in which you can specify the directory to which the log file should be saved.

  • Save to a relative path: If you specify a relative path, the log will be saved in a folder named ISALogs in the ISA Server installation folder, which, by default, is named Microsoft ISA Server and is placed in the Program Files directory on the boot partition (the partition containing the system root folder in which the Windows 2000 operating system files reside, normally named WINNT).

  • Save to an absolute path: If you specify an absolute (full) path, that path must exist on every server that belongs to the array. If it does not, the ISA Server services will fail.

Selecting a Log File Format

When you choose to save ISA logs to a file, you can select one of the following formats:

  • W3C: Tab-delimited file that includes, along with the data itself, directives that describe the version, date, and logged fields (date and time are shown in GMT rather than local time). Unselected fields are not logged.

  • ISA: Comma-delimited file that contains only data. No directives are included, and all fields are always logged (unselected fields contain a dash to flag them as empty). Note that date and time in ISA format are shown in local time.

    Note

    Log files can be compressed to save disk space if they are saved on an NTFS-formatted partition. Microsoft recommends that you always store log files on an NTFS partition, which also allows you to configure NTFS permissions for the files.

Logging to a Database

A second way to save ISA log data is to log it to an Open Database Connectivity (ODBC) database. ODBC is a programming interface that allows various programs to access the data in systems using Structured Query Language (SQL). Programs use SQL to obtain information from or update information in a database, using a command (query) language that allows users to locate, access, and insert data.

Database programs such as Access, dBase, and FoxPro support ODBC, and ODBC connectivity is provided by "back-end" client/server database solutions such as Microsoft SQL Server and Oracle.

In the context of this book, ODBC is a means for providing access, from an ODBC-compliant application such as Excel, to any data that is stored in an ODBC-compliant database server, such as SQL Server. The ODBC driver translates the application's queries into commands that can be understood by the target database application.

You can find a wealth of information about ODBC at the Microsoft Universal Data Access Web site at www.eu.microsoft.com/data/.

Note

Logging to a database is unnecessary when you have SQL's Data Transformation Services (DTS) to move the data from the log files into database tables on a scheduled, automated basis. Logging to a database is not the best practice from a performance standpoint.

Using Scripts

Several sample scripts are included with ISA Server; you can use these scripts as templates to create log databases. Scripts for logging to a SQL database file are contained in the \ISA folder on the ISA Server CD-ROM. The script files include the following:

  • Pf.sql: Used to define the packet filter log table (PacketFilterLog).

  • W3proxy.sql: Used to define the Web proxy service log table (WebProxyLog).

  • Fwsrv.sql: Used to define the firewall service log table (FirewallLog).

Configuring ISA Server for Database Logging

After you create the log table(s), follow these steps to configure the ISA server to use the data source name:

  1. Select Start | Programs | Administrative Tools | Data Sources (ODBC) on the ISA server.

  2. Select the System DSN tab. It is important to select the correct DSN, because choosing the wrong data source is a common mistake.

  3. Click the Add button.

  4. Select the applicable database driver in the Create New Data Source dialog box (for example, the Microsoft Access driver selected in Figure 24.39). You will be prompted for information needed to create the database.

    Figure 24.39: Install the Appropriate ODBC Driver to Set Up a Data Source

You will be required to enter a data source name, or DSN. Note that you cannot use spaces in the name. If you do so, the ISA Server services will stop.

Configuring Logging

To configure logging to either a file or a database, select Logs under the Monitoring Configuration object in the left console pane of the ISA MMC. The three ISA components for which logs can be generated (packet filters, firewall service, and Web proxy service) will appear in the right detail pane. Right-click the service for which you want to log data, and select Properties. You can configure logging using the Properties sheet, as shown in Figure 24.40.

Figure 24.40: Logging Is Configured Via the Properties Sheet for the Service for Which Data Will Be Logged

Select whether to log to a file or a database, and then configure the parameters for the selected option. If you log to an ODBC database, you need to set the user account and password to be used, and these must have the appropriate permissions.

Logging Options

If you log to a file, you can access the Options configuration sheet by clicking the Options button. This allows you to specify the following:

  • Log file location: The default location is the ISALogs folder in the ISA Server installation folder, but you can type in the path or browse to another folder in which you want to save the log file.

  • Compress log files: Compression is enabled by default.

  • Limit the number of log files: The default is 7, but you can enter any number up to 999,999,999.

Selecting Fields to Be Logged

Click the Fields tab and select the fields that should be logged by checking the appropriate check boxes. For packet filter logging, you can choose to log the fields shown in Table 24.1. For firewall service logging, you can choose to log the fields shown in Table 24.2. For Web proxy service logging, fields available are generally the same as in Table 24.2, with the exceptions of the sessionid and connectionid fields.

Table 24.1: Log Field Options: Packet Filters

Field Name           Information in Field
PFlogDate            Date
PFlogTime            Time
SourceAddress        Source IP address
DestinationAddress   Destination IP address
Protocol             Protocol
Param#1              Source port, or protocol type if ICMP
Param#2              Destination port, or protocol code if ICMP
TcpFlags             TCP flags
Interface            IP address of interface
IPHeader             Header
Payload              Payload

Table 24.2: Log Field Options: Firewall Service

Field Name           Information in Field
c-ip                 Client IP address
Cs-username          Client user account name
c-agent              Client agent
Sc-authenticated     Authorization status
Date                 Date
Time                 Time
s-svcname            Service name
s-computername       Computer name
Cs-referred          Referring server name
r-host               Destination host name
r-ip                 Destination IP address
r-port               Destination port
Time-taken           Processing time
Cs-bytes             Number of bytes sent
Sc-bytes             Number of bytes received
Cs-protocol          Protocol name
Cs-transport         Transport used
s-operation          Operation
Cs-uri               Object name
Cs-mime-type         Object MIME
s-object-source      Object source
Sc-status            Result code
s-cache-info         Cache information
Rule#1               Rule #1
Rule#2               Rule #2
Sessionid            Session identification
Connectionid         Connection identification
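As an added example (not code from the book or from ISA Server), the following Python reads both log file formats described above (W3C tab-delimited with directives, ISA comma-delimited with every field present) using the field names from Tables 24.1 and 24.2, and pulls out the two event kinds a security report lists: failed authentications and dropped packets. The sample log lines are constructed; the use of Sc-authenticated = N and Sc-status 401/407 to spot failed authentications, and the premise that every packet filter record is a dropped packet (logging of allowed packets off), are assumptions.

```python
"""Parser for the two ISA Server log file formats (W3C tab-delimited with
directives, ISA comma-delimited with every field present) and a summary of
the events a security report lists.  Added example; sample lines are
constructed, not real ISA Server output."""
from collections import Counter

# Constructed W3C-format Web proxy log.  Directives give version, date and the
# selected fields; field names are those of Table 24.2, lower-cased here.
# Times in W3C format are GMT.  A dash marks an empty value.
W3C_SAMPLE = """#Version: 1.0
#Date: 2003-05-01 08:00:00
#Fields: c-ip cs-username sc-authenticated date time r-host r-port sc-status
10.0.0.5\tDOMAIN\\alice\tY\t2003-05-01\t08:01:10\twww.example.com\t80\t200
10.0.0.9\t-\tN\t2003-05-01\t08:01:12\twww.example.com\t80\t407
10.0.0.9\t-\tN\t2003-05-01\t08:01:13\twww.example.com\t80\t407
10.0.0.7\tDOMAIN\\bob\tY\t2003-05-01\t08:02:00\tintranet\t443\t200
"""

# ISA format carries no #Fields directive, so the reader must know the field
# order.  This is the packet filter order from Table 24.1.
PF_FIELDS = ["PFlogDate", "PFlogTime", "SourceAddress", "DestinationAddress",
             "Protocol", "Param#1", "Param#2", "TcpFlags", "Interface",
             "IPHeader", "Payload"]

# Constructed ISA-format packet filter log (local time; '-' = empty field).
# Assumption: only dropped packets are logged, so every line is a drop.
PF_SAMPLE = """2003-05-01,03:01:11,192.0.2.10,203.0.113.5,TCP,4321,23,S,203.0.113.5,-,-
2003-05-01,03:01:14,192.0.2.10,203.0.113.5,TCP,4322,139,S,203.0.113.5,-,-
2003-05-01,03:01:20,198.51.100.8,203.0.113.5,ICMP,8,0,-,203.0.113.5,-,-
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields
    directive.  Only the fields that were selected for logging appear."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Version and #Date carry no records
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def parse_isa(text, fields):
    """Yield one dict per line of an ISA-format log.  All fields are always
    present, so the caller supplies their order; '-' becomes None."""
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split(",")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def auth_failures(records):
    """Count requests that failed to authenticate, per client IP.
    Assumption: sc-authenticated is 'N' for unauthenticated requests and
    sc-status 401/407 is the HTTP authentication challenge."""
    failures = Counter()
    for r in records:
        if r.get("sc-authenticated") == "N" or r.get("sc-status") in ("401", "407"):
            failures[r["c-ip"]] += 1
    return failures


def dropped_packets(records):
    """Summarise packet filter records by source, protocol and destination
    port (or ICMP code, which is what Param#2 holds for ICMP)."""
    drops = Counter()
    for r in records:
        drops[(r["SourceAddress"], r["Protocol"], r["Param#2"])] += 1
    return drops


def port_scanners(records, min_ports):
    """Return {source: distinct TCP/UDP destination ports} for sources whose
    dropped packets hit at least min_ports different ports, the pattern of
    the outside scan the logging section mentions."""
    ports = {}
    for r in records:
        if r["Protocol"] in ("TCP", "UDP"):
            ports.setdefault(r["SourceAddress"], set()).add(r["Param#2"])
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print("authentication failures:", dict(auth_failures(parse_w3c(W3C_SAMPLE))))
    print("dropped packets:", dict(dropped_packets(parse_isa(PF_SAMPLE, PF_FIELDS))))
    print("possible scans:", port_scanners(parse_isa(PF_SAMPLE, PF_FIELDS), 2))
```

Because the W3C file stamps GMT and the ISA file local time, correlate the two only after converting one of them; the sample above places the same morning at 08:01 GMT and 03:01 local.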

Generating Reports

ISA Server's report functionality allows administrators to use the information recorded in the log files to create summary databases and combine relevant summary databases into a single report database. All of these databases are stored on the ISA server's hard disk. Reports can be generated on a periodic basis and saved to a specified folder.

Note

When you generate a report on an ISA server, it can be read only on that same computer. You cannot view it from another ISA Server computer's management console, even if the other server is in the same array.

Creating Report Jobs

You can create a report job by right-clicking Report Jobs under the Monitoring Configuration object, selecting New, and then selecting Report Job. This sequence displays the Report Job Properties sheet, shown in Figure 24.41.

Figure 24.41: A Name and Description for the Report Job Are Specified Via the General Tab

Configuring General Properties

On the General tab of the Properties sheet, you must specify a name for the report job. The default name is Report Job. The name must be unique; if it is not, you will receive a message from the ISA Report Generator informing you that the name already exists, and you will not be allowed to create the report job until you choose a new name. You can also provide a description of the job; this field is optional.

The report job is enabled by default when you create it. You can disable it later by accessing the Properties sheet (right-click on the report job name in the right detail pane) and unchecking the Enabled check box.

Note

The check box shown here enables reporting. You must also ensure that logging is enabled for the relevant ISA component(s), or there will be no meaningful data from which a report can be generated. A report job can still be created and a report will be generated, but it will contain no current data.

Configuring the Reporting Period

You can elect to have a report generated on a daily, weekly, monthly, or yearly basis or for a custom period. First, select a reporting period on the Period tab of the Properties sheet, shown in Figure 24.42. You also need to configure the Schedule tab, as shown in the next section, if you want the report to be generated on a recurring basis.

Figure 24.42: Configure the Reporting Interval by Selecting the Period Tab on the Properties Sheet

The report period configuration determines the period each report covers. The Daily option generates a report that covers the previous day's activity, the Weekly option covers the previous week's activity, and so forth. When you select the Custom option, you are prompted to choose a starting and ending date from a drop-down calendar.

Configuring the Reporting Schedule

Using the Schedule tab of the Properties sheet, you can specify when report generation should begin. By default, it is set to begin immediately on successful creation of the report job, but you can select a specific date and time using the drop-down boxes, as shown in Figure 24.43.

Figure 24.43: The Schedule Tab Allows You to Set a Start Time and a Recurrence Pattern

The Schedule tab is also used to specify the recurrence pattern for report generation. You can elect to have the report generated only one time or to recur every day, on specified days, or once per month on a specific day of the month.

Configuring Report Job Credentials

You need to supply a username and password to run the report job. The user account must have permission to access report information for the server(s) relevant to the report job. You can create a report job on a local stand-alone ISA server without providing credentials. However, if you attempt to do so on a remote server or array, you will receive the message box shown in Figure 24.44, notifying you that you must provide credentials to run the job.

Figure 24.44: You Must Provide the Appropriate Credentials to Run a Report Job on a Report Computer or Array

To provide credentials for running the report job, enter the user account name (or browse for it in the Directory by clicking the Browse button), the domain name to which the user account belongs, and the password on the Credentials tab of the Properties box shown in Figure 24.45.

Figure 24.45: Enter a User Account Name, Domain, and Password to Run the Report Job

Note

The user account must have the proper permissions to run reports. By default, Domain Administrators have this permission, as does any user who is a member of the local Administrators group on every ISA server computer in the array.

Viewing Report Job Information

Once the report jobs have been created, they appear in the right detail pane when you select the Report Jobs folder, as shown in Figure 24.46.

Figure 24.46: Information about Each Configured Report Job Appears in the Right Detail Pane

The following information about each report job will be displayed:

  • The name of the job

  • The scheduled start date and time

  • The next run time (if it is a recurring job)

  • The ready status

  • The result of the last attempt to run the job

Note

When you select a start time other than "Immediately" on the Schedule tab of the Properties sheet, the time is shown in 24-hour clock format. However, in the detail pane, that information is shown in AM/PM format. Thus, if you choose 19:00 as the start time on the Schedule tab, it will be displayed in the detail pane as 7:00 PM.

You can go back and change the configuration properties of a report job by double-clicking it (or right-clicking it and selecting Properties) and accessing its Properties sheet.

Viewing Generated Reports

The reports themselves are accessed via the Reports folder under the Monitoring object near the top of the left console tree, as shown in Figure 24.47.

Figure 24.47: The Reports That Have Been Generated Are Accessed from the Reports Folder

Note that all reports appear in the right detail pane when you select the Reports folder. You also see five categories of predefined reports sorted into the following folders:

  • Summary reports

  • Web usage reports

  • Application usage reports

  • Traffic and utilization reports

  • Security reports

Reports are displayed in the Web browser and can be saved as .HTM (Web page) files. Let's take a look at what each of these includes.

Summary Reports

The summary reports present network usage data sorted according to application. Network administrators can use these reports to plan or evaluate Internet connectivity issues. An example of a summary report for an array is shown in Figure 24.48.

Figure 24.48: Summary Reports Include Data from the Web Proxy and Firewall Service Logs Pertaining to Network Usage

The information in the summary reports combines data collected from both the Web proxy service and firewall service logs. Logging for these services must be enabled to generate a meaningful summary report.

Web Usage Reports

Web usage reports use the Web proxy service logs to provide information about the following:

  • Top Web users

  • Web sites that have generated the greatest amount of traffic

  • Protocols used for Web traffic

  • Responses to HTTP requests (success, authorization failure, object not found, object moved, and other)

  • Types of objects delivered by the ISA server (.DLL files, .HTML files, .EXE files, etc.)

  • Web browser types used to connect to the Internet through the ISA server (browser name and version number)

  • Operating systems used to access the Internet through ISA Server (Windows 2000, Windows NT 4.0, Windows 98, etc.)

An example of a Web usage report is shown in Figure 24.49.

Figure 24.49: Web Usage Reports Contain Information Collected from the Web Proxy Service Log Files

The Web usage reports can be used to evaluate how the Web is used in your organization, which could be useful to network administrators in planning for Internet connectivity and capacity and for managers setting policies to govern use of the Web.

Application Usage Reports

Application usage reports are based on the information collected by firewall service logging. The following information is provided:

  • Communications protocols used for network traffic going through the ISA server

  • Top application users (by IP address)

  • Client applications that have generated the largest amount of network traffic during the report period

  • Operating systems used on computers that have accessed the Internet

  • Top destination computers (by IP address) with which internal users have communicated through the ISA server

An example of an application usage report is shown in Figure 24.50.

Figure 24.50: Application Usage Reports Are Based on Information Collected in the Firewall Service Logs

Application usage reports can help you plan for network and bandwidth capacity and determine the external network destinations that are creating the greatest amount of network traffic.

Traffic and Utilization Reports

The traffic and utilization reports use data from both the Web proxy and the firewall service logs to provide information such as the following:

  • Communication protocols used

  • Summary of traffic going through the ISA server, by date

  • Cache performance data, showing the objects returned from the Internet, objects returned from cache with verification, objects returned from cache after verification that they had not changed, and objects returned from the Internet to update a file in cache

  • Information on the peak number of simultaneous connections each day

  • Information on the average request processing time each day

  • Chart summarizing average network traffic flow through the ISA server each day

  • Errors reported by ISA Server in attempting to communicate with other computers, broken into Web proxy and firewall service error categories

An example of a traffic and utilization report is shown in Figure 24.51.

Figure 24.51: The Traffic and Utilization Reports Combine Information from the Web Proxy and Firewall Service Logs

The traffic and utilization report information is useful for monitoring network capacity and planning bandwidth policies.

Security Reports

The security reports, as the name implies, provide information related to possible breaches of network security. Security reports use information from the Web proxy and firewall service logs as well as the packet filter log files. An example of a security report is shown in Figure 24.52.

Figure 24.52: Security Reports Can List Authorization Failures and Other Security-Related Events Recorded in the Web Proxy Service, Firewall Service, and Packet Filter Logs

The security report shown in Figure 24.52 lists instances in which users or computers failed to authenticate to the ISA server and users for whom network packets were dropped.

Configuring Sort Order for Report Data

You can determine the order in which report data is sorted by right-clicking the report type (Summary, Web Usage, Application Usage, Traffic & Utilization, and Security) in the left console pane under Reports and selecting Properties from the context menu. On the Properties sheet shown in Figure 24.53, you can select the option that you want to use to sort the report data.

Figure 24.53: Select the Option to Use to Sort Report Data in the Report Type Properties Sheet

On the Top Users tab, you can select from the following: Requests, Bytes In, Bytes Out, or Total Bytes. On the Top Web Sites tab, you can sort by the same four options, and you have a fifth option: Users. On the Cache Hit Ratio tab, you have only two options for sorting order: Requests and Bytes.

After you configure the sort order, the data in the report will be sorted according to your criteria the next time you view the report.

Saving Reports

You can save reports in one of two file formats for later viewing or to a removable disk to be viewed on another machine.

  • Saving Reports in .HTM format: Reports can be saved as hypertext document files (.HTM) by selecting the report type under Reports in Monitoring in the left console pane, right-clicking the report name, and selecting Save as in the context menu.

  • Saving Reports in .XLS format: You can save a report as an Excel spreadsheet file (.XLS) by selecting Reports and right-clicking the report name in the right console pane, then selecting Save as.

  • Providing Information for Saving Reports: To save as .HTM, you access the report from the applicable report type folder; to save as .XLS, you access the report from the Reports folder. Either way, you will be asked to select a location in which to save the file and to enter a filename (the default filename is the name of the report displayed in the right detail pane).

    Note

    In order to save the report in .XLS format, you must have Excel installed on the ISA server computer. Otherwise, this option will not appear.

Configuring the Location for Saving the Summary Database

You can specify the location in which the daily and monthly summaries database is to be stored. Right-click Report Jobs in the left console pane under Monitoring Configuration, and select Properties in the right context menu. On the Log Summaries tab, shown in Figure 24.54, check the box to enable daily and monthly summaries.

Figure 24.54: Set a Location for Saving Daily and Monthly Summaries, and Specify the Number of Each That Should Be Saved

You can set the location for saving the summary database. You have two options:

  • Save the summaries in the ISA Summaries subdirectory, in the directory to which ISA Server is installed on the local computer (this is the default).

  • Save the summaries in a different location by choosing Other folder and typing a path or browsing for a folder by clicking the Browse button.

You can also specify how many daily summaries and how many monthly summaries are to be saved. You can specify a minimum of 35 and a maximum of 999 daily summaries, and a minimum of 13 and a maximum of 999 monthly summaries. Summary files are saved with the .ILS extension (see Figure 24.55).

Figure 24.55: Summary Files Are Saved by Default in the ISA Summaries Folder with an .ILS File Extension

Note

The ISALogs, ISAReports, and ISASummaries directories are located on each server in the array in the Microsoft ISA Server installation folder.

The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240