ISA Server 2004 FAQ: Monitoring and Logging

This frequently asked questions (FAQ) document provides answers to questions commonly asked about monitoring, logging and reporting in Microsoft® Internet Security and Acceleration (ISA) Server 2004.

Q

Why do I see 0.0.0.0 entries for destination hosts in my Web log?

A

Sometimes only a URL is available for the destination host, and in this case, the IP address appears as 0.0.0.0. This happens when a request has been denied and no DNS name resolution lookup was performed for it.

Q

Why do I see fields displayed in the Firewall and Web Proxy logs, even when I have not selected those fields to display in the log?

A

This is a known issue, and certain fields are displayed even though they are not selected in the logging configuration. In the Firewall logs, the following fields are logged:

  • Action
  • Server
  • Resultcode

In the Web Proxy logs, the following fields are logged:

  • Server Name
  • Transport
  • Bytes Received
  • Bytes Sent
  • Service
  • Authenticated Client
  • HTTP Status Code
  • Action

Q

In the log files I see a client user name marked with a question mark (?). What does this mean?

A

The question mark indicates that the client user name has not been authenticated. This happens when a request arrives from a Firewall client, but the firewall policy does not require authentication. The Firewall client always sends the user name, and therefore it is always logged.

Q

How can I manually delete log files in MSDE mode?

A

You can use the following SQL statement, which drops the database from the MSDE instance and deletes its files from disk:

  • DROP DATABASE <name>

Q

I have tried connecting to MSDE on the ISA Server 2004 computer with either a DSN or with Enterprise Manager from another computer. Why does this fail?

A

The MSDE instance used by ISA Server 2004 has network protocols disabled, and you cannot connect to it remotely. You can only connect using Enterprise Manager when Enterprise Manager is installed on the ISA Server computer.

Q

My reports seem to be scheduled and running correctly, but have no data in them. What could be wrong?

A

Reports can be saved from Internet Explorer only on the computer running ISA Server Management. On any other computer, the report shows either empty data or empty frames with a message that the "Page cannot be displayed."

Q

What happens if I configure my ISA Server computer to log to SQL, and the database file becomes full?

A

A "log failure" alert is issued, and the service will stop.

Q

How can I see a report on the current day's activity, rather than from yesterday?

A

ISA Server reports are based on a daily summary task, which runs once a day by default at 00:30 (12:30 A.M.) and summarizes the data in the logs for fast report generation. Because the reports are not available before the daily summary runs, you can only view reports for the previous day.

Q

I have blocked anonymous access, but the logs show requests from anonymous users. Why?

A

The user sends an anonymous request. ISA Server responds with a 407 error and terminates the connection. An anonymous request is logged.

The user sends the same request with Keep-Alive and NTLM authentication user information. ISA Server responds again with a 407 error, this time with an authentication challenge. The connection is not terminated. Another anonymous request is logged.

The user sends the same request with the authentication response. Now the request is authenticated and served.

If anonymous log entries are followed by requests from an actual, authenticated user, the reason is probably this challenge sequence. If not, check your configuration settings.

Q

User names are not showing up in the log file. What is wrong?

A

ISA Server does not always require that clients authenticate themselves. If not authenticated, they are granted anonymous access, and authentication information is not logged. You can require that users always authenticate themselves.

Q

The logs are overflowing. How can I reduce this?

A

When you create a rule, any requests that match the rule are logged by default. The Default Rule denies all traffic, and any requests not specifically allowed by the rule will be logged. This can fill your log quickly. Look at your log data. If you notice a large amount of data from a specific protocol or source, create a new rule for that type of traffic, and do not require logging.

Q

There seem to be more current users (according to the Firewall service performance counters) than sessions (in the Sessions view of ISA Server Management). Why?

A

ISA Server considers a session a unique combination of IP address and user name. A connection is considered a new session from a given IP address only if a unique user logs on. System Monitor, in contrast to ISA Server, counts all connections.

Q

Why does ISA Server not run an action defined for an alert?

A

Read the document entitled Troubleshooting Alert Action Failures, available from the Guides and Articles page on the ISA Server website.

Q

Every time I restart the Microsoft Firewall service a new Firewall Log and Web Proxy Log database is created. Why is this?

A

This is by design and does not affect logging or log viewing. These databases are empty and will eventually be deleted in accordance with database maintenance policy.

Q

Why is the link in my daily e-mail report broken? The report location is correct, but the link does not work.

A

This is a known limitation. To work around this issue and get the link working, publish the report to a path that does not contain spaces. The report name should not contain spaces either, because the folder name is determined by the report name.

Q

When do URLs appear in the logs?

A

URLs appear in the Web Proxy logs for all Web requests.

Q

In the daily report I see the IP address of websites visited, and not the resolved name. How can I ensure the name is displayed in the report?

A

Only clients that are configured as Web Proxy clients resolve sites through the ISA Server computer. Other clients handle name resolution themselves, and so the ISA Server computer only knows about the IP address. Ensure that the required clients are configured as Web Proxy clients.

Q

The Firewall service (Wspsrv.exe) process seems to be leaking memory slightly. What might cause this?

A

A handle leak may occur in the SQL Server process when the Firewall service connects and disconnects from an MSDE database. ISA Server creates and closes connections every time a new database is created. Each log database has three associated connections, and there are at least two databases per day (Firewall logs and Web Proxy logs). For more information about this leak, see Microsoft Knowledge Base article 37748.

Q

The Firewall service does not start and the following alert is issued: "The Microsoft Firewall was unable to connect to the MSDE database". What is wrong?

A

The database needs to be deleted manually. For more details, see the preceding item about deleting a database.

Q

What time format is used in ISA Server logs and reports?

A

The following time formats are used:

  • Text log files (ISA Server file format). Local time.
  • Text log files (W3C extended log file format). Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT).
  • MSDE log files. Local time.
  • SQL (ODBC) logs. Coordinated Universal Time (UTC).

Reports are created in local time. Note that different time formats do not affect reporting accuracy.

Q

What is new in client session counters in ISA Server 2004?

A

ISA Server lists client sessions, including Firewall clients, SecureNAT, and Web Proxy clients. Unlike ISA Server 2000, ISA Server 2004 does not separate out session counters for all client types, and active sessions are accounted for by the Firewall service. With this configuration, note the following:

  • Web Proxy sessions have a corresponding SecureNAT session, one SecureNAT session for all Web Proxy sessions from a particular computer.
  • Firewall clients have a corresponding SecureNAT session. For a computer with Firewall Client installed, there will be a SecureNAT session, as well as a Firewall client session, for that computer.
  • If a computer has both Web Proxy and Firewall client sessions, there will only be one SecureNAT session for it, because it is defined per computer.

Q

Can logs be saved in an alternate location?

A

By default, ISA Server log files in a file format or MSDE 2000 format are saved in the ISALogs folder of the ISA Server installation folder. You can specify an alternative log file location, including an environment variable such as %logDirectory%. If the specified folder does not exist, ISA Server will warn you that the specified location is not valid and will try to create the folder. For any alternative logging folder, the Network Service account must have read permissions on the root of the partition and on every parent folder of the logging folder. On the logging folder itself, the following permissions are required:

  • Network Service: Full Control
  • System: Full Control
  • Administrators: Full Control

If you change the log folder location and do not set the correct permissions, the following error event may be issued in the Event Viewer:

  • Event ID 11002: Microsoft Firewall failed to start. The failure occurred during creation of logging module because the configuration property PropertyName is not valid.

[Topic Last Modified: 12/16/2008]