ISA Server Alerts, Reports, and Logs FAQ

 

This frequently asked questions (FAQ) document provides answers to questions commonly asked about Microsoft® Internet Security and Acceleration (ISA) Server monitoring functions—alerts, logs, and reports.


Alerts

Q. What settings can I specify for ISA Server alerts?

A.

You can select what events and conditions trigger an alert, from a predefined list of events and conditions. In an array configuration, you can limit this setting to a particular server in an array.
You can set alert thresholds, including:

  • How many times per second an event should occur before an alert is issued (event frequency threshold).
  • How many events should occur before the alert is issued.
  • How long to wait before issuing the alert again.

You can specify actions to be taken when an alert occurs, including:

  • Send an e-mail message.
  • Run an application, script, or batch file. You can specify that the application should run under the local system account, or under a specified user account with a password. In an array environment, the path specified for the application, script, or batch file must exist on all servers in the array.
  • Log the event in the event log viewer.
  • Stop or start any ISA Server service, including the Firewall service, the Web Proxy service, and the Scheduled Content download service.
  • Configure credentials that should be used when action is taken, including executing an application. The specified user account requires Logon as batch job privileges.

Q. How do I know which ISA Server events can trigger an alert?

A. ISA Server provides a number of predefined alerts, or you can create your own. When you run the New Alert Wizard, you will see a list of events you can choose from for creating an alert. To read more about alerts and events that can trigger them, see Configuring alerts in the ISA Server product documentation.

Q. How can I configure an e-mail message to be sent to the ISA Server administrator when an alert is triggered?

A.
  1. In ISA Management, click the name of your ISA Server computer. Click to expand Monitoring Configuration, right-click Alerts, point to New, and then click Alert.
  2. In the New Alert Wizard, type a name for the alert, and then click Next.
  3. In Events and Conditions, in Events, select the event that will trigger the alert. If the event you have chosen has an additional condition to refine the event, select it in Additional condition. Then click Next.
  4. In Actions, select Send an e-mail message, and any other actions you require, and then click Next.
  5. In Sending e-mail messages, do the following:
    • In SMTP server, type (or browse for) an SMTP server from which e-mail messages will be sent. Note that if you select an external SMTP server outside your network, you will need a packet filter to allow the SMTP protocol through ISA Server.
    • In From, type the e-mail address from which the mail should be sent.
    • In To, type the e-mail address of the person who should be contacted when the alert is triggered.
    • In Cc, type the e-mail address of the person to whom a copy of the message should be sent. You can also send a copy to your cellular phone by specifying an SMS gateway address. Then click Next.
  6. If you have specified other actions, such as running an application or a batch file, specify the program and the user account that should be used to run it. Remember that the specified user must have Logon as batch job permissions. Then click Next.
  7. If you have enabled specific services to stop when the alert is triggered, in Stopping Services, select the services to stop. Then click Next.
  8. If you have enabled specific services to start when the alert is triggered, in Starting Services, select the services to start. Then click Next.
  9. Click Finish to complete the wizard.



Reports

Q. Why can’t I view reports for the current day?

A. ISA Server creates reports from log summaries. By default, the daily summary log process runs at 12:30 A.M., regardless of whether you have scheduled reports. Reports are then created from those logs. So, even if you request a report immediately, the current day’s data will not appear until 12:30 A.M. the next day.

Q. My reports are displaying only IP addresses, instead of user names. How can I configure them to display user names?

A. The way in which reports record information depends on how you created the rule sets that make up the report. For example, if you enable a Web proxy rule and allow access using a client set, ISA Server will record IP address information in the reports.

Q. Logs are working, but my reports are not running. What can I do?

A. After you have enabled logging, you must enable the report mechanism, and then enable daily and monthly report gathering. After these settings are enabled, you can create a scheduled report job and view reports. For instructions, see Microsoft Knowledge Base article 302538.

Q. Why do “unknown” protocols appear in my reports?

A. Any protocol that is not one of the ISA Server predefined protocols appears as unknown in ISA Server reports. For more information about ISA Server’s predefined protocol definitions, see Configuring protocol definitions in the ISA Server product documentation.

Q. My reports are appearing in Coordinated Universal Time (Greenwich Mean Time), but I want them to appear in the time zone configured for the ISA Server settings. How can I do this?

A. Set your logs to use ISA Format instead of W3C Format. For more information, see Logging to a file in the ISA Server product documentation.

Q. I want a report for a published IIS server behind my ISA Server computer. But in the logs, only the internal IP address of the ISA Server computer appears. How can I see the IP address of the client who made the Web request?

A. This occurs when you use Web publishing. The source IP address in the host header is changed to the IP address of the ISA Server internal interface, when a request is forwarded to the published server by the Web Proxy service. Thus, you cannot log the requesting host’s IP address. To log the requesting host’s original IP address, use server publishing.

Q. How can I see report information for an individual user?

A. The reports generated by ISA Server are summary usage reports. The ISA Server Firewall service and Web Proxy service logs contain detailed usage statistics, and you may be able to generate detailed reporting by exporting this log information. There are also third-party ISA Server add-ons available that will generate detailed reports, including individual user information.

Q. When configuring my ISA Server Report jobs, I selected “Generate once a month” to schedule my Report jobs once a month. However, reports are not generated for every month. Why is this?

A. When selecting “Generate once a month,” you may have selected the 31st as the date. Reports are only generated after the previous day and not all months have a 31st. Changing the date to the 1st will generate a report for every month, and the report will be generated the day after the month completes.

Logs

Q. How do I enable user names to appear instead of anonymous in logs?

A.

To log traffic for outgoing requests, you must configure your ISA Server to require authentication, and then give users some means to authenticate, or ISA Server will block them. For Firewall clients, the credentials are passed to the ISA Server computer, and the user information is authenticated. For Web Proxy clients, you must enable outbound authentication to require a password for HTTP or HTTPS. To do this:

  1. In ISA Management, under Servers and Array, right-click the name of the ISA Server or array, and then select Properties.
  2. On the Outgoing Web Requests tab, in Connections, select Ask unauthenticated users for identification.
  3. Stop and restart the Web Proxy service when prompted.
  4. User names will then be listed in the report with their domain details. SecureNAT clients cannot authenticate, but you can create client address sets and apply rules to them to control their Internet access.



Q. I require authentication for outgoing access, so why are anonymous entries appearing in my log?

A. Before a user is authenticated, the browser attempts two anonymous connections for each resource. ISA Server responds with a “407 - proxy authentication required” message. Then, a third connection request is made with authentication. This entire process is logged by ISA Server, including the anonymous connection requests.
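The handshake described above can be separated from other anonymous entries when reviewing a log. The following is an added example, not part of the original FAQ or of ISA Server; the field names (c-ip, cs-username, cs-uri, sc-status), the helper names, and the sample records are assumptions constructed for illustration.

```python
from collections import Counter

def rec(ip, user, uri, status):
    """Build one constructed log record (field names are assumptions)."""
    return {"c-ip": ip, "cs-username": user, "cs-uri": uri, "sc-status": status}

# Constructed records, in the order they would appear in the log.
SAMPLE = [
    rec("192.0.2.10", "anonymous", "http://example.com/", "407"),
    rec("192.0.2.10", "anonymous", "http://example.com/", "407"),
    rec("192.0.2.10", "CORP\\alice", "http://example.com/", "200"),
    rec("192.0.2.20", "anonymous", "http://example.org/a", "407"),
    rec("192.0.2.30", "anonymous", "http://example.net/", "200"),
]

def triage_anonymous(records):
    """Split anonymous entries into three groups:
    handshake   - 407 challenges later followed by an authenticated request
                  from the same client for the same resource (expected noise)
    unanswered  - 407 challenges never followed by an authenticated request
    unexplained - anonymous entries that are not 407 challenges at all
    """
    pending = Counter()  # (client, resource) -> open 407 challenges
    result = {"handshake": 0, "unanswered": [], "unexplained": []}
    for r in records:
        key = (r["c-ip"], r["cs-uri"])
        anonymous = (r["cs-username"] or "").lower() == "anonymous"
        if anonymous and r["sc-status"] == "407":
            pending[key] += 1
        elif anonymous:
            result["unexplained"].append(r)
        else:
            # An authenticated request closes the challenges that preceded it.
            result["handshake"] += pending.pop(key, 0)
    result["unanswered"] = sorted(pending)
    return result

if __name__ == "__main__":
    print(triage_anonymous(SAMPLE))
```

Entries in the unexplained group are the ones the 407 handshake does not account for and are worth checking against the access rules that apply to that client.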

Q. How can I configure logging in ISA Server?

A.

You can configure logging for the following ISA Server components:

  • Packet filters
  • Firewall service
  • Web Proxy service

You can specify the following types of logging:

  • Logging to a file: When logging to a file, you can choose to compress the log files, and specify a maximum number of log files for a stand-alone ISA Server or an array.
  • Logging to a database: You can log to any ODBC-compliant database.

You can configure logging as follows:

  • Configure logging for a specific service
  • Select specific fields for logging
  • Select to log packets from allow packet filters, deny packet filters, or both

For instructions on configuring logging, see Microsoft Knowledge Base article 302372.

Q. Extensive CPU resources and large amounts of disk space are being used, and an ISA Server process called Dailysum.exe seems to be consuming large amounts of memory. I can also see large files in the ISALogs folder. When I try and stop this process, an “Access denied” error message appears. What can I do?

A. Dailysum.exe is an ISA Server reports component that runs at midnight every day, by default, even if no reports are specified. If ISA Server log files are corrupted, it might continue running. To resolve this issue, see Microsoft Knowledge Base article 305712.

Q. When configuring logging, I have two format options available when saving the log as a file—W3C extended log file format and ISA Server file format. What’s the difference?

A. The W3C extended log file format is compatible with reporting applications that recognize the World Wide Web Consortium (W3C) format. The W3C format contains data and information that describes the version, date, and logged fields. ISA Server does not log the unselected fields. This format uses the tab character as a delimiter, and the date and time fields are in Coordinated Universal Time (Greenwich Mean Time).

Use the ISA Server file format when you use a reporting application that can interpret ISA Server logs. The ISA Server format contains only data with no information about the data format. ISA Server always logs all of the fields. ISA Server logs the unselected fields as dashes to indicate that they are empty. This format uses the comma character as a delimiter, and the date and time fields are in the local time.
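The differences between the two formats, including the time zone difference noted in the Reports section, matter when logs from both are merged for analysis. The following parser is an added example, not part of the original FAQ or of ISA Server. The sample lines, the field names, the ISA-format column order, the date layout, and the fixed UTC offset (which ignores daylight saving changes) are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed samples. Field names, values and the ISA-format column order are
# assumptions for illustration; take the real order from your logging settings.
W3C_SAMPLE = (
    "#Version: 1.0\n"
    "#Date: 2002-03-01 09:15:02\n"
    "#Fields: c-ip\tcs-username\tdate\ttime\tsc-status\n"
    "192.0.2.10\tanonymous\t2002-03-01\t09:15:02\t407\n"
    "192.0.2.10\tCORP\\alice\t2002-03-01\t09:15:03\t200\n"
)
ISA_FIELDS = ["c-ip", "cs-username", "date", "time", "cs-uri", "sc-status"]
ISA_SAMPLE = (
    "192.0.2.10,anonymous,2002-03-01,04:15:02,-,407\n"
    "192.0.2.10,CORP\\alice,2002-03-01,04:15:03,-,200\n"
)

def parse_log(text, isa_fields=None, local_utc_offset_hours=0,
              stamp_fmt="%Y-%m-%d %H:%M:%S"):
    """Parse either file format into dicts with an added 'timestamp_utc'."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    is_w3c = any(ln.startswith("#Fields:") for ln in lines)
    if is_w3c:
        # Self-describing, tab-delimited, times already in UTC.
        delim, fields, tz = "\t", None, timezone.utc
    else:
        # No header: the caller supplies the column order; times are local.
        if not isa_fields:
            raise ValueError("ISA format has no header; pass isa_fields")
        delim, fields = ",", list(isa_fields)
        tz = timezone(timedelta(hours=local_utc_offset_hours))
    records = []
    for ln in lines:
        if ln.startswith("#"):
            if ln.startswith("#Fields:"):  # column names for the rows below
                fields = ln[len("#Fields:"):].split()
            continue
        values = ln.split(delim)  # assumes no delimiter embedded in a value
        if fields is None or len(values) != len(fields):
            raise ValueError(f"column count mismatch: {ln!r}")
        rec = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        stamp = None
        if rec.get("date") and rec.get("time"):
            local = datetime.strptime(f"{rec['date']} {rec['time']}", stamp_fmt)
            stamp = local.replace(tzinfo=tz).astimezone(timezone.utc)
        rec["timestamp_utc"] = stamp
        records.append(rec)
    return records
```

With the constructed samples, a field left unselected is absent from the W3C records but present as an empty value in the ISA-format records, and both sets of records carry the same UTC timestamp once the local offset is applied.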
