Microsoft KB Archive/919468

= New Warning event message that occurs in ISA Server 2004 SP3 to notify delay in logging =

Article ID: 919468

Article Last Modified on 12/4/2007


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition




SUMMARY
This article discusses the following new Warning event message that occurs in Microsoft Internet Security and Acceleration (ISA) Server 2004 Service Pack 3 (SP3):

Writing to the log took approximately %1 seconds. If this time exceeds 30 seconds, logging may fail and ISA Server may go into lockdown mode. For a workaround, see KB 919468.



MORE INFORMATION
ISA Server 2004 enforces the lockdown mode of operation if writing to the log files takes more than thirty seconds. ISA Server 2004 SP3 includes a new event message to notify the administrator before logging fails. For more information about ISA server lockdown mode of operation, click the following article number to view the article in the Microsoft Knowledge Base:

838711 Lockdown mode of operation in ISA Server 2006 or in ISA Server 2004

The new Warning event message is displayed if writing to the log files takes more than the time-out period. This helps administrators take preventive action before ISA Server enforces the lockdown mode of operation.
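The following added example (not part of the original article or of ISA Server) triages exported copies of this warning by extracting the reported write time and comparing it with the 30-second lockdown limit. The tab-separated export layout, the sample events, and the `margin` parameter are assumptions made for illustration.

```python
import re

# Text of the Warning event quoted in this article; %s stands in for the %1 insert.
TEMPLATE = ("Writing to the log took approximately %s seconds. If this time exceeds "
            "30 seconds, logging may fail and ISA Server may go into lockdown mode. "
            "For a workaround, see KB 919468.")
COMMIT_RE = re.compile(r"Writing to the log took approximately (\d+(?:\.\d+)?) seconds")
LOCKDOWN_SECONDS = 30  # log writes longer than this trigger lockdown mode

# Constructed sample export, one "timestamp<TAB>message" event per line (assumed layout).
SAMPLE_EXPORT = "\n".join([
    "2007-11-02 01:10:04\t" + TEMPLATE % 16,
    "2007-11-02 01:25:40\tConstructed unrelated event text.",
    "2007-11-02 02:10:07\t" + TEMPLATE % 19,
    "2007-11-02 03:10:31\t" + TEMPLATE % 27,
])

def parse_commit_delays(export_text):
    """Return [(timestamp, seconds)] for each long-commit warning, in file order."""
    delays = []
    for line in export_text.splitlines():
        timestamp, _, message = line.partition("\t")
        match = COMMIT_RE.search(message)
        if match:
            delays.append((timestamp, float(match.group(1))))
    return delays

def triage(delays, margin=5):
    """Summarise the warnings: worst delay, headroom before lockdown, priority."""
    if not delays:
        return {"count": 0, "worst": None, "headroom": None, "priority": "none"}
    seconds = [s for _, s in delays]
    worst = max(seconds)
    headroom = LOCKDOWN_SECONDS - worst
    # Each of the last three warnings slower than the one before: storage is degrading.
    rising = len(seconds) >= 3 and seconds[-3] < seconds[-2] < seconds[-1]
    if headroom <= margin:
        priority = "urgent"        # within `margin` seconds of the lockdown limit
    elif rising:
        priority = "investigate"
    else:
        priority = "watch"
    return {"count": len(seconds), "worst": worst, "headroom": headroom,
            "priority": priority}

if __name__ == "__main__":
    print(triage(parse_commit_delays(SAMPLE_EXPORT)))
```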

Methods to prevent lockdown mode
Administrators can use the following methods to prevent an ISA Server from enforcing the lockdown mode of operation.

Method 1
Use Disk Defragmenter to consolidate fragmented files and folders. To do this, follow these steps:
 * 1) Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Disk Defragmenter.
 * 2) Click the volume where you store the log files, and then click Analyze.
 * 3) Click Defragment if the Disk Defragmenter suggests defragmenting the volume.
 * 4) Verify disk performance.

Notes
 * To avoid long commits, you must frequently defragment the disks where you store ISA log files.
 * For reliability and better performance, use RAID volumes.

Method 2
If you are using Microsoft SQL Server for logging, modify the file growth size or the file growth percentage for the SQL database.

For more information about how to modify file growth size, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa275464(SQL.80).aspx

You can use the following SQL script to modify the file growth size.

    USE master
    ALTER DATABASE <database name> MODIFY FILE (NAME = <logical file name>, FILEGROWTH = <file growth>)

Note In the script example, the text that is enclosed in angle brackets (<>) is a placeholder. In the script example, <file growth> is specified in megabytes (MB) or as a percentage of file size. The default value is 75 MB.

Method 3
Make sure that the firewall log directory and the Web proxy log directory are on different disks. To do this, follow these steps:
 * 1) In the ISA Server 2004 MMC snap-in, click Monitoring.
 * 2) In the Details pane, click the Logging tab.
 * 3) On the Tasks tab, click Configure Firewall Logging.
 * 4) On the Log tab, click the appropriate Log storage format, and then click Options.
 * 5) In the Store the log file in box, note the path of the folder where firewall logs are stored.
 * 6) Under Log file storage limits, make appropriate changes to reduce the log file size.
 * 7) Click OK, and then click Apply.
 * 8) On the Tasks tab, click Web Proxy Logging.
 * 9) On the Log tab, click the appropriate log storage format, and then click Options.
 * 10) Make sure that the path that you noted in step 5 is not the same path that is listed for Web proxy logging.

Note Make sure that the Web proxy logs are stored to a different disk.
 * 11) Under Log file storage limits, make appropriate changes to reduce the log file size.
 * 12) Click OK, and then click Apply.

Method 4
Restrict the number of fields that are included in the log. To do this, follow these steps:
 * 1) In the ISA Server 2004 MMC snap-in, click Monitoring.
 * 2) In the Details pane, click the Logging tab.
 * 3) On the Tasks tab, click Configure Firewall Logging.
 * 4) On the Fields tab, select only the fields that you want, click Apply, and then click OK.
 * 5) Repeat step 2 through step 4 for Web Proxy Logging.

Method 5
Define rules to decrease the number of lines that are logged. To do this, follow these steps:
 * 1) You can define the following rules at the beginning of the firewall policy:
 ** Deny probable malicious traffic to the firewall itself, and log these tries. For example, deny the following types of probable malicious traffic:
 *** Telnet
 *** FTP
 ** Deny any other traffic to the firewall computer itself, and do not log the activity.
 * 2) You can define the following rules at the end of the firewall policy:
 ** Deny high-load traffic that is not defined as dangerous, and do not log the activity. For example, deny the following types of high-load traffic:
 *** NetBios
 *** RIP
 *** OSPF
 *** DHCP
 ** Deny any other traffic with logging enabled.

Note These rules help the ISA server log activities that are required. Additionally, these rules help administrators troubleshoot issues.
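The following added example (not part of the original article) models the Method 5 rule layout as an ordered, first-match policy and counts the log lines that a traffic sample produces. The rule names, the `allow-web` rule, and the traffic sample are hypothetical and constructed for illustration.

```python
# Traffic classes named in Method 5.
PROBES = {"Telnet", "FTP"}                      # probable malicious traffic to the firewall
HIGH_LOAD = {"NetBios", "RIP", "OSPF", "DHCP"}  # high-load traffic that is not dangerous

# (name, match, action, log) in policy order; the first matching rule is applied.
POLICY = [
    ("deny-probes-to-firewall", lambda p: p["to_firewall"] and p["protocol"] in PROBES, "deny", True),
    ("deny-rest-to-firewall", lambda p: p["to_firewall"], "deny", False),
    ("allow-web", lambda p: p["protocol"] == "HTTP", "allow", True),  # hypothetical site rule
    ("deny-high-load", lambda p: p["protocol"] in HIGH_LOAD, "deny", False),
    ("deny-all", lambda p: True, "deny", True),
]
# Same rules with the first two swapped, to show why their order matters.
MISORDERED = [POLICY[1], POLICY[0]] + POLICY[2:]

def evaluate(policy, packet):
    """Return (rule name, action, logged) for the first rule that matches."""
    for name, matches, action, log in policy:
        if matches(packet):
            return name, action, log
    return "no-match", "deny", True  # not reached while a catch-all rule is last

def logged_lines(policy, traffic):
    """Count how many connections in the sample would produce a log line."""
    return sum(1 for packet in traffic if evaluate(policy, packet)[2])

def connections(count, protocol, to_firewall=False):
    """Build `count` identical constructed connection records."""
    return [{"protocol": protocol, "to_firewall": to_firewall}] * count

# Constructed traffic sample.
TRAFFIC = (connections(3, "Telnet", to_firewall=True)
           + connections(40, "SNMP", to_firewall=True)
           + connections(10, "HTTP")
           + connections(200, "NetBios")
           + connections(50, "DHCP")
           + connections(5, "IRC"))

if __name__ == "__main__":
    print("connections:", len(TRAFFIC))
    print("logged, Method 5 order:", logged_lines(POLICY, TRAFFIC))
    print("logged, first two rules swapped:", logged_lines(MISORDERED, TRAFFIC))
```

With the first two rules swapped, the Telnet attempts against the firewall match the unlogged rule first and disappear from the log, so the logged deny rule for probable malicious traffic must stay above the unlogged one.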

How to set the time-out period
To set the time-out period for the raising of the Warning event message, run the following Microsoft Visual Basic script. To do this, follow these steps:
 * 1) Start Notepad.
 * 2) Copy the following script into a new text file.

    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "FireLongLogCommitAfterThisAmountOfSeconds"
    Const SE_VPS_VALUE = 15

    Sub SetValue

        ' Create the root object.
        Dim root ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim array      ' An FPCArray object
        Dim VendorSets ' An FPCVendorParametersSets collection
        Dim VendorSet  ' An FPCVendorParametersSet object

        ' Get references to the array object
        ' and the vendor parameters sets collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets

        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )

        If Err.Number <> 0 Then
            Err.Clear

            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name

        Else
            WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
        End If

        If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true

                ' Test Err before CheckError clears it, so that "saved!"
                ' is reported only when the save succeeded.
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                Else
                    CheckError
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If

    End Sub

    Sub CheckError

        ' Report and clear any pending error.
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If

    End Sub

    SetValue

Note This script uses the default value of 15 seconds. Change the SE_VPS_VALUE value that is set in the script to an appropriate value.
 * 3) Save the file by using the following file name:

FireLongLogcommitAfterThisAmountOfSecontds.vbs
 * 4) Double-click the file that you saved in step 3 to run the script.

Keywords: kbinfo kbtshoot kbexpertiseadvanced KB919468


© Microsoft Corporation. All rights reserved.