Most of the monitoring and logging functionality in ISA Server is provided in the Monitoring node of the Console tree, as shown in Figure 19.1.
Figure 19.1. Viewing the ISA Monitoring node.
This node is the jumping-off point for the individual ISA monitoring and logging activities, and includes tabs in the Details pane for activities such as setting alerts, generating reports, monitoring sessions and services, and logging traffic. Before delving into the capabilities of each of these tools, it is important to properly set up the ISA Server Monitoring environment, using a best practice approach.
Delegating ISA Monitoring Settings
In addition to the ISA Full Administrator, ISA Server 2004 also provides for unique roles that provide for unique monitoring capabilities. These roles are as follows:
If administration of the monitoring aspect of ISA Server is required, then it becomes necessary to delegate these roles to individual users or, preferably, groups. To delegate control of ISA extended monitoring to a group, for example, follow these steps:
Understanding the ISA Advanced Logging Service
ISA Server 2004 logging is comprised of three unique types of logs as follows:
Each one of these logging services is independently controlled and can be enabled and configured differently.
In general, it is best practice to configure ISA logs to reside on a separate logical drive from the operating system, but it is not required. There is no effective performance increase from having them on a separate physical drive.
The logs themselves can be stored in three unique formats, as shown in Figure 19.3 and listed as follows:
Figure 19.3. Exploring ISA logging options.
For the most advanced logging, either the MSDE or the SQL database logging component must be configured properly.
Installing the ISA Advanced Logging Service
If not already installed on an ISA Server (it is one of the default installation options), ISA Server 2004 advanced logging can be set up via the Add/Remove programs process on an ISA Server. Simply insert the ISA media and perform the following process:
Configuring Firewall Logging
Firewall logging can be enabled and configured on the ISA Server through the Logging tab in the Details pane of the ISA Monitoring Node. For example, the following step-by-step procedure enables ISA Firewall Logging to write up to 10GB of firewall logs to the D:\drive, and to enable logging of all potential fields.
Configuring Web Proxy Logging
Web Proxy logging is very similar to Windows Firewall logging, but deals specifically with logging requests made from Web Proxy clients, whereas the firewall logs deal with SecureNAT clients. The same options exist for configuring Web Proxy logging, and the same basic procedure applies.
Configuring SMTP Screener Logging
The SMTP Screener Logging component is unique among the three logging types in that it cannot take advantage of SQL or MSDE logging. SMTP logging with ISA Server 2004 must be done in a text file format, such as W3C format. In addition, the number of fields available to log from, shown in Figure 19.6, is much smaller than the number from the Web Proxy or Firewall logging options.
Figure 19.6. Configuring SMTP Screener Logging components.