Logs


ISA Server creates logs to gather all activity that takes place with the firewall service, Web proxy service, and SMTP message screener. These logs are the source of the reports generated in the next section entitled "Reports," and you can use them for further analysis and troubleshooting. Table 6-4 illustrates the log types available in ISA Server and points out the supported log formats for each.

Table 6-4: ISA Server Log Types
Open table as spreadsheet

Log Type

Description

Supported Log Formats

Firewall Logging

Log details from the Microsoft Firewall service.

SQL, MSDE, File

Web Proxy Logging

Log details from the Web proxy service.

SQL, MSDE, File

SMTP Message Screener Logging

Log details from the SMTP Message Screener.

File

Configuring Logging to an SQL Server Database

Logging to a database adds extra flexibility, especially for administrators managing ISA Server in a large enterprise environment. If you centrally store all the log file data from one or more ISA servers into a single database, such as Microsoft SQL Server, you greatly improve your ability to quickly query information you need to discover.

If you log to a separate SQL Server computer, the ISA Server performance will degrade, as every request must be logged, so plan your network capacity accordingly. The internal network adapter might become congested, and in high-traffic situations the ISA server can stop logging, and therefore will stop servicing clients.

Use MSDE to log with ISA Server to maximize performance. If you do connect to an SQL Server computer, be sure that network capacity between the ISA server and SQL Server computer is 100 Mbps for up to three array members, and 1 GB for more than four array members.

To configure logging to a SQL database, follow these steps:

  1. Open the ISA Server Management console.

  2. In the console tree, click the Monitoring node.

  3. In the details pane, click the Logging tab.

  4. In the task pane, under Logging Tasks, click Configure Firewall Logging. Whether you are configuring firewall logging, Web proxy logging, or SMTP message screener logging, the following steps are consistent and Figure 6-6 is identical.

  5. In the Firewall Logging Properties dialog box, on the Log tab, select SQL Database as shown in Figure 6-6.

    Note 

    The ODBC logging option is only available with ISA Server 2004 Standard Edition; Enterprise Edition replaces ODBC with the improved SQL logging layer. The ODBC option will most likely not be available in future versions of ISA Server.

  6. In the ODBC Data Source Name (DSN) DSNtext box, type the name of the DSN.

  7. In the Table Name text box, type the name of your table.

  8. Click Set Account, type the user name and password of an account with permissions to write to the database, and click OK.

    Note 

    If your logging configuration isn't working, check your System Policies. You may need to update the Remote Logging configuration group in the System Policy.

  9. Click Apply to save the changes, and then click OK.

    This process covers only the simplest configuration—if you run into any problems, see the additional configuration and troubleshooting articles referenced in the appendix at the end of this book.

image from book
Figure 6-6: Logging to an SQL database requires a predefined ODBC Data Source Name (DSN), a data table, and an account with appropriate permissions.

Configuring Logging to MSDE

New to ISA Server 2004 logging is the ability to log to the Microsoft Desktop Engine (MSDE 2000). Firewall and Web proxy logging use this logging configuration by default. It is beneficial for those who prefer not to log to a file, but who do not have a SQL server available for this purpose. MSDE databases can grow no larger than 2 GB in size. If the log data begins to exceed 2 GB, ISA Server automatically creates a new database.

Of course, ISA Server creates a new database file every day in any case. ISA Server's log viewer can see data from more than one database, but if you pull information using third-party tools, you'll need to address consolidating data from multiple logs.

To log to an MSDE database, complete the following steps:

  1. Open the ISA Server Management console.

  2. In the console tree, click the Monitoring node.

  3. In the details pane, click the Logging tab.

  4. In the task pane, under Logging Tasks, click Configure Firewall Logging.

  5. In the Firewall Logging Properties dialog box, on the Log tab, select MSDE Database, and then click OK.

  6. Click Apply to save the changes, and then click OK.

    If you try to connect to the MSDE instance on the ISA Server computer from a remote Enterprise Manager console, you won't have any luck because only local connections are allowed. You can only connect from the Enterprise Manager installed on the ISA Server computer itself.

Configuring Logging to a File

Logging to a file carries similar characteristics to logging to a MSDE database. A log file cannot exceed 2 GB in size, and if the 2 GB limit is reached, ISA Server creates a new log file.

Note 

Regardless of size, ISA Server creates a new log file daily.

The SMTP Message Screener logs can only be stored in the file format.

To configure logging to a file, complete these steps:

  1. Open the ISA Server Management console.

  2. In the console tree, click the Monitoring node.

  3. In the details pane, click the Logging tab.

  4. In the task pane, under Logging Tasks, click Configure Firewall Logging.

  5. In the Firewall Logging Properties dialog box, on the Log tab, select File, select the logging format you desire, and then click OK.

    Note 

    The WC3 Extended Log File Format logs only the data that's available, uses tabs as delimiters, and uses Greenwich Mean Time (GMT) for the time format. ISA Server File Format logs all information, uses a dash as a placeholder to indicate when data is unselected, uses commas as delimiters, and uses the local time of the server. In Enterprise Edition you also have the options of logging in GMT.

  6. Click Apply to save the changes, and then click OK.

    Note 

    For the MSDE and File options you can select options (such as changing the log file location or changing the log fields) and configure the log file storage limits.

Filtering Logging

Log information quickly grows when using the log viewer, so to more efficiently analyze the data, you can filter the data specifically using several different conditions. To filter logging data in the viewer, follow these steps:

  1. Open the ISA Server Management console.

  2. In the console tree, click the Monitoring node.

  3. In the details pane, click the Logging tab.

  4. In the task pane, under Logging Tasks, click Edit Filter.

  5. In the Edit Filter dialog box, select the appropriate items from the Filter By and Condition drop-down lists, type the value, and click Add To List. You can insert additional filters if needed.

  6. Click Start Query to filter the logs.

    Note 

    The Online Log Viewer, in which the log time is set to Live, is available in all logging modes. The Offline Log Viewer is supported only in the MSDE and Enterprise Edition SQL modes.




Microsoft Internet Security and Acceleration ISA Server 2004 Administrator's Pocket Consultant
Microsoft Internet Security and Acceleration (ISA) Server 2004 Administrators Pocket Consultant (Pro-Administrators Pocket Consultant)
ISBN: 0735621888
EAN: 2147483647
Year: 2006
Pages: 173

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net