Configuring logging

Configuring a logging mechanism consists of the following steps:

  • Select a logging mechanism. You can log to a file, a local SQL Server Express database, or a remote SQL Server. For more information, see Logging formats.
  • Specify a log location. By default, logs are stored in the ISALogs folder of the Forefront TMG installation folder. For information about the folder permissions required if you select an alternative log folder, see Configuring the log location. If a specified folder location does not exist, Forefront TMG attempts to create it. If the folder cannot be created or permissions are incorrect, the Firewall service will not start.
  • Specify log storage limits for text log files and SQL Server Express database files. Ensure that you allocate sufficient disk space to accommodate logs for at least a day or two. If you configure space for less than a day, reports will be based on that portion of the day only. Each log component (Firewall and Web proxy) is maintained separately. So if you configure a size of 8 GB for each component, the maximum size of the combined log is 16 GB. Forefront TMG checks every thirty seconds that log limits are not exceeded. We recommend that you allocate sufficient disk space to enable logging to continue during peak usage. If logging fails, the Firewall service stops. For more information, see Configuring logging to avoid lockdown.
  • Configure a maintenance policy for text log files and SQL Server Express database files. You can specify how older log files are maintained and deleted. For remote SQL Server logging, the SQL Server administrator should develop an appropriate maintenance plan.
  • For log files located on an NTFS volume, you can enable compression.

Configuring logging to a text file

  1. In the Forefront TMG console tree, click Monitoring.
  2. In the details pane, click the Logging tab.
  3. On the Tasks tab, select the appropriate task:
    • Configure Firewall Logging. To specify that the Firewall log should be written to a text file.
    • Configure Web Proxy Logging. To specify that the Web Proxy log should be written to a text file.
  4. On the Log tab, click File.
  5. In Format, select the file format. By default, the W3C extended log file format is used. Alternatively, you can select the Forefront TMG file format. The two formats differ as follows:
    • W3C extended log file format. Logs contain both data and directives describing the version, date, and logged fields. Fields that are not selected for the log do not appear in the log. The tab character is used as a delimiter. Date and time are in Coordinated Universal Time (UTC).
    • Forefront TMG file format. Logs contain only data, with no directives. All fields are always logged. Fields that are not selected are logged with a dash (-) to indicate that they are empty. The comma character is used as a delimiter. The date and time fields are in the format of the local time setting configured on the server.
  6. Click Options to configure storage settings.
  7. Select ISALogs to store logs in the default location. To store files in an alternative location, click This folder, and specify the path.
  8. Configure the log size as follows:
    • Select Limit total size of log files and specify a maximum size. Each log file is limited to 1.5 GB. When a log file reaches 1.5 GB, a new file is automatically created.
    • Select Maintain free disk space and specify the free space.
  9. Configure how logs are managed as follows:
    • Select Deleting older log files as necessary to specify that the oldest log files are deleted automatically in accordance with the specified size limits.
    • Select Discarding new log entries to stop logging new entries (while keeping all the old log information) in accordance with the specified size limits. New entries are not logged until you change limits or delete old files. An alert is issued to notify you of this event.
    • Select Delete files older than to delete log files older than the specified number of days. To delete old files from storage, decrease this number.
  10. Select Compress log files to reduce log file size. Compression is only applied to log files stored on NTFS volumes.
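
The format differences described in step 5 determine how the text logs must be read by analysis tooling. The following Python parser is an added example, not part of the Forefront TMG documentation; the sample lines, the date and time layout, and the column order passed to the Forefront TMG file format parser are constructed assumptions.

```python
import csv
from datetime import datetime, timezone

def parse_w3c(lines):
    """Parse W3C extended format: '#' directives plus tab-delimited data."""
    fields, records = [], []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            if name.strip().lower() == "fields":
                # Only selected fields are logged, so the column set comes
                # from the directive and can change when it reappears.
                # Assumption: field names are tab-delimited like the data.
                fields = value.strip().split("\t")
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        rec = dict(zip(fields, values))
        if "date" in rec and "time" in rec:
            # W3C-format timestamps are UTC; attach the zone explicitly.
            # Assumed layout: YYYY-MM-DD and HH:MM:SS.
            stamp = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
            rec["timestamp"] = stamp.replace(tzinfo=timezone.utc)
        records.append(rec)
    return records

def parse_tmg_native(lines, columns):
    """Parse Forefront TMG file format: comma-delimited, no directives."""
    records = []
    for row in csv.reader(lines):
        if not row:
            continue
        if len(row) != len(columns):
            raise ValueError(f"expected {len(columns)} columns, got {len(row)}")
        # Every field is present; a dash marks an empty (unselected) field.
        # Date and time are server local time, so they stay as plain strings.
        records.append({c: (None if v == "-" else v) for c, v in zip(columns, row)})
    return records

# Constructed sample input, not taken from a real Forefront TMG log.
W3C_SAMPLE = ["#Version: 2.0", "#Date: 2010-03-01 12:00:00",
              "#Fields: date\ttime\tc-ip\taction",
              "2010-03-01\t12:00:05\t10.0.0.5\tAllowed",
              "#Fields: date\ttime\tc-ip", "2010-03-01\t12:00:09\t10.0.0.7"]
NATIVE_COLUMNS = ["c-ip", "cs-username", "date", "time", "action"]  # hypothetical order
NATIVE_SAMPLE = ["10.0.0.5,-,3/1/2010,14:00:05,Allowed"]
```

When correlating the two formats, convert the Forefront TMG file format timestamps from the server's local time zone to UTC before comparing them with W3C records.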

Configuring logging to a local SQL Server Express 2005 database

  1. In the Forefront TMG console tree, click Monitoring.
  2. In the details pane, click the Logging tab.
  3. On the Tasks tab, select the appropriate task:
    • Configure Firewall Logging. To specify that the Firewall log should be written to a local SQL Server Express database.
    • Configure Web Proxy Logging. To specify that the Web Proxy log should be written to a local SQL Server Express database.
  4. On the Log tab, click SQL Server Express 2005 Database (on local server). Then click Options.
  5. Select ISALogs to store logs in the default location. To store files in an alternative location, click This folder, and specify the path.
  6. Configure the log size as follows:
    • Select Limit total size of log files and specify a maximum size. Each log file is limited to 1.5 GB. When a log file reaches 1.5 GB, a new file is automatically created.
    • Select Maintain free disk space and specify the free space.
  7. Configure how logs are managed as follows:
    • Select Deleting older log files as necessary to specify that the oldest log files are deleted automatically in accordance with the specified size limits.
    • Select Discarding new log entries to stop logging new entries (while keeping all the old log information) in accordance with the specified size limits. New entries are not logged until you change limits or delete old files. An alert is issued to notify you of this event.
    • Select Delete files older than to delete log files older than the specified number of days. To delete old files from storage, decrease this number.
  8. Select Compress log files to reduce log file size. Compression is only applied to log files stored on NTFS volumes.

Configuring logging to a remote SQL server

  1. In the Forefront TMG console tree, click Monitoring.
  2. In the details pane, click the Logging tab.
  3. On the Tasks tab, select the appropriate task:
    • Configure Firewall Logging. To specify that the Firewall log should be written to a remote SQL Server database.
    • Configure Web Proxy Logging. To specify that the Web Proxy log should be written to a remote SQL Server database.
  4. On the Log tab, click SQL Database. Then click Options.
  5. In Database Connection Parameters, specify the SQL Server database details:
    • In Server, type the name of the computer running SQL Server to which the information will be logged.
    • In Port, type the port number to use. The default port of the computer running SQL Server is 1433.
    • In Database, type the name of the database on the computer running SQL Server.
    • In Table, specify a table name. Forefront TMG provides two SQL scripts used to create the tables for recording the log data. For more information, see Setting up SQL Server for logging.
    • Click Force data encryption to specify that a secure connection should be used between Forefront TMG and the SQL Server computer. This setting is enabled by default to help secure log file information. To use this setting, you must have a server certificate configured on the SQL Server computer and a root certificate for the CA that issued the server certificate on the Forefront TMG server. For more information, see Encrypting connections to SQL Server, at Microsoft TechNet.
  6. In Authentication Details, select an option for database authentication:
    • Select Use Windows authentication to authenticate to the SQL Server using the computer account.
    • Select Use SQL server authentication to authenticate against SQL Server using a SQL Server account. In User and Password, type the credentials to be used. Ensure that the account has permissions to authenticate to the SQL Server computer.
  7. Click Test to verify connectivity to the SQL Server computer.

For more information about setting up system policy rules and SQL Server, see Setting up SQL Server for logging.