Comparing the Web Proxy log with the Firewall Service log will help you understand Web Proxy service and Firewall service activity. Figure 2, page 9, shows the information each log contains for the same set of transactions. Notice that where the Web Proxy log lists anonymous connections that the Web Proxy service allowed, the Firewall log captured the username. To include Web Proxy users in the log, you must use the ISA Management snap-in to enable Web Proxy authentication. To do so, right-click the array name and select Properties. Click the Outgoing Web Requests tab and select the Ask unauthenticated users for identification check box. If ISA Server can't obtain authentication automatically, the server will prompt the user for credentials. The Firewall client logs user authentication information automatically. However, because you can install the Firewall client software only on Win32 client computers, only Win32 platforms support it.

The Packet Filter log differs from the Firewall Service log in that the former shows traffic at the packet rather than the application level. The Packet Filter log shows date and time, source and destination addresses, the packet's port, whether the packet was blocked or allowed, TCP flags, and, optionally, the packet's actual payload (main content). The payload is represented in hexadecimal format, so know your IP packet architecture and hex translation. This log is useful for troubleshooting why packets are dropped when they hit your firewall. By default, ISA Server doesn't log packets that are allowed across the firewall. To log the allowed packets, open the ISA Management snap-in, expand the Access Policy node, right-click IP Packet Filters, then select Properties. In the IP Packet Filters Properties dialog box, click the Packet Filters tab and select the Log packets from 'Allow' filters check box. ISA Server supports logging to either a text file or an ODBC-compliant database.

Logging to a Text File
As I mentioned previously, ISA Server file logging supports both W3C extended file format and a proprietary format. You can specify whether to create a new file daily, weekly, monthly, or yearly. Your log files can grow extremely large depending on the frequency of your logging as well as which fields you select to log. ISA Server supports log-file compression, and you can specify the maximum number of log files before replacing old logs that fall outside the setting with new logs. (In this case, the oldest log file is deleted when the new log file is created.) To enable compression, select the Compress log files check box in the Options dialog box of the log file's Properties dialog box. Enabling log-file compression in ISA Server simply turns on native NTFS file compression for the individual log files (the log files must be on an NTFS partition), and you don't need to indicate this choice separately in NTFS; it's made for you automatically. Log-file compression is enabled by default, regardless of the log-file folder's compression state. Table 1 shows the naming convention used for these logs and highlights differences between logging formats.

By default, the text log files reside in the \%programfiles%\microsoft isa server\isalogs folder. However, you can specify an alternate folder location. If you specify a relative path, each server will log to its own ISA Server installation directory or an alternate location, such as \%systemdrive%\. If you specify an absolute path, the logs will be stored at that location.
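Once both services write W3C extended text files, the Web Proxy and Firewall Service log comparison described earlier can be scripted. The following Python example is added here and is not part of the original article or of ISA Server; the sample records are constructed, and the field names, the tab delimiter, and the literal "anonymous" username are assumptions to check against the #Fields line of your own logs.

```python
from datetime import datetime, timedelta

# Constructed sample records in tab-delimited W3C extended format. The field
# names and the "anonymous" marker are assumptions; check your own #Fields line.
WEB_PROXY_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: c-ip\tcs-username\tdate\ttime\tcs-uri",
    "10.0.0.5\tanonymous\t2001-06-01\t09:15:02\thttp://example.com/",
    "10.0.0.7\tanonymous\t2001-06-01\t09:16:40\thttp://example.org/",
    "10.0.0.9\tCORP\\alice\t2001-06-01\t09:17:00\thttp://example.net/",
])
FIREWALL_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: c-ip\tcs-username\tdate\ttime\tr-port",
    "10.0.0.5\tCORP\\bob\t2001-06-01\t09:15:01\t80",
    "10.0.0.7\tCORP\\carol\t2001-06-01\t08:00:00\t80",
])

def parse_w3c(text):
    """Return one dict per record, keyed by the names in the #Fields directive."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#"):
            values = line.split("\t")
            if len(values) != len(fields):
                continue  # skip truncated or malformed records
            row = dict(zip(fields, values))
            row["ts"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def attribute_anonymous(proxy_rows, fw_rows, window=timedelta(seconds=5)):
    """Pair each anonymous Web Proxy record with the Firewall log username
    seen from the same client IP closest in time, within `window`."""
    results = []
    for p in proxy_rows:
        if p["cs-username"].lower() != "anonymous":
            continue
        near = [f for f in fw_rows if f["c-ip"] == p["c-ip"]
                and abs(f["ts"] - p["ts"]) <= window]
        best = min(near, key=lambda f: abs(f["ts"] - p["ts"]), default=None)
        results.append((p["c-ip"], p["cs-uri"], best["cs-username"] if best else None))
    return results

if __name__ == "__main__":
    print(attribute_anonymous(parse_w3c(WEB_PROXY_LOG), parse_w3c(FIREWALL_LOG)))
```

A client IP shared by several users (a terminal server or a NAT device, for example) makes this attribution ambiguous, so treat a match as a lead rather than proof of identity.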

Logging to an ODBC Database
Writing ISA Server logs to an ODBC database is a handy method for accessing the data from custom reporting engines built with Active Server Pages (ASP) applications, ADO, or similar technologies. Microsoft includes three data files (fwsrv.sql, pf.sql, and w3proxy.sql) to create the correct tables and fields. These files reside in the installation directory (by default, \%programfiles%\microsoft isa server) or in the ISA directory on the ISA Server installation CD-ROM. Note that you must create a database to hold the tables before you run these scripts.

Follow these steps to enable ODBC logging with ISA Server (the steps refer to SQL Server 2000). Because the steps are quite basic, I recommend making adjustments as necessary to suit your company's SQL architecture or database security requirements. You might have to make minor changes to support other databases such as Access.

  1. Create a database to store your ISA Server logs. To do so, from Enterprise Manager, connect to your SQL Server and expand both the SQL Server Group and the name of the server on which you're creating the new database. Right-click Databases and select New Database. Name the database and select the location of the Data Files and Transaction Log. Click OK to create the new database. For this example, I name the database ISA and leave the defaults for the remaining settings.
  2. Next, run SQL Query Analyzer and change to Step 1's newly created ISA database. Open and execute each of the three .sql scripts to create the tables, fields, and indexes necessary to store the ISA Server logging data.
  3. Create a System Data Source Name (DSN) to connect ISA Server to the database. On Windows 2000 Server, go to the Start, Programs, Administrative Tools, Data Sources (ODBC) option and create a new System DSN. A sample DSN follows:
    • Type of DSN: System DSN
    • Driver: SQL Server
    • Name: ISA
    • Description: ISA Server
    • Server: [enter the network name of your ISA Server]
    • Authentication: Choose your authentication type. If you use SQL Authentication, enter the Login ID and Password for the SQL account that you'll use to access the database. If you have no other SQL users configured, you can use your sa account and password at this point and create a discrete user account after you verify that the logging works correctly.
    • Select the Change the default database to check box, then select the name of the database you created for ISA in Step 1.
    • For basic testing, you can accept the remaining defaults by clicking Next through the remaining dialog boxes. In the last dialog box, click Test Data Source to verify that the database connection is working.
  4. In the ISA Management snap-in, expand the Monitoring Configuration node, then click the Logs folder. Access Properties for the first service you want to configure.
  5. Select the Database option; enter the ODBC data source (DSN name) and the database table name for the service you're configuring. The .sql files you executed in Step 2 created the following table names for the services: PacketFilterLog, FirewallLog, and WebProxyLog. Finally, specify the user account required to access the database through the ODBC connection. For SQL Authentication, this is the user specified in Step 3 in the DSN.
  6. Repeat Steps 4 and 5 for each service displayed in the details pane that you want to redirect to SQL Server.