Microsoft KB Archive/838241

= How to configure logging in ISA Server 2004 =

Article ID: 838241

Article Last Modified on 11/2/2004

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition

For a Microsoft Internet Security and Acceleration (ISA) Server 2000 version of this article, see 302372.



SUMMARY


This article discusses how to configure logging in Microsoft Internet Security and Acceleration (ISA) Server 2004. The article includes step-by-step instructions that tell you how to do the following:


 * Enable or disable logging for a specific service
 * Configure a log request that matches a rule
 * Specify which fields to log
 * Filter the log viewer data, work with log filter definitions, and save the data
 * Log messages to an MSDE database, to an SQL database, or to a file



IN THIS TASK

 * INTRODUCTION
 * Enable or disable logging for a specific service
 * Configure a log request that matches a rule
 * Specify which fields to log
 * Set up the ISA Server services to log messages to an MSDE database
 * Set up the ISA Server services to log messages to an SQL database
 * Set up a computer that is running SQL Server for ISA Server logging
 * Configure log storage limits
 * Configure logging to a file
 * Filter the log viewer data
 * Save a log filter definition
 * Load a log filter definition
 * Save the log viewer data
 * REFERENCES


INTRODUCTION
This article describes how to configure the logging features for Microsoft Internet Security and Acceleration (ISA) Server 2004.

All the tasks in this article can be performed by using ISA Server Management. To start ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.


Enable or disable logging for a specific service

 * 1) In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
 * 2) In the right pane, click the Tasks tab, and then click the appropriate task:
    * To configure the Firewall service log, click Configure Firewall Logging.
    * To configure the Web Proxy service log, click Configure Web Proxy Logging.
    * To configure the SMTP Message Screener service log, click Configure SMTP Message Screener Logging.
 * 3) On the Log tab, click to select the Enable logging for this service check box.

Note To disable logging for a specific service, click to clear the Enable logging for this service check box on the Log tab.


Configure a log request that matches a rule

 * 1) In the console tree of ISA Server Management, click Firewall Policy.
 * 2) In the center pane, click the rule that you want to configure.
 * 3) In the right pane, click the Tasks tab, and then click Edit Selected Rule.
 * 4) On the Action tab, click to select the Log requests matching this rule check box.

Note If a large amount of data is being logged for a specific protocol or source, you can create a new rule that applies to that type of traffic and that does not log the requests. For example, many DHCP requests are denied if your policy does not allow DHCP requests. You can create a new access rule that denies DHCP requests but does not log the requests.


Specify which fields to log

 * 1) In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
 * 2) In the right pane, click the Tasks tab, and then click the appropriate task:
    * To configure the Firewall service log, click Configure Firewall Logging.
    * To configure the Web Proxy service log, click Configure Web Proxy Logging.
    * To configure the SMTP Message Screener service log, click Configure SMTP Message Screener Logging.
 * 3) On the Fields tab, use one of the following procedures:
    * To select specific fields, click to select the appropriate check boxes.
    * To clear all the check boxes in the field list, click Clear All.
    * To select all the check boxes in the field list, click Select All.
    * To select a default set of fields in the ISA Server log file, click Restore Defaults.


Set up the ISA Server services to log messages to an MSDE database

 * 1) In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
 * 2) In the right pane, click the Tasks tab, and then click the appropriate task:
    * To log the Firewall service data to an MSDE database, click Configure Firewall Logging.
    * To log the Web Proxy service data to an MSDE database, click Configure Web Proxy Logging.
 * 3) On the Log tab, click MSDE Database.
 * 4) This step is optional. Click Options to confirm the following parameters:
    * Store the log files in
    * Log file storage limits
    * Maintain log storage limits by


Set up the ISA Server services to log messages to an SQL database

 * 1) In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
 * 2) In the right pane, click the Tasks tab, and then click the appropriate task:
    * To log the Firewall service data to an SQL database, click Configure Firewall Logging.
    * To log the Web Proxy service data to an SQL database, click Configure Web Proxy Logging.
 * 3) On the Log tab, click SQL Database.
 * 4) Confirm or modify the following parameters:
    * ODBC data source (DSN)
    * Table name
    * Use this account
 * 5) This step is optional. If you have to change the user account, click Set Account, type both the user name and the password, and then confirm the password.

Note You must enable the Allow remote Logging using NetBios transport to trusted servers system policy rule to log to an SQL database.


Set up a computer that is running SQL Server for ISA Server logging

 * 1) Set up the computer that is running Microsoft SQL Server to include a database file for each ISA Server service:
    * a) On the computer that is running SQL Server, start Enterprise Manager.
    * b) Connect to the server that you want to host the database files.
    * c) On the Tools menu, click SQL Query Analyzer.
    * d) On the File menu, click Open, and then locate the following folder on the ISA Server 2004 CD:
    * e) Open one of the following files:
       * To log the Firewall service data to an SQL database, open the Fwsrv.sql file.
       * To log the Web Proxy service data to an SQL database, open the W3proxy.sql file.
    * f) Add the following lines to the top of each script: Go Use, click Security, and then right-click Logins.
    * g) Click New Login.
    * h) If you are located in the same domain as the ISA Server computer, click Windows Authentication, and then follow these steps:
       * 1) In the Name box, type \ $ .
       * 2) On the Database Access tab, click to select the databases that this logon method can access. That is, click to select the databases that you created earlier.
    * i) If you are located in a domain that is different from the domain of the ISA Server computer, you must use SQL Server Authentication. To do this, follow these steps:
       * 1) This step is optional. In the Name box, type a specific name that describes the logon method.
       * 2) Type a password for this logon method.
       * 3) On the Database Access tab, click the databases that this logon method can access. That is, click the databases that you created earlier.
    * j) Click Change the default database, and then click the database that ISA Server will log data to.
    * k) Stop and then restart the SQL Server service.
 * 2) Set up the ODBC data source on the ISA Server computer:
    * a) Under Administrative Tools, click Data Sources (ODBC).
    * b) On the System DSN tab, click Add.
    * c) Click SQL Server, and then click Finish.
    * d) In the Create a New Data Source to SQL Server dialog box, type a name for the data source in the Name box. Use the same name that you used for the database file.
    * e) Type the name of the server that is running SQL Server, and then click Next.
    * f) There are two options for database authentication. These options correspond to the account that you set up in step 2:
       * To use the ISA Server computer account for authentication, click With Windows NT authentication, and then type your domain credentials. Note You can use this option only in a Windows 2000 domain.
       * To use a SQL Server account for authentication, click With SQL Server authentication, and then use the credential that was established for the SQL Server account user.
    * g) Follow the instructions that appear on the screen.


Configure log storage limits

 * 1) In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
 * 2) In the right pane, click the Tasks tab, and then click the appropriate task:
    * To configure the Firewall log limits, click Configure Firewall Logging.
    * To configure the Web Proxy log limits, click Configure Web Proxy Logging.
 * 3) On the Log tab, click either File or MSDE Database to select the log storage format.
 * 4) Click Options.
 * 5) To limit the size of the logs, click Limit total log files size. In the text box, type the maximum log size that you want to use.
 * 6) To maintain a specified amount of free disk space on the disk where the logs are stored, click Maintain free disk space. In the text box, type the amount of free disk space that you want to maintain.
 * 7) If you clicked either Limit total log files size or Maintain free disk space, click one of the following:
    * To delete the oldest log files when you exceed the limits that you specified, click Deleting older log files as necessary.
    * To delete log files after a specified number of days, click Delete files older than (days). In the text box, type the number of days that you want to keep log information.

Configure logging to a file

 * 1) In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
 * 2) In the right pane, click the Tasks tab, and then click the appropriate task:
    * To log the Firewall service data to a file, click Configure Firewall Logging.
    * To log the Web Proxy service data to a file, click Configure Web Proxy Logging.
    * To log the SMTP Message Screener service data to a file, click Configure SMTP Message Screener Logging.
 * 3) On the Log tab, click File.
 * 4) This step is optional. Click Options to confirm or to modify the following parameters:
    * Store the log files in
    * Log file storage limits
    * Maintain log storage limits by
    * Delete log files older than
    * Compress log files

Filter the log viewer data

 * 1) In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
 * 2) In the right pane, click the Tasks tab, and then click Edit Filter.
 * 3) Add conditions to the filter:
    * a) Under Filter by, click one of the log fields.
    * b) Under Condition and Value, specify the appropriate condition, and then click Add to List.
 * 4) Repeat step 4 to add more conditions to the filter, and then click Start Query.

Save a log filter definition

 * 1) In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
 * 2) In the right pane, click the Tasks tab, and then click Save Filter Definitions.
 * 3) In File Name, specify the file name of the .xml file that has the filter definition, and then click Save.


Load a log filter definition

 * 1) In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
 * 2) In the right pane, click the Tasks tab, and then click Load Filter Definitions.
 * 3) In File Name, specify the file name of the .xml file that has the filter definition, and then click Load.


Save log viewer data

 * 1) In the console tree of ISA Server Management, click Monitoring, and then click the Logging tab in the center pane.
 * 2) On the Tasks tab, click one of the following:
    * To copy the selected data that is displayed in the log viewer, click Copy Selected Results to Clipboard.
    * To copy all the data from the log viewer, click Copy All Results to Clipboard.

Note After you copy the data to the clipboard, you can paste the text into an appropriate application for analysis.
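
The note about creating a rule that does not log high-volume traffic, and the filter and copy steps above, shown as an added example that is not part of the original article: it reads log viewer rows that were pasted into a tab-separated text file, applies field/condition/value filters, and ranks the traffic groups that dominate the log. The column names, condition names, the AND combination of conditions and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: tab-separated log viewer rows pasted into a text file.
# Column, protocol and rule names are assumptions for illustration.
SAMPLE = "\n".join([
    "Log Time\tClient IP\tDestination Port\tProtocol\tAction\tRule",
    "2004-11-02 09:00:01\t0.0.0.0\t67\tDHCP\tDenied\tDefault rule",
    "2004-11-02 09:00:03\t0.0.0.0\t67\tDHCP\tDenied\tDefault rule",
    "2004-11-02 09:00:04\t10.0.0.21\t80\tHTTP\tAllowed\tWeb access",
    "2004-11-02 09:00:06\t10.0.0.40\t67\tDHCP\tDenied\tDefault rule",
    "2004-11-02 09:00:07\t10.0.0.35\t445\tSMB\tDenied\tDefault rule",
    "2004-11-02 09:00:09\t0.0.0.0\t67\tDHCP\tDenied\tDefault rule",
    "2004-11-02 09:00:11\t10.0.0.21\t443\tHTTPS\tAllowed\tWeb access",
    "2004-11-02 09:00:12\t10.0.0.40\t67\tDHCP\tDenied\tDefault rule",
])

# Illustrative condition names; combining conditions with AND is an assumption.
OPS = {
    "equals": lambda have, want: have == want,
    "not equal": lambda have, want: have != want,
    "contains": lambda have, want: want.lower() in have.lower(),
}

def load_rows(text):
    """Parse a tab-separated export whose first line names the columns."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))

def apply_filter(rows, conditions):
    """Keep rows that satisfy every (field, condition, value) triple."""
    return [r for r in rows
            if all(OPS[op](r[field], value) for field, op, value in conditions)]

def noisy_groups(rows, min_share=0.5):
    """Report (Protocol, Action, Rule) groups holding at least min_share of rows."""
    counts, sources = Counter(), defaultdict(set)
    for r in rows:
        key = (r["Protocol"], r["Action"], r["Rule"])
        counts[key] += 1
        sources[key].add(r["Client IP"])  # distinct senders behind the volume
    total = len(rows)
    return [{"group": k, "rows": n, "share": n / total, "sources": len(sources[k])}
            for k, n in counts.most_common() if n / total >= min_share]

if __name__ == "__main__":
    rows = load_rows(SAMPLE)
    print(noisy_groups(rows))
    print(apply_filter(rows, [("Protocol", "not equal", "DHCP"), ("Action", "equals", "Denied")]))
```

Check the `sources` count before creating a rule that does not log a group: volume that comes from one or two clients may be worth investigating first, and the rule should match only the reported group.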

