Querying the logs

You can use the Microsoft Forefront Threat Management Gateway log viewer to monitor and analyze traffic, and to troubleshoot network activity. By default, the log viewer displays all log records for the Web Proxy log and Firewall log in real time as they occur, with each event displayed in the log viewer as soon as it is logged. To display records with the default filter, click the Logging tab. On the Tasks tab, select Start Query.

You can modify the default filter conditions to display data that meets specific criteria in the log viewer. The viewer displays log data only if it matches all the expressions included in the filter. The filter expressions are combined by using the logical AND operator. For example, you may want all log entries that are currently being logged for a specific IP address. To do this, you would edit the logging filter as follows:

  • Set Client IP to the relevant IP address.
  • Set Log Time to Live.

When you filter the log, you can select to view the Web Proxy log, the Firewall log, or both.

You can filter data by Log Time in all log formats. For Text logs, you can specify only the Log Time with the Live value. This is known as online viewing, which displays real-time log data. SQL Server Express logging and SQL logging make it possible to specify the Log Time with other values. This way, you can display log data that was logged during a specific time period, rather than just live data. This is known as offline viewing. When offline data is displayed, the log viewer actually queries the database.

When you create a filter, you specify a criterion, a condition, and a value. You select a field on which to filter the log, and then select a condition from one of the conditions available for the field. Then select a value. For some fields, predefined values may be available, or you can type a value. Some fields and conditions do not have values associated with them.

You cannot remove the entries in the default filter, but you can select the fields that appear in the default query and make changes to the values.

For a list of criteria on which you can filter the logs, see Log query parameters.

Note the following when filtering log views:

  • Up to 10,000 results are displayed in the log viewer.
  • Forefront TMG logs each request in the authentication process for a Web Proxy client. The destination IP address and port number are not logged for denied requests.
  • Some log information, including IP data, Raw IP header, and Interface, is displayed only for stateless traffic that is not allowed for reasons other than a policy rule or application filter. For example, if traffic is dropped because it is considered spoofed, the information is displayed.
  • If no rule specifically allows the outgoing or incoming request, the rule name is logged as Default Rule. This indicates one of the following:
      • The connection was denied, but the denial was not due to access policy. For example:
          • No network relationship is defined between the source and destination networks.
          • Intrusion detection dropped the traffic as spoofed.
          • The request is from a client that exceeded the maximum connection limits.
      • The connection was allowed implicitly, without a specific system policy rule or access rule to allow it. This can happen in a number of scenarios. For example, an application filter running on Forefront TMG may update its files from the Web, and open a connection to a Web server without a specific policy rule that allows the connection. In this case, the rule name field in the log will be empty, and not populated with "Default Rule".
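The filter model described above (a criterion, a condition and a value per expression, all expressions combined with AND, and offline viewing restricted by Log Time) is illustrated here as an added example; it is not code from the product or from this page. The field names, condition names and log records are constructed for the example and are not Forefront TMG's own column names, and the query it runs picks out Default Rule denials for one client while leaving out implicit allows, whose rule name is empty.

```python
from datetime import datetime
from typing import Any, Callable

# Constructed sample log records modelled on Forefront TMG Web Proxy and Firewall
# log entries. Field names are assumptions for this example, not TMG's own column names.
SAMPLE_RECORDS = [
    {"log_time": "2023-01-10 09:00:01", "client_ip": "10.0.0.5", "log_type": "Web Proxy",
     "action": "Allowed", "rule": "Allow Web Access"},
    {"log_time": "2023-01-10 09:00:02", "client_ip": "10.0.0.5", "log_type": "Firewall",
     "action": "Denied", "rule": "Default Rule"},
    {"log_time": "2023-01-10 09:00:03", "client_ip": "10.0.0.7", "log_type": "Firewall",
     "action": "Denied", "rule": "Default Rule"},
    # Implicit allow (e.g. an application filter fetching updates): the rule name is empty.
    {"log_time": "2023-01-10 09:30:00", "client_ip": "10.0.0.5", "log_type": "Firewall",
     "action": "Allowed", "rule": ""},
    {"log_time": "2023-01-10 10:00:00", "client_ip": "10.0.0.5", "log_type": "Firewall",
     "action": "Denied", "rule": "Default Rule"},
]

def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

# Conditions a filter expression can use; each maps (record value, filter value) -> bool.
CONDITIONS: dict[str, Callable[[str, Any], bool]] = {
    "Equals": lambda actual, wanted: actual == wanted,
    "Not Equal": lambda actual, wanted: actual != wanted,
    "Contains": lambda actual, wanted: wanted.lower() in actual.lower(),
    # Offline viewing: Log Time restricted to an inclusive (start, end) window.
    "Between": lambda actual, window: _ts(window[0]) <= _ts(actual) <= _ts(window[1]),
}

def apply_filter(records, expressions):
    """Return the records matching every (field, condition, value) expression (logical AND)."""
    def matches(record):
        return all(CONDITIONS[cond](record[field], value) for field, cond, value in expressions)
    return [r for r in records if matches(r)]

def default_rule_denials(records, client_ip, start, end):
    """Offline query: denials that matched no explicit rule, for one client, in a time window."""
    return apply_filter(records, [
        ("client_ip", "Equals", client_ip),
        ("rule", "Equals", "Default Rule"),
        ("action", "Equals", "Denied"),
        ("log_time", "Between", (start, end)),
    ])

if __name__ == "__main__":
    hits = default_rule_denials(SAMPLE_RECORDS, "10.0.0.5", "2023-01-10 09:00:00", "2023-01-10 09:59:59")
    for r in hits:
        print(r["log_time"], r["client_ip"], r["log_type"], r["action"], r["rule"])
```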

After you define a filter and run a query with it, you can save it as an .xml file for future use. It is often useful to have a set of queries, with each query used to focus on a different session type. You can then import saved filter query definitions as required.