Querying the Forefront TMG logs

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

You can use the Forefront TMG log viewer to monitor and analyze traffic, and troubleshoot network activity. By default, the log viewer displays all log records for the Web Proxy log and Firewall log in real time as they occur, with each event displayed in the log viewer as soon as it is logged.

The following procedures describe how to run and manage log queries:

  • Configuring the query filter

  • Saving and loading log filter definitions

  • Saving log viewer data

  • Defining log viewer colors

  • Hiding IPv6 log viewer entries

Configuring the query filter

You can modify the default log filter conditions to display data that meets specific criteria. The log filter displays data that matches all of the filter conditions. Expressions are combined using the AND operator. You cannot remove the filter criteria in the default filter, but you can modify the condition and value for the filter criteria.

To configure the query filter

  1. In the Forefront TMG Management console, in the tree, click Logs & Reports.

  2. In the details pane, click the Logging tab.

  3. On the Tasks tab, click Edit Filter.

  4. In Filter by, select one of the log fields.

  5. In Condition and Value, specify the appropriate condition, and then click Add To List.

  6. Repeat steps 4 and 5 to add more conditions to the filter. Then, click Start Query.

  7. To remove an expression from the filter list, select the applicable expression in Show only entries that match these conditions, and then click Remove.

Saving and loading log filter definitions

After you define a log filter, you can save it as an .xml file for future use. It is useful to keep a set of saved queries, each focused on a different type of session. You can then load the saved filter definitions as required.

To save the filter

  1. In the Forefront TMG Management console, in the tree, click the Logs & Reports tab.

  2. In the details pane, click the Logging tab.

  3. On the Tasks tab, click Edit Filter.

  4. To save a filter definition, specify the filter parameters, and then click Save Filter. Then specify a name for the .xml file.

Note

You can also save a filter by clicking Save Filter Definitions in the Tasks tab.

To load the filter

  1. In the Forefront TMG Management console, in the tree, click the Logs & Reports tab.

  2. In the details pane, click the Logging tab.

  3. On the Tasks tab, click Edit Filter.

  4. Click Load Filter and select the .xml filter to load.

Note

You can also load a filter by clicking Load Filter Definitions in the Tasks tab.
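The filter semantics described under Configuring the query filter (one field/condition/value expression per line, all expressions combined with AND) and the save-and-load round trip described above can be modelled in a few lines. The following is an added example, not Forefront TMG code: it applies such conditions to constructed Web Proxy log records and serialises the definition to XML. The field names, the condition names (Equals, Not Equal, Contains, Greater or Equal, Less or Equal) and the XML element layout are all this example's own assumptions, not TMG's saved-filter file format.

```python
"""Added example, not Forefront TMG code: a small evaluator that applies
log-viewer style filter conditions (field, condition, value) to constructed
Web Proxy log records with AND semantics, and round-trips a filter
definition through an XML document of its own (hypothetical) layout."""
import xml.etree.ElementTree as ET

# Constructed sample records. Field names are assumed to resemble Web Proxy
# log columns; the values are invented for the example, not captured data.
SAMPLE_LOG = [
    {"Client IP": "10.0.0.5", "Destination Host": "www.example.com",
     "Action": "Allowed", "HTTP Status Code": 200},
    {"Client IP": "10.0.0.5", "Destination Host": "update.example.net",
     "Action": "Denied", "HTTP Status Code": 403},
    {"Client IP": "192.168.1.20", "Destination Host": "www.example.com",
     "Action": "Denied", "HTTP Status Code": 403},
    {"Client IP": "10.0.0.7", "Destination Host": "www.example.com",
     "Action": "Allowed", "HTTP Status Code": 304},
]


def _holds(condition, actual, expected):
    """Evaluate one condition. The condition names are assumptions
    modelled on the log viewer's Condition drop-down."""
    if condition == "Equals":
        return actual == expected
    if condition == "Not Equal":
        return actual != expected
    if condition == "Contains":
        return str(expected).lower() in str(actual).lower()
    if condition == "Greater or Equal":
        return actual >= expected
    if condition == "Less or Equal":
        return actual <= expected
    raise ValueError(f"unsupported condition: {condition!r}")


def matches(record, conditions):
    """True only if the record satisfies every (field, condition, value)
    expression: expressions are combined with AND, as in the log viewer.
    A record that lacks the field never matches."""
    return all(field in record and _holds(cond, record[field], value)
               for field, cond, value in conditions)


def run_query(records, conditions):
    """Return the records the filter lets through, in log order."""
    return [r for r in records if matches(r, conditions)]


def save_filter(conditions):
    """Serialise a filter to XML text. The element layout is this example's
    own; it is not Forefront TMG's saved-filter file format."""
    root = ET.Element("filter")
    for field, cond, value in conditions:
        elem = ET.SubElement(root, "condition", field=field, condition=cond,
                             type=type(value).__name__)
        elem.text = str(value)
    return ET.tostring(root, encoding="unicode")


def load_filter(xml_text):
    """Parse XML produced by save_filter back into condition tuples. Only
    known value types are accepted, so an edited or tampered filter file
    cannot request an arbitrary conversion."""
    casts = {"int": int, "str": str}
    conditions = []
    for elem in ET.fromstring(xml_text).findall("condition"):
        kind = elem.get("type")
        if kind not in casts:
            raise ValueError(f"unsupported value type in filter file: {kind!r}")
        conditions.append((elem.get("field"), elem.get("condition"),
                           casts[kind](elem.text or "")))
    return conditions


if __name__ == "__main__":
    # Show only denied requests from the constructed 10.0.0.0/24 clients.
    denied_from_lan = [("Action", "Equals", "Denied"),
                       ("Client IP", "Contains", "10.0.0.")]
    for rec in run_query(SAMPLE_LOG, denied_from_lan):
        print(rec)
    xml_text = save_filter(denied_from_lan)
    assert load_filter(xml_text) == denied_from_lan
```

Because every expression must hold, adding conditions can only narrow the result set; a record missing the filtered field is dropped rather than passed, which is the safer default when the goal is to spot denied or unexpected traffic. The loader checks the value type before converting, which is the kind of validation worth having when filter files are shared between administrators.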

Saving log viewer data

You can save the information displayed in the log viewer to a file by copying it to the Clipboard. You can choose to copy all results or only selected results.

To copy log information to the Clipboard

  1. In the Forefront TMG Management console, in the tree, click Logs & Reports.

  2. In the details pane, click the Logging tab.

  3. On the Tasks tab, click Start Query. When required, click Stop Query.

  4. To copy all of the information to the Clipboard, click Copy All Results to Clipboard.

  5. To copy partial information, do the following:

    • To select adjacent log entries, click the first log entry, and then hold down the CTRL key and click additional items. Then click Copy Selected Results to Clipboard.

    • To select nonadjacent log entries, click the first log entry, and then hold down the CTRL key and click additional items. Then click Copy Selected Results to Clipboard.

  6. After copying the data to the Clipboard, you can copy the information into an appropriate application for analysis.

Defining log viewer colors

To help distinguish between rows in the log viewer results pane, you can use color coding for easier analysis of log viewer output. You can use a default color scheme or apply your own colors. Colors can be applied to predefined common log filter actions.

After you define the text colors, you can save the color scheme by exporting it to an .xml file. Use the following procedures to define colors, to export a color scheme, and to import a color scheme.

To define log viewer colors

  1. In the Forefront TMG Management console, in the tree, click Logs & Reports.

  2. In the details pane, click the Logging tab.

  3. On the Tasks tab, click Define Log Text Colors.

  4. In the Define Log Text Colors dialog box, click the Color button for the Action type you would like to change.

  5. In the Color dialog box, select a color, and then click Save.

  6. Click OK to apply the changes and close the Define Log Text Colors dialog box.

To export a color scheme

  1. In the Forefront TMG Management console, in the tree, click Logs & Reports.

  2. In the details pane, click the Logging tab.

  3. In the Define Log Text Colors dialog box, click the Export Color Scheme button.

  4. In the Export Color Definitions dialog box, select the folder and file name, and then click Save.

To import a color scheme

  1. In the Forefront TMG Management console, in the tree, click Logs & Reports.

  2. In the details pane, click the Logging tab.

  3. On the Tasks tab, click Define Log Text Colors.

  4. In the Define Log Text Colors dialog box, click the Import Color Scheme button.

  5. In the Import Color Definitions dialog box, select the folder and file name, and then click Load.

Hiding IPv6 log viewer entries

If you are using IPv4, you can hide IPv6 log entries to streamline log results. Note that, by default, Forefront TMG blocks all IPv6 traffic. For more information, see System requirements for Forefront TMG.

To hide IPv6 entries

  1. In the Forefront TMG Management console, in the tree, click Logs & Reports.

  2. In the details pane, click the Logging tab.

  3. On the Tasks tab, do the following:

    • To hide the entries, click Hide IPv6 log entries.

    • To show the entries, click Show IPv6 log entries.

Concepts

Configuring Forefront TMG logs