
Filtering the diagnostic log

Published: November 15, 2009

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

When viewing diagnostic logging, you can filter logging events and search for specific information. You can filter for a specific request and query the results of traffic simulator output.

Important:
To distinguish the current view of the diagnostic logging events, the top section of the logging results pane displays a status line that includes the following information:

Server

Context ID

Message Contains

A context ID is a random 8-digit hex number that represents a Forefront TMG operation, such as a TCP or UDP connection, an HTTP session or request, or a virtual private network (VPN) client connection. When you run the traffic simulator and choose to view the diagnostic logging, the context ID is displayed automatically in the diagnostic logging results pane. Contexts can be nested. For example, one HTTP session may contain several HTTP requests, one after the other, and this nesting is reflected in the context column. If there is one HTTP session (context=00000001) that carries two HTTP requests (context=00000002, 00000003), the contexts appear in diagnostic logging as follows:

00000001 (message relating to the connection)

00000001 00000002 (message relating to request 2)

(...)

00000001 00000002 (message relating to request 2)

00000001 00000003 (message relating to request 3)

(...)

00000001 00000003 (message relating to request 3)

The following procedures describe how to identify a context ID in the logs manually, and how to filter for diagnostic logging events.

To identify a context ID manually, do the following:

  1. In the Forefront TMG Management console, click the Monitoring node.

  2. Click Start Query to start logging without filtering on specific criteria.

  3. To filter using specific criteria, click Edit Filter to specify that the query should run with specific parameters such as Rule or Destination IP. Then click Start Query to start logging based on filter criteria.

  4. In the Forefront TMG Management console, in the tree, click the Logs & Reports node.

  5. On the Logging tab, right-click one of the column headings for the log entries, and then click Add/Remove Columns.

  6. In the Available Columns list, select Filter Information, and then click Add.

  7. When Filter Information appears in the Displayed Columns list, click OK to close the Add/Remove Columns dialog box.

  8. In the Filter Information properties displayed for the rule, make a note of the Req ID property for the required rule. This is the context ID.

To filter diagnostic logging events, do the following:

  1. In the Forefront TMG Management console, in the Troubleshooting node, click the Diagnostic Logging tab.

  2. To filter by message string, in the Message contains box, enter the message string that is contained in the message of the event log.

    Note:
    The query matches the message string as a whole phrase, even if it contains spaces. For example, if the string in Message contains is "Hello World", the query searches for the whole string "Hello World", not for "Hello" and "World" separately.

  3. To filter by context, in the Context contains box, enter the context ID of the events you are searching for. The context IDs that are generated by the traffic simulator have the prefix FFF.

    Note:
    You can filter by one or both options.

  4. Select the server on which the events you want to view originated.
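As an added illustration of the two filters in this procedure and of the nested-context layout shown earlier, the following Python snippet (written for this page, not part of Forefront TMG or its documentation) parses constructed diagnostic log lines into their context chain and message, then applies a context filter that also returns nested requests and a whole-phrase message filter. The sample lines, the `Entry` type and the function names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the nested-context layout shown above: one HTTP session
# (00000001) with two requests (00000002, 00000003), plus a traffic-simulator
# context with the FFF prefix. These lines are made up, not real TMG output.
SAMPLE_LOG = """\
00000001 Connection accepted from client
00000001 00000002 Request 2: Hello World received
00000001 00000002 Request 2: rule match evaluated
00000001 00000003 Request 3: Hello to the World
00000001 00000003 Request 3: World Hello
FFF00010 Traffic simulator: simulated request started
FFF00010 FFF00011 Simulated request Hello World allowed
"""

@dataclass
class Entry:
    contexts: tuple  # context chain, outermost (session) first, innermost last
    message: str

_CTX = re.compile(r"^[0-9A-Fa-f]{8}$")  # context IDs are 8-digit hex numbers

def parse_log(text):
    """Split each line into its leading chain of context IDs and the message."""
    entries = []
    for line in text.splitlines():
        tokens = line.split(" ")
        ctx = []
        while tokens and _CTX.match(tokens[0]):
            ctx.append(tokens.pop(0).upper())
        entries.append(Entry(tuple(ctx), " ".join(tokens)))
    return entries

def filter_entries(entries, context=None, message_contains=None):
    """Apply one or both filters. A context ID matches anywhere in the chain,
    so a session ID also returns its nested requests; message_contains is a
    whole-phrase match ("Hello World" is not "Hello" and "World")."""
    out = []
    for e in entries:
        if context is not None and context.upper() not in e.contexts:
            continue
        if message_contains is not None and message_contains not in e.message:
            continue
        out.append(e)
    return out
```

Filtering on the session context 00000001 returns the connection line and every request nested under it, while "Hello World" matches only the two lines that carry that exact phrase.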
