How to configure logging in ISA Server 2004 (838241)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

For a Microsoft Internet Security and Acceleration (ISA) Server 2000 version of this article, see 302372.

SUMMARY

This article discusses how to configure logging in Microsoft Internet Security and Acceleration (ISA) Server 2004. The article includes step-by-step instructions that tell you how to do the following:

  • Enable or disable logging for a specific service
  • Configure a log request that matches a rule
  • Specify which fields to log
  • Filter the log viewer data, work with log filter definitions, and save the data
  • Log messages to an MSDE database, to an SQL database, or to a file

INTRODUCTION

This article describes how to configure the logging features for Microsoft Internet Security and Acceleration (ISA) Server 2004.

All the tasks in this article can be performed by using ISA Server Management. To start ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

Enable or disable logging for a specific service

  1. In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
  2. In the right pane, click the Tasks tab, and then click the appropriate task:
    • To configure the Firewall service log, click Configure Firewall Logging.
    • To configure the Web Proxy service log, click Configure Web Proxy Logging.
    • To configure the SMTP Message Screener service log, click Configure SMTP Message Screener Logging.
  3. On the Log tab, click to select the Enable logging for this service check box.
Note To disable logging for a specific service, click to clear the Enable logging for this service check box on the Log tab.


Configure a log request that matches a rule

  1. In the console tree of ISA Server Management, click Firewall Policy.
  2. In the center pane, click the rule that you want to configure.
  3. In the right pane, click the Tasks tab, and then click Edit Selected Rule.
  4. On the Action tab, click to select the Log requests matching this rule check box.
Note If lots of data is being logged from a specific protocol or source, you can create a new rule that applies to that type of traffic and that does not log the requests. For example, many DHCP requests are denied if your policy does not allow DHCP requests. You can create a new access rule that denies DHCP requests but does not log the requests.


Specify which fields to log

  1. In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
  2. In the right pane, click the Tasks tab, and then click the appropriate task:
    • To configure the Firewall service log, click Configure Firewall Logging.
    • To configure the Web Proxy service log, click Configure Web Proxy Logging.
    • To configure the SMTP Message Screener service log, click Configure SMTP Message Screener Logging.
  3. On the Fields tab, use one of the following procedures:
    • To select specific fields, click to select the appropriate check boxes.
    • To clear all the check boxes in the field list, click Clear All.
    • To select all the check boxes in the field list, click Select All.
    • To select a default set of fields in the ISA Server log file, click Restore Defaults.

Set up the ISA Server services to log messages to an MSDE database

  1. In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
  2. In the right pane, click the Tasks tab, and then click the appropriate task:
    • To log the Firewall service data to an MSDE database, click Configure Firewall Logging.
    • To log the Web Proxy service data to an MSDE database, click Configure Web Proxy Logging.
  3. On the Log tab, click MSDE Database.
  4. This step is optional. Click Options to confirm the following parameters:
    • Store the log files in
    • Log file storage limits
    • Maintain log storage limits by

Set up the ISA Server services to log messages to an SQL database

  1. In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
  2. In the right pane, click the Tasks tab, and then click the appropriate task:
    • To log the Firewall service data to an SQL database, click Configure Firewall Logging.
    • To log the Web Proxy service data to an SQL database, click Configure Web Proxy Logging.
  3. On the Log tab, click SQL Database.
  4. Confirm or modify the following parameters:
    • ODBC data source (DSN)
    • Table name
    • Use this account
  5. This step is optional. If you have to change the user account, click Set Account, type both the user name and the password, and then confirm the password.
Note You must enable the Allow remote Logging using NetBios transport to trusted servers system policy rule to log to an SQL database.


Set up a computer that is running SQL Server for ISA Server logging

  1. Set up the computer that is running Microsoft SQL Server to include a database file for each ISA Server service:
    1. On the computer that is running SQL Server, start Enterprise Manager.
    2. Connect to the server that you want to host the database files.
    3. On the Tools menu, click SQL Query Analyzer.
    4. On the File menu, click Open, and then locate the following folder on the ISA Server 2004 CD:

      Drive:\ISA\FPC\Program Files\Microsoft ISA Server

    5. Open one of the following files:
      • To log the Firewall service data to an SQL database, open the Fwsrv.sql file.
      • To log the Web Proxy service data to an SQL database, open the W3proxy.sql file.
    6. Add the following lines to the top of each script:
      Go
      Use <Database_name>
      Go
    7. On the Query menu, click Execute.
  2. Set up SQL Server to accept the Open Database Connectivity (ODBC) data connection from the ISA Server computer. If ISA Server is not located in the same Microsoft Windows 2000 domain, you must set up a SQL Server account. To do this, follow these steps:
    1. On the computer that is running SQL Server, start Enterprise Manager, and then connect to the server that you set up to host your databases.
    2. Click Microsoft SQL Servers, click SQL Server Group, click Server_Name, click Security, and then right-click Logins.
    3. Click New Login.
    4. If you are located in the same domain as the ISA Server computer, click Windows Authentication, and then follow these steps:
      1. In the Name box, type Domain_Name\ISA_Server_Name$.
      2. On the Database Access tab, click to select the databases that this logon method can access. That is, click to select the databases that you created earlier.
    5. If you are located in a domain that is different from the domain of the ISA Server computer, you must use SQL Server Authentication. To do this, follow these steps:
      1. This step is optional. In the Name box, type a specific name that describes the logon method.
      2. Type a password for this logon method.
      3. On the Database Access tab, click the databases that this logon method can access. That is, click the databases that you created earlier.
    6. Click Change the default database, and then click the database that ISA Server will log data to.
    7. Stop and then restart the SQL Server service.
  3. Set up the ODBC data source on the ISA Server computer:
    1. Under Administrative Tools, click Data Sources (ODBC).
    2. On the System DSN tab, click Add.
    3. Click SQL Server, and then click Finish.
    4. In the Create a New Data Source to SQL Server dialog box, type a name for the data source in the Name box. Use the same name that you used for the database file.
    5. Type the name of the server that is running SQL Server, and then click Next.
    6. There are two options for database authentication. These options correspond to the account that you set up in step 2:
      • To use the ISA Server computer account for authentication, click With Windows NT authentication, and then type your domain credentials.

        Note You can use this option only in a Windows 2000 domain.
      • To use a SQL Server account for authentication, click With SQL Server authentication, and then use the credential that was established for the SQL Server account user.
    7. Follow the instructions that appear on the screen.
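
The logon setup in step 2 can also be scripted in SQL Query Analyzer instead of Enterprise Manager. The following is an added example, not part of the original article: the database name ISALogs, the login names, and the table names FirewallLog and WebProxyLog are placeholder assumptions (use the value shown in the Table name box), and it assumes the logging account only needs to insert rows.

```sql
-- Added example: scripted form of step 2, using SQL Server 2000 system procedures.
-- Placeholders (assumptions, not values from the article):
--   ISALogs          database that the Fwsrv.sql / W3proxy.sql scripts were run in
--   CONTOSO\ISA01$   computer account of the ISA Server (Domain_Name\ISA_Server_Name$)
--   isa_logwriter    SQL Server Authentication login for the cross-domain case
--   FirewallLog, WebProxyLog   assumed log table names

-- Option A: ISA Server is in the same domain (Windows Authentication).
EXEC sp_grantlogin @loginame = N'CONTOSO\ISA01$';
EXEC sp_defaultdb  @loginame = N'CONTOSO\ISA01$', @defdb = N'ISALogs';
GO
USE ISALogs;
GO
EXEC sp_grantdbaccess @loginame = N'CONTOSO\ISA01$';
-- Assumption: the logging account only writes rows, so grant INSERT and
-- nothing else (no db_owner, no SELECT/UPDATE/DELETE).
GRANT INSERT ON FirewallLog TO [CONTOSO\ISA01$];
GRANT INSERT ON WebProxyLog TO [CONTOSO\ISA01$];
GO

-- Option B: ISA Server is in a different domain (SQL Server Authentication).
-- Replace the password placeholder before running.
EXEC sp_addlogin @loginame = N'isa_logwriter',
                 @passwd   = N'<password placeholder>',
                 @defdb    = N'ISALogs';
GO
USE ISALogs;
GO
EXEC sp_grantdbaccess @loginame = N'isa_logwriter';
GRANT INSERT ON FirewallLog TO isa_logwriter;
GRANT INSERT ON WebProxyLog TO isa_logwriter;
GO

-- Check: list the permissions each account actually holds in ISALogs.
EXEC sp_helprotect @username = N'CONTOSO\ISA01$';
EXEC sp_helprotect @username = N'isa_logwriter';
GO
```

Run only the option that matches the authentication method chosen in step 2, and only the sp_helprotect line for that account.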

Configure log storage limits

  1. In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
  2. In the right pane, click the Tasks tab, and then click the appropriate task:
    • To configure the Firewall log limits, click Configure Firewall Logging.
    • To configure the Web Proxy log limits, click Configure Web Proxy Logging.
  3. On the Log tab, click either File or MSDE Database to select the log storage format.
  4. Click Options.
  5. To limit the size of the logs, click Limit total log files size. In the text box, type the maximum log size that you want to use.
  6. To maintain a specified amount of free disk space on the disk where the logs are stored, click Maintain free disk space. In the text box, type the amount of free disk space that you want to maintain.
  7. If you clicked either Limit total log files size or Maintain free disk space, click one of the following:
    • To delete the oldest log files when you exceed the limits that you specified, click Deleting older log files as necessary.
    • To delete log files after a specified number of days, click Delete files older than (days). In the text box, type the number of days that you want to keep log information.

Notes

  • You cannot set log limits for SQL database logs.
  • Every 10 minutes, ISA Server checks that logs do not exceed the specified limits. Therefore, logs might exceed the limits for a maximum of 10 minutes.

Configure logging to a file

  1. In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
  2. In the right pane, click the Tasks tab, and then click the appropriate task:
    • To log the Firewall service data to a file, click Configure Firewall Logging.
    • To log the Web Proxy service data to a file, click Configure Web Proxy Logging.
    • To log the SMTP Message Screener service data to a file, click Configure SMTP Message Screener Logging.
  3. On the Log tab, click File.
  4. This step is optional. Click Options to confirm or to modify the following parameters:
    • Store the log files in
    • Log file storage limits
    • Maintain log storage limits by
    • Delete log files older than
    • Compress log files

Notes

  • Compressing the log file decreases the size of the log file and the space that the log file uses.
  • Performance may be affected when you work with NTFS-compressed files. When you read from a compressed file, Microsoft Windows automatically decompresses it. When you write to the file, Windows compresses it. This process may affect your computer's performance.

Filter the log viewer data

  1. In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
  2. In the right pane, click the Tasks tab, and then click Edit Filter.
  3. Add conditions to the filter:
    1. Under Filter by, click one of the log fields.
    2. Under Condition and Value, specify the appropriate condition, and then click Add to List.
  4. Repeat step 3 to add more conditions to the filter, and then click Start Query.

Notes

  • The log viewer displays log data only if the log data matches all the expressions that are included in the filter. In other words, the effect is the same as if the expressions were combined with the AND operator.
  • When you create the filter, you must specify exactly one Log Time and one Log Record Type.
  • To edit an expression in the filter list, click Edit Filter Properties, click the condition, and then click Update.
  • To delete an expression from the filter list, click the applicable expression under Query according to this list of expressions, and then click Remove.
  • The log viewer updates data only when the Firewall service is running. When the Firewall service is not running, ISA Server enforces lockdown mode. For more information about lockdown mode in ISA Server 2004, see the "Lockdown" topic in Help.
  • The log viewer can display information only about the Firewall log and about the Web Proxy log. The log viewer cannot display information about the SMTP Message Screener log.

Save a log filter definition

  1. In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
  2. In the right pane, click the Tasks tab, and then click Save Filter Definitions.
  3. In File Name, specify the file name of the .xml file that has the filter definition, and then click Save.

Load a log filter definition

  1. In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
  2. In the right pane, click the Tasks tab, and then click Load Filter Definitions.
  3. In File Name, specify the file name of the .xml file that has the filter definition, and then click Load.

Save log viewer data

  1. In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
  2. On the Tasks tab, click one of the following:
    • To copy the selected data that is displayed in the log viewer, click Copy Selected Results to Clipboard.
    • To copy all the data from the log viewer, click Copy All Results to Clipboard.
Note After you copy the data to the clipboard, you can paste the text into an appropriate application for analysis.


REFERENCES

For more information about Microsoft Internet Security and Acceleration Server 2004, visit the following Microsoft Web site:

Modification Type: Minor
Last Reviewed: 11/2/2004
Keywords:kbinfo kbhowto KB838241 kbAudEndUser