A log query may not return all the results that you expect in Internet Security and Acceleration Server 2004 (884493)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

SYMPTOMS

When you configure or modify a query in Microsoft Internet Security and Acceleration (ISA) Server 2004, you may not receive all the query results that you expect. For example, if you create a query that is similar to the query in the following table, you may receive the results only from the time that you start the query instead of from the start time that you defined in the query.

Filter by    Condition      Value
Log Time     On or After    2003.12.11 20:35:49
Client IP    Equals         192.168.0.55

In this scenario, the query returns only the most recent 10,000 records.

Note For more information about how to configure or to modify a query in ISA Server 2004, see the "Workaround" section.

CAUSE

This issue occurs because the ISA Server 2004 query tool has a current limitation of 10,000 results.

If a query returns more than 10,000 results, you receive the newest 10,000 results that match your query.

WORKAROUND

To work around this issue, modify your query filter to return the results in sections of 10,000 records. For example, to modify the sample query that is described in the "Symptoms" section so that it returns results from the start time that you defined in the query, configure an upper range in the query. Specifically, configure the query so that it is similar to the query in the following table.

Filter by    Condition       Value
Log Time     On or After     2003.12.11 20:35:49
Log Time     On or Before    2003.12.11 21:35:49
Client IP    Equals          192.168.0.55

Because a single query can return a maximum of 10,000 results, you must modify the filtering options in your query to limit the query to 10,000 or fewer returned results. To modify a query filter, follow these steps:
  1. Start the ISA Server Management tool. To do this, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. Expand ServerName, where ServerName is the name of your ISA Server computer, and then click Monitoring.
  3. Click the Logging tab, and then on the Tasks tab in the right pane, click Edit Filter.
  4. Click the items in the Filter by list, in the Condition list, and in the Value list to modify the query filter.
  5. When you are finished modifying your query filter, click Add To List.

    Note If you modify an entry that is currently listed in the query filter, click Update instead of Add To List.
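
The windowing idea behind this workaround, generalized as an added example (not Microsoft's code and not an ISA Server API): a time range is halved until every window returns fewer than 10,000 records, so each window can be entered as one On or After / On or Before pair. The functions run_query and plan_windows, the one-second Log Time resolution, and the sample records are assumptions constructed for the illustration.

```python
from datetime import datetime, timedelta

CAP = 10_000                 # per-query result limit stated in the article
TICK = timedelta(seconds=1)  # assumed Log Time resolution (one second)

def run_query(log, start, end, client_ip, cap=CAP):
    """Hypothetical stand-in for the log viewer: returns the newest `cap`
    records with start <= Log Time <= end and a matching Client IP."""
    hits = sorted(t for t, ip in log if ip == client_ip and start <= t <= end)
    return hits[-cap:]

def plan_windows(log, start, end, client_ip, cap=CAP):
    """Return [(start, end, count, truncated)] covering [start, end]
    with inclusive, non-overlapping windows."""
    count = len(run_query(log, start, end, client_ip, cap))
    if count < cap:
        # Below the limit, so nothing older was silently dropped.
        return [(start, end, count, False)]
    if start >= end:
        # One second alone reaches the limit: time filters cannot narrow it,
        # so another filter condition is needed. Flag it instead of hiding it.
        return [(start, end, count, True)]
    # Split on a whole-second boundary; the two halves share no timestamp.
    half = int((end - start).total_seconds()) // 2
    mid = start + timedelta(seconds=half)
    return (plan_windows(log, start, mid, client_ip, cap)
            + plan_windows(log, mid + TICK, end, client_ip, cap))

def sample_log():
    """Constructed data: 25,000 records for 192.168.0.55 (one every two
    seconds) plus unrelated records from a second client."""
    t0 = datetime(2003, 12, 11, 20, 35, 49)
    log = [(t0 + timedelta(seconds=2 * i), "192.168.0.55") for i in range(25_000)]
    log += [(t0 + timedelta(seconds=i), "192.168.0.77") for i in range(5_000)]
    return log

if __name__ == "__main__":
    t0 = datetime(2003, 12, 11, 20, 35, 49)
    plan = plan_windows(sample_log(), t0, t0 + timedelta(hours=14), "192.168.0.55")
    for start, end, count, truncated in plan:
        print(start, "->", end, count, "TRUNCATED" if truncated else "")
```

A window that returns exactly 10,000 records is treated as possibly truncated and split again, because the result count alone cannot distinguish a full match from a capped one.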

MORE INFORMATION

ISA Server 2004 lets you export and import your query filters. Therefore, you can create a collection of queries that you can reuse. To export a query filter, follow these steps:
  1. Start the ISA Server Management tool.
  2. Expand ServerName, and then click Monitoring.
  3. Click the Logging tab, and then on the Tasks tab in the right pane, click Export Filter Definitions.
  4. Locate the folder where you want to save the query filter. In the File name box, type a name for the filter definitions, and then click Save.

REFERENCES

For additional information about the logging feature in ISA Server 2004, see the "Logs" topic in ISA Server Help. To obtain the ISA Server 2004 Help files and other ISA Server 2004 documentation, visit the following Microsoft Web site:

For additional information about how to configure ISA Server, visit the following ISAserver.org Web site:

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Modification Type: Minor
Last Reviewed: 10/5/2004
Keywords: kbFirewall kbtshoot kbprb KB884493 kbAudITPRO