Configuring Forefront TMG logs
This section provides information about configuring and maintaining logs, and running log queries.
- Microsoft Forefront Threat Management Gateway provides a number of logging formats, including logging to a text file, a local SQL Server Express database, and a remote SQL Server computer. For information about selecting a logging mechanism, and configuring a log location and maintenance policy, see Configuring logging.
- Because Forefront TMG is deployed to help secure your network, it is critical that logging information is always available and accurate. You should carefully monitor alerts and verify that their activity is always being logged. Check for alerts that indicate failure to log for a variety of reasons, including disk space, SQL Server connectivity issues, and others. For more information, see Configuring logging to avoid lockdown. Forefront TMG provides a log queue feature to help ensure log availability during peak logging. For more information, see Configuring the log queue.
- You can configure and run log queries to monitor and analyze traffic. For instructions, see Querying the Forefront TMG logs.
The following table summarizes default log settings following installation:
Setting | Details | Defaults |
---|---|---|
Firewall log | Logs traffic handled by the Firewall service | Enabled by default to log to SQL 2005 Express database on the local computer. |
Web proxy log | Logs traffic handled by the Web proxy filter | Enabled by default to log to SQL 2005 Express database on the local computer. |
Log folder | Location of log files | By default in the ISALogs folder of the Forefront TMG installation directory |
Log limits | Management of log file size | Default settings: Total size limit=8GB; Free disk size to maintain=512MB; Maintenance method: Delete files as necessary; Delete files older than=7 days |
Log queue | The log queue is used to temporarily store log entries when they cannot be formatted. This may occur when log entries are generated faster than they can be formatted, or there is no connectivity to a remote SQL Server database. | By default the log queue is stored in the ISALogs folder of the Forefront TMG installation folder. |
Alerts | The alerts service notifies you when specific events occur. | All log-related alerts are enabled by default |
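
The default log limits in the table can be checked against the log folder on disk, as a complement to watching the log-related alerts. The following PowerShell function is an added example, not part of the original documentation or of Forefront TMG; the name `Test-TmgLogFolder` and its parameters are hypothetical, and it assumes the log folder is on a local drive-letter path that you supply.

```powershell
# Added example: compare a log folder with the default log limits listed in the table.
# Test-TmgLogFolder and its parameter names are hypothetical. -Path has no default
# because the Forefront TMG installation directory differs per deployment.
function Test-TmgLogFolder {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [long]$TotalSizeLimitBytes = 8GB,   # table default: total size limit
        [long]$MinFreeBytes = 512MB,        # table default: free disk size to maintain
        [int]$MaxAgeDays = 7                # table default: delete files older than
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Log folder not found: $Path"
    }
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    # All files under the folder. By default the log queue shares this folder,
    # so the total is an upper bound on the space used by the log files alone.
    $files = @(Get-ChildItem -LiteralPath $full -Recurse -Force |
        Where-Object { -not $_.PSIsContainer })
    $totalBytes = [long]0
    foreach ($f in $files) { $totalBytes += $f.Length }

    # Files older than the retention period that maintenance has not removed.
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    $stale = @($files | Where-Object { $_.LastWriteTime -lt $cutoff })

    # Free space on the volume that holds the folder (local drive assumed).
    $root = [System.IO.Path]::GetPathRoot($full)
    $drive = New-Object System.IO.DriveInfo -ArgumentList $root
    $freeBytes = $drive.AvailableFreeSpace

    $overSize = $totalBytes -gt $TotalSizeLimitBytes
    $lowFree = $freeBytes -lt $MinFreeBytes
    New-Object PSObject -Property @{
        Path           = $full
        TotalBytes     = $totalBytes
        OverSizeLimit  = $overSize
        FreeBytes      = $freeBytes
        BelowFreeFloor = $lowFree
        StaleFileCount = $stale.Count
        WithinLimits   = (-not $overSize) -and (-not $lowFree) -and ($stale.Count -eq 0)
    }
}

# Usage (substitute the real installation directory):
# Test-TmgLogFolder -Path '<Forefront TMG installation directory>\ISALogs'
```

If the limits have been changed from the defaults, pass the configured values through the parameters so the result reflects the actual maintenance policy.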