Configuring Forefront TMG logs

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG provides a number of logging formats, including logging to a text file, a local SQL Server Express database, and a remote SQL Server computer. Because Forefront TMG is deployed to help secure your network, it is critical that logging information is always available and accurate. You should carefully monitor alerts and verify that their activity is always being logged. Forefront TMG provides a log queue feature to help ensure log availability during peak logging.

Check for alerts that indicate failure to log for a variety of reasons, including disk space, SQL Server connectivity issues, and others.

The following table summarizes the default log settings following installation:

| Setting | Details | Defaults |
| --- | --- | --- |
| Firewall log | Logs traffic handled by the Firewall service | Enabled by default to log into the SQL Express database on the local computer. |
| Web proxy log | Logs traffic handled by the Web proxy filter | Enabled by default to log into the SQL Express database on the local computer. |
| Log folder | Location of log files | By default in the ISALogs folder of the Forefront TMG installation directory |
| Log limits | Management of log file size | Default settings: Total size limit=8GB; Free disk size to maintain=512MB; Maintenance method: Delete files as necessary; Delete files older than=7 days |
| Log queue | The log queue is used to temporarily store log entries when they cannot be formatted. This may occur when log entries are generated faster than they can be formatted, or there is no connectivity to a remote SQL Server database. | By default the log queue is stored in the ISALogs folder of the Forefront TMG installation folder. |
| Alerts | The alerts service notifies you when specific events occur. | All log-related alerts are enabled by default |
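
The following PowerShell check is an added example, not part of the original page or of Forefront TMG. It compares a log folder against the default log limits listed above and flags a folder that has stopped receiving writes. The folder path, the 60-minute idle threshold and the 90% near-limit ratio are assumptions; pass the ISALogs path of your installation as -LogFolder.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$LogFolder,  # assumption: local path to the ISALogs folder
    [double]$TotalSizeLimitGB = 8,    # table default: Total size limit
    [double]$MinFreeDiskMB    = 512,  # table default: Free disk size to maintain
    [int]$MaxAgeDays          = 7,    # table default: Delete files older than
    [int]$StaleMinutes        = 60,   # assumption: a quiet period longer than this is worth a look
    [double]$NearLimitRatio   = 0.9   # assumption: "near the limit" means 90% of it
)

if (-not (Test-Path -LiteralPath $LogFolder -PathType Container)) {
    throw "Log folder not found: $LogFolder"
}
$folder = (Get-Item -LiteralPath $LogFolder).FullName

# Enumerate files without the -File switch so this also runs on PowerShell 2.0.
$files = @(Get-ChildItem -LiteralPath $folder -Recurse | Where-Object { -not $_.PSIsContainer })
$totalBytes = 0
foreach ($f in $files) { $totalBytes += $f.Length }

# Free space on the volume that holds the folder (drive-letter paths only).
$drive  = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($folder))
$freeMB = $drive.AvailableFreeSpace / 1MB

$now      = Get-Date
$sorted   = @($files | Sort-Object LastWriteTime)
$findings = @()

if ($sorted.Count -eq 0) {
    $findings += "No files in the log folder: nothing is being written here."
} else {
    $oldestDays = ($now - $sorted[0].LastWriteTime).TotalDays
    $idleMin    = ($now - $sorted[-1].LastWriteTime).TotalMinutes
    $nearLimit  = ($totalBytes / 1GB) -ge ($TotalSizeLimitGB * $NearLimitRatio)

    if ($idleMin -gt $StaleMinutes) {
        $findings += "Newest file was last written {0:N0} minutes ago; check for logging failure alerts." -f $idleMin
    }
    if ($nearLimit -and $oldestDays -lt $MaxAgeDays) {
        $findings += "Folder is near the size limit and the oldest file is {0:N1} days old; files may be deleted before {1} days." -f $oldestDays, $MaxAgeDays
    }
}
if ($freeMB -lt $MinFreeDiskMB) {
    $findings += "Free disk space is {0:N0} MB, below the {1:N0} MB to maintain." -f $freeMB, $MinFreeDiskMB
}

"Log folder: {0}  size: {1:N2} GB  files: {2}  free: {3:N0} MB" -f $folder, ($totalBytes / 1GB), $sorted.Count, $freeMB
if ($findings.Count -eq 0) { "OK: no findings." } else { $findings | ForEach-Object { "WARN: $_" } }
```

If you changed the log limits from their defaults, pass the configured values as parameters so the check matches your deployment.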

The following topics provide information that can help you configure and maintain logs and run log queries:

Concepts

Monitoring Forefront TMG