Logging formats

Article
09/26/2008

Logging formats

Log information can be stored in one of the following formats:

A local SQL Server Express 2005 database.
A remote SQL database
Text file

The following table compares the logging formats, which are detailed in the following sections.

Format	Features
File	Sequential logging to a text file has the following features: Provides the best performance of all logging methods. Logging is local, with no network bandwidth consumption. Log size is limited to 2 gigabytes (GB). Log maintenance feature enforces log size and cleans out log, as appropriate. Log failure stops the Firewall service. For more information, see Configuring logging to avoid lockdown. You can filter and view logs in real time (online). Filtering and viewing of historical data (offline) is not supported. File logging performs approximately two disk accesses for 10 megabits.
SQL Server Express 2005	Logging to a local SQL Server Express 2005 database provides the following features: Provides good performance. Logging is local, with no network bandwidth consumption. Log size is limited to 1.5 GB Log maintenance feature enforces log size and cleans out log, as appropriate. Log failure stops the Firewall service. For more information, see Configuring logging to avoid lockdown. Runs on the Forefront TMG computer. A SQL Server Express 2005 instance can only be accessed locally. You can filter and view logs in real time (online) or for historical data (offline). Consumes more disk resources than text file logging. SQL Server Express logging performs approximately two disk accesses for every megabit.
SQL	Logging to a remote SQL database provides the following features: Because logging is to a remote server, sufficient network bandwidth is required, preferably 1 GB connectivity between Forefront TMG and computers running SQL Server to accommodate the capacity of the log traffic. Network connections must utilize Internet Protocol security (IPsec) to secure the log records sent to the remote SQL database. With sufficient hardware, performance will be better than SQL Server Express logging. No limit to log size. This is configured by the user, based on retention and maintenance policy. The database administrator is responsible for log maintenance. Log failure stops the Firewall service. For more information, see Configuring logging to avoid lockdown. Account used for logging must have permissions on the computer running SQL Server. Data is encrypted on the connection to the computer running SQL Server. SQL Server and Forefront TMG are mutually authenticated. You can filter and view logs in real time (online) or for historical data (offline). Logging performance depends on: Number of Forefront TMG computers logging. SQL Server settings. Bandwidth allocation. On the Forefront TMG firewall, SQL logging consumes CPU resources somewhere between those used by SQL Server Express and file logging, and it uses almost no disk input/output (I/O).

File

Sequential logging to a text file has the following features:

Provides the best performance of all logging methods.
Logging is local, with no network bandwidth consumption.
Log size is limited to 2 gigabytes (GB).
Log maintenance feature enforces log size and cleans out log, as appropriate.
Log failure stops the Firewall service. For more information, see Configuring logging to avoid lockdown.
You can filter and view logs in real time (online). Filtering and viewing of historical data (offline) is not supported.
File logging performs approximately two disk accesses for 10 megabits.

SQL Server Express 2005

Logging to a local SQL Server Express 2005 database provides the following features:

Provides good performance.
Logging is local, with no network bandwidth consumption.
Log size is limited to 1.5 GB
Log maintenance feature enforces log size and cleans out log, as appropriate.
Log failure stops the Firewall service. For more information, see Configuring logging to avoid lockdown.
Runs on the Forefront TMG computer.
A SQL Server Express 2005 instance can only be accessed locally.
You can filter and view logs in real time (online) or for historical data (offline).
Consumes more disk resources than text file logging. SQL Server Express logging performs approximately two disk accesses for every megabit.

SQL

Logging to a remote SQL database provides the following features:

Because logging is to a remote server, sufficient network bandwidth is required, preferably 1 GB connectivity between Forefront TMG and computers running SQL Server to accommodate the capacity of the log traffic. Network connections must utilize Internet Protocol security (IPsec) to secure the log records sent to the remote SQL database.
With sufficient hardware, performance will be better than SQL Server Express logging.
No limit to log size. This is configured by the user, based on retention and maintenance policy.
The database administrator is responsible for log maintenance.
Log failure stops the Firewall service. For more information, see Configuring logging to avoid lockdown.
Account used for logging must have permissions on the computer running SQL Server.
Data is encrypted on the connection to the computer running SQL Server.
SQL Server and Forefront TMG are mutually authenticated.
You can filter and view logs in real time (online) or for historical data (offline).
Logging performance depends on:
- Number of Forefront TMG computers logging.
- SQL Server settings.
- Bandwidth allocation.
On the Forefront TMG firewall, SQL logging consumes CPU resources somewhere between those used by SQL Server Express and file logging, and it uses almost no disk input/output (I/O).

Logging formats

Logging formats

Additional resources