Lesson 2 Logging ISA Server Activity
ISA Server features detailed security and access logs that can be generated in standard data formats like World Wide Web Consortium (W3C) and Open Database Connectivity (ODBC). The three logs built into ISA Server monitor activity of the Firewall service, the Web Proxy service, and packet filtering. New log files can be created daily, weekly, monthly, or yearly.
After this lesson, you will be able to
Locate and view ISA Server logs for the Firewall service, for the Web Proxy service, and for packet filtering
Modify ISA Server logging properties such as log location, log fields, and log file compression
Configure ISA Server to use an ODBC data source for logging.
Estimated lesson time: 75 minutes
Managing ISA Server Logs
ISA Server logs packet filtering activity, Firewall service activity, and Web Proxy service activity. By default, one new log file is generated for each service per day. Each new log file is stored in the ISALogs folder in the ISA Server installation folder. A typical path for this location is %ProgramFiles%\Microsoft ISA Server\ISALogs\.
You can modify many of the default settings for these three service logs. For example, you can modify the logging format. By default, ISA Server logs to a file in W3C format, but you can also choose to log to a file in ISA format. A third option is to log to a database in ODBC format. Another property you can modify is the frequency of log reports. You can configure ISA Server to generate a log report daily, monthly, weekly, or yearly. Other properties you can modify in ISA Server logging include the specific fields to generate in the log report, and the location to store the log file.
Logging properties are modified in ISA Management in the Logs folder of the Monitoring Configuration node. Figure 9.6 shows the three service logs you can configure when the Logs folder is selected.

Figure 9.6 Managing logs in ISA Management
Properties for each service log can be configured by double-clicking any one of the service log icons in the details pane. Figure 9.7 shows the Log tab associated with the Properties dialog box of a service log. This tab allows you to configure the log format and storage location.

Figure 9.7 The Log tab of a service log's properties
Figure 9.8 shows the Fields tab associated with the Properties dialog box of a service log. This tab allows you to specify which fields are included in the log report.

Figure 9.8 The Fields tab of a service log's properties
When a service log is enabled, logs are generated for each server in the array. The ISA Server reporting system then centralizes the logs, collecting data from all the servers and combining them into a single report.
Logging to a File
You can save ISA Server logs to a file in either of the following formats:
W3C format
ISA format
Although the logging configuration is array-wide, log files are created on every ISA Server in the array. You can specify the location of a log file in the Options dialog box, as shown in Figure 9.9, which you access by clicking the Options button in the specific service log's Properties dialog box.

Figure 9.9 Specifying a log file location
The default location for the log file is the ISALogs folder. When you leave this option selected, the log file is saved to the same location within the ISA Server installation folder on every ISA Server computer in the array. If you specify another folder, however, the path you specify for the log file must exist on every server in the array.
It is recommended that you log to NT file system (NTFS) partitions so that the log files benefit from advanced file system features like NTFS security and data compression.
W3C Format
W3C logs contain both data and directives describing the version, date, and logged fields. Because the fields are named in the file's directives, unselected fields are simply not written. The tab character is used as the delimiter. Date and time are recorded in Greenwich Mean Time (GMT). Figure 9.10 shows part of a Web Proxy log file in W3C format.

Figure 9.10 A Web Proxy log file in W3C log format
ISA Format
ISA format contains only data, with no directives. All fields are always logged; unselected fields are written as a dash (-) to indicate that they are empty. The comma character is used as the delimiter. The Date and Time fields show local time. A sample Firewall service log file in ISA format is shown in Figure 9.11.

Figure 9.11 A Firewall service log file in ISA format
Log File Names
A log file name is derived from the name of the service being logged, the log file format, and the date of the log.
The first three letters of the service log file name indicate the service being logged. FWS indicates the Firewall service, WEB indicates the Web Proxy service, and IPP indicates IP packet filters. This is followed by the letters EXT if the file is in the W3C extended log file format. (A file in ISA Server file format is designated by the absence of the letters EXT.) Next in the file name is a letter indicating the frequency of the log: the letter D represents a daily log, the letter W indicates a weekly log, the letter M represents monthly, and the letter Y indicates a yearly log. Finally, the date of the log file follows in the form yyyymmdd. The date May 21, 2002 would thus be represented as 20020521, and a daily W3C Web Proxy service log created on that date would be named WEBEXTD20020521.log. A monthly Firewall service log file in ISA format created on the same date would be named FWSM20020521.log.
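The following Python module is an added example for this lesson; it is not part of ISA Server or the course materials. It decodes a log file name as described above, and parses both file formats the way the two preceding sections describe them: W3C logs are tab-delimited and carry a #Fields directive naming only the selected fields, while ISA-format logs have no directives, are comma-delimited, always contain every field, and mark empty fields with a dash. The sample log excerpts embedded below are constructed for the example, and FIREWALL_FIELDS is the 27-field order of Table 9.2.

```python
"""Parse ISA Server 2000 log file names and the W3C and ISA file log formats.

Added example for this lesson, not part of ISA Server. Sample log content is constructed.
"""
import re
from datetime import datetime

# Name components described under "Log File Names".
SERVICES = {"FWS": "Firewall service", "WEB": "Web Proxy service", "IPP": "IP packet filters"}
FREQUENCIES = {"D": "daily", "W": "weekly", "M": "monthly", "Y": "yearly"}
NAME_RE = re.compile(r"^(FWS|WEB|IPP)(EXT)?([DWMY])(\d{8})\.log$", re.IGNORECASE)


def parse_log_filename(name):
    """Split e.g. WEBEXTD20020521.log into service, format, frequency and date."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not an ISA Server log file name: {name!r}")
    service, ext, freq, ymd = m.groups()
    return {
        "service": SERVICES[service.upper()],
        "format": "W3C" if ext else "ISA",          # EXT marks W3C extended format
        "frequency": FREQUENCIES[freq.upper()],
        "date": datetime.strptime(ymd, "%Y%m%d").date(),
    }


def _clean(value):
    # Both formats write a lone dash for an empty or unavailable field.
    value = value.strip()
    return None if value == "-" else value


def parse_w3c_log(text):
    """W3C format: '#' directives name the fields, data is tab-delimited, times are GMT.

    Only the fields selected on the Fields tab appear, so #Fields must be read first.
    """
    fields, rows = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no row data
        if fields is None:
            raise ValueError(f"line {lineno}: data before #Fields directive")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: {len(values)} values for {len(fields)} fields")
        rows.append({f: _clean(v) for f, v in zip(fields, values)})
    return rows


def parse_isa_log(text, fields):
    """ISA format: no directives, comma-delimited, every field present, local time.

    Nothing in the file names the columns, so the caller supplies the field order
    (Table 9.2 or Table 9.7). Assumes no field value itself contains a comma.
    """
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        values = line.split(",")
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: {len(values)} values for {len(fields)} fields")
        rows.append({f: _clean(v) for f, v in zip(fields, values)})
    return rows


# The 27 Firewall/Web Proxy fields in the order of Table 9.2.
FIREWALL_FIELDS = [
    "c-ip", "cs-username", "c-agent", "sc-authenticated", "date", "time",
    "s-svcname", "s-computername", "cs-referred", "r-host", "r-ip", "r-port",
    "time-taken", "cs-bytes", "sc-bytes", "cs-protocol", "cs-transport",
    "s-operation", "cs-uri", "cs-mime-type", "s-object-source", "sc-status",
    "s-cache-info", "rule#1", "rule#2", "sessionid", "connectionid",
]

# Constructed Web Proxy excerpt in W3C format; only a subset of fields was selected.
SAMPLE_W3C = "\n".join([
    "#Software: Microsoft Internet Security and Acceleration Server 2000",
    "#Version: 1.0",
    "#Date: 2002-05-21 02:31:35",
    "#Fields: c-ip cs-username date time s-svcname r-host r-ip r-port time-taken "
    "cs-bytes sc-bytes s-operation cs-uri s-object-source sc-status",
    "\t".join(["10.0.0.15", "anonymous", "2002-05-21", "02:31:35", "w3proxy", "www.example.com",
               "192.0.2.80", "80", "412", "389", "14209", "GET", "http://www.example.com/", "Inet", "200"]),
    "\t".join(["10.0.0.15", "anonymous", "2002-05-21", "02:31:45", "w3proxy", "-", "-", "80", "3",
               "401", "0", "GET", "http://www.example.com/logo.gif", "NotModified", "304"]),
])

# Constructed Firewall service excerpt in ISA format: all 27 fields, dash for empty ones.
SAMPLE_ISA = "\n".join([
    "10.0.0.15,CORP\\jsmith,3:5.0,Y,2002-05-21,14:32:10,fwsrv,ISA1,-,-,192.0.2.80,80,"
    "0,0,0,HTTP,TCP,CONNECT,-,-,-,0,-,Allow HTTP,-,1012,5",
    "10.0.0.15,CORP\\jsmith,3:5.0,Y,2002-05-21,14:32:14,fwsrv,ISA1,-,-,192.0.2.80,80,"
    "3920,1432,58211,HTTP,TCP,CONNECT,-,-,-,20000,-,Allow HTTP,-,1012,5",
])
```

Note that the W3C rows contain only the 15 selected fields (no connectionid key at all), while the ISA rows always carry all 27 keys with None where the log held a dash; analysis code that runs against both formats should test for a key's presence, not only for its value.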
Log File Options
To reduce the amount of disk space required for the log files, ISA Server allows you to configure the following options:
Compress log files to reduce the disk space required. Files are compressed only if stored on NTFS partitions.
Limit the number of log files saved on all the servers in the array.
To configure logging to a file
In the console tree of ISA Management, expand the Monitoring Configuration node and click the Logs folder.
In the details pane, right-click the applicable service, and then click Properties.
On the Log tab, click the File radio button.
In the Format drop-down list box, select the log format.
In the Create A New File drop-down list box, click a time period that specifies how often a new log file will be created.
To modify the location of the log file, click the Options button and then do one of the following:
To save the file to the default folder, click the ISALogs Folder (In The ISA Server Installation Folder) radio button.
To save the file to another folder, click the Other Folder radio button and then type a folder name in the text box or click Browse and find a storage location.
To set the maximum number of log files, click the Limit Number Of Log Files check box, and in the associated text box, type the maximum number of log files to keep for the array.
To compress the log files, click the Compress Log Files check box.
Logging to a Database
You can store ISA Server logs to an ODBC database instead of a file. You configure this option by selecting the Database radio button on the Log tab of a service log's Properties dialog box.
Before configuring ISA Server to log data to a database, you must create a database and tables to support logging. The root folder of the ISA Server CD-ROM includes the following sample scripts that create tables and indexes to support database logging:
Pf.sql defines the packet filter log table called PacketFilterLog and indexes to support table queries.
W3PROXY.sql defines the Web Proxy service log table WebProxyLog and indexes to support table queries.
FWSRV.sql defines the Firewall service log table called FirewallLog and indexes to support table queries.
For example, to create a SQL Server 2000 log database named ISALogs that can grow to a maximum size of 100 MB and a transaction log file that can grow to a maximum size of 50 MB, perform the following steps:
Open SQL Query Analyzer and connect to the SQL Server where you will create the log database.
In the Editor pane of the Query window, enter the following Transact-SQL code:
USE master
GO
CREATE DATABASE ISALogs
This code creates a database with the name ISALogs.
Directly beneath the code that you just entered in the Editor pane, enter the following code:
ON PRIMARY
(
NAME = ISALog_dat,
FILENAME = 'C:\Program Files\Microsoft SQL Server\MSSQL\Data\ISALog.mdf',
SIZE = 50,
MAXSIZE = 100,
FILEGROWTH = 1
)
This code defines the primary file. The logical name of the file is ISALog_dat. The path and file name used by the operating system is C:\Program Files\Microsoft SQL Server\MSSQL\Data\ISALog.mdf. The initial size of the file is 50 MB, and the maximum size that the file can grow is 100 MB. The growth increment of the file is 1 MB.
If the path specified in the code is different on your computer, you must specify the correct path in the code, or leave the code as is and create the file path on the C: drive before running this code in step 5.
Directly beneath the code that you just entered in the Editor pane, enter the following code:
LOG ON
(
NAME = ISALog_log,
FILENAME = 'C:\Program Files\Microsoft SQL Server\MSSQL\Data\ISALog.ldf',
SIZE = 25,
MAXSIZE = 50,
FILEGROWTH = 1
)
GO
This code defines the log file. The logical name of the file is ISALog_log. The path and file name used by the operating system is C:\Program Files\Microsoft SQL Server\MSSQL\Data\ISALog.ldf. The initial size of the file is 25 MB, and the maximum size that the file can grow is 50 MB. The growth increment of the file is 1 MB.
If the path specified in the code is different on your computer, you must specify the correct path in the code, or leave the code as is and create the file path on the C: drive before running this code in step 5.
Execute all the code as one statement. The Messages tab of the Results pane displays two messages, one saying that 50 MB of disk space has been allocated to the primary file and the other saying that 25 MB of disk space has been allocated to the transaction log file. These are the initial SIZE values; the files can grow to their MAXSIZE values of 100 MB and 50 MB.
Verify that the current database is ISALogs, then open and execute each of the .sql files appearing on the root of the ISA Server CD-ROM.
The log tables and indexes are created for each service.
After you create the database and the log tables and indexes, you must set up the ISA Server computer to use the data source name. Perform the following steps:
On the ISA Server computer, click Start, point to Programs, point to Administrative Tools, and then click Data Sources (ODBC).
On the System DSN tab, click the Add button.
In the Create New Data Source screen, select the appropriate driver for the database. If you are using SQL Server 2000, select SQL Server.
Follow the on-screen instructions to create the data source. The data source name you assign is the one you enter in the ODBC data source (DSN) text box when you configure the log database properties.
Do not use spaces in the data source name or ISA Server services will stop.
Follow these steps to configure logging to a database:
In the console tree of ISA Management, expand the Monitoring Configuration node and click the Logs folder.
In the details pane, right-click the applicable service, and then click Properties.
On the Log tab, click the Database radio button.
Confirm or modify the following parameters:
ODBC data source (DSN)
Table name This is the name of each table as specified in the .sql files on the root of the ISA Server CD-ROM. For example, the table name for the Packet Filters log is PacketFilterLog.
User account
Click the Set Account button, type the user name in the User text box, and type the password in the Password and Confirm Password text boxes. You can use a SQL Server logon ID or a Windows user account, depending on how you configure SQL Server authentication.
Logging Packets
All packets that pass through ISA Server can be logged to the packet filter log. You can configure exactly which packets are logged by following these guidelines:
By default, when you install ISA Server, all dropped packets are logged to the packet filter log. When you disable packet filtering, logging is turned off altogether.
You can configure ISA Server to disable logging for packets that are dropped due to any specific block-mode IP packet filter.
You can configure ISA Server to log all packets—allowed and dropped—that are communicated by way of ISA Server. When you enable logging of allowed packets, all packets that pass through ISA Server are logged in the packet filter log.
Logging allowed packets and blocked packets causes a considerable load on the server.
Follow these steps to log allowed packets:
In the console tree of ISA Management, expand the Access Policy node, right-click the IP Packet Filters folders, and then click Properties.
On the Packet Filters tab, select the Log Packets From 'Allow' Filters check box.
You can only log allowed packets if packet filtering is enabled.
Follow these steps to log blocked packets:
In the console tree of ISA Management, expand the Access Policy node and click the IP Packet Filters folder.
On the View menu, confirm that the Advanced option is selected.
In the details pane, right-click the block-mode IP packet filter whose packets you want to log and then click Properties.
On the General tab, select the Log Any Packets Matching This Filter check box.
Firewall and Web Proxy Log Fields
When you select the Fields tab of a service log's properties, you can select any of the available fields to log. By default, the packet filters log reports nine of a possible twelve fields. Also by default, the Firewall service and Web Proxy service logs report 18 of a possible 27 fields. You can change these default selections at any time or restore the defaults by clicking the Restore Defaults button.
Follow these steps to specify fields to log:
In the console tree of ISA Management, expand the Monitoring Configuration node and click the Logs folder.
In the details pane, right-click the applicable service, and then click Properties.
Click the Fields tab. You complete the following tasks from this tab:
To select specific fields for logging, enable the appropriate check box.
To clear all the check boxes in the field list, click the Clear All button.
To enable all the check boxes in the field list, click the Select All button.
To enable a default set of fields in the ISA Server log file, click the Restore Defaults button.
Table 9.2 lists the fields that you can include in each of the ISA Server Firewall and Web Proxy log files. The field name noted in parentheses is relevant when you use the W3C extended log file format. For W3C names, note that the prefix "c" represents client actions, "s" represents server actions, "cs" represents client-to-server actions, "sc" represents server-to-client actions, and "r" represents remote actions.
Some fields are relevant for either Web Proxy Service or Firewall Service, but not both. For each of these fields, the table indicates which service the field applies to. Note that, in ISA Server log format, an empty field appears in the log with a hyphen (-). In W3C log file format, the field does not appear at all if it is not applicable to the service.
Tables 9.3 through 9.6 list possible values for some of these fields. You can view the field names through the Monitoring Configuration node in ISA Management. To do so, click on the Logs folder, and then double-click on the log files belonging to the ISA Server Firewall Service and the ISA Server Web Proxy Service. Finally, click on the Fields tab to review the fields available for logging.
Table 9.2 Available Logging Fields for Firewall and Web Proxy Services
Field position | Descriptive name (field name) | Description |
---|---|---|
1 | Client IP (c-ip) | The IP address of the requesting client. |
2 | Client user name (cs-username) | Account of the user making the request. If ISA Server Access Control is not being used, ISA Server uses anonymous. |
3 | Client agent (c-agent) | The client application type sent by the client in the Hypertext Transfer Protocol (HTTP) header. When ISA Server is actively caching, the client agent is ISA Server. For Firewall service, this field includes information about the client's operating system. See Table 9.3 for possible Client Agent values. |
4 | Authorization status (sc-authenticated) | Indicates whether or not client has been authenticated with ISA Server. Possible values are Y and N. |
5 | Date (date) | The date that the logged event occurred. |
6 | Time (time) | The time that the logged event occurred. In W3C format, this is in Greenwich mean time. |
7 | Service name (s-svcname) | The name of the service that is logged. w3proxy indicates outgoing Web requests to the Web Proxy service. fwsrv indicates Firewall service. w3reverseproxy indicates incoming Web requests to the Web Proxy service. |
8 | Computer name (s-computername) | The name of the computer running ISA Server. This is the computer name that is assigned in Windows 2000. |
9 | Referring server name (cs-referred) | If ISA Server is used upstream in a chained configuration, this indicates the server name of the downstream server that sent the request. |
10 | Destination name (r-host) | The domain name for the remote computer that provides service to the current connection. For the Web Proxy service, a hyphen (-) in this field may indicate that an object was retrieved from the Web Proxy server cache and not from the destination. |
11 | Destination IP (r-ip) | The network IP address for the remote computer that provides service to the current connection. For the Web Proxy service, a hyphen (-) in this field may indicate that an object was sourced from the Web Proxy server cache and not from the destination. One exception is negative caching. In that case, this field indicates a destination IP address for which a negative-cached object was returned. |
12 | Destination port (r-port) | The reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request. |
13 | Processing time (time-taken) | This indicates the total time, in milliseconds, that is needed by ISA Server to process the current connection. It measures elapsed server time from the time that the server first received the request to the time when final processing occurred on the server, that is, when results were returned to the client and the connection was closed. For cache requests that were processed through the Web Proxy service, processing time measures the elapsed server time needed to fully process a client request and return an object from the server cache to the client. |
14 | Bytes sent (cs-bytes) | The number of bytes sent from the internal client to the external server during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer. |
15 | Bytes received (sc-bytes) | The number of bytes sent from the external computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the external computer. |
16 | Protocol name (cs-protocol) | Specifies the application protocol used for the connection. Common values are HTTP, File Transfer Protocol (FTP), Gopher, and Secure Hypertext Transfer Protocol (HTTPS). For Firewall service, the port number is also logged. |
17 | Transport (cs-transport) | Specifies the transport protocol used for the connection. Common values are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). |
18 | Operation (s-operation) | Specifies the application method used. For Web Proxy, common values are GET, PUT, POST, and HEAD. For Firewall service, common values are CONNECT, BIND, SEND, RECEIVE, GHBN (GetHostByName), and GHBA (GetHostByAddress). |
19 | Object name (cs-uri) | For the Web Proxy service, this field shows the contents of the Uniform Resource Locator (URL) request. This field applies only to the Web Proxy service log. |
20 | Object MIME (cs-mime-type) | The Multipurpose Internet Mail Extensions (MIME) type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined or supported by the remote computer. This field applies only to the Web Proxy service log. |
21 | Object source (s-object-source) | Indicates the source that was used to retrieve the current object. This field applies only to the Web Proxy service log. See Table 9.4 for a list of possible values. |
22 | Result code (sc-status) | Indicates the outcome of the request. Values less than 100 are Windows (Win32) error codes; values between 100 and 1,000 are HTTP status codes; values between 10,000 and 11,004 are Winsock error codes. See Table 9.5 for a list of possible values. |
23 | Cache info (s-cache-info) | This number reflects the cache status of the object, which indicates why the object was or was not cached. This field applies only to the Web Proxy service log. See Table 9.6 for a list of possible values. |
24 | Rule #1 (rule#1) | This reflects the rule that either allowed or denied access to the request. If an outgoing request is allowed, this field reflects the protocol rule that allowed the request; if an outgoing request is denied by a protocol rule, this field reflects that protocol rule; if an outgoing request is denied by a site and content rule, this field reflects the protocol rule that would have allowed the request; if an incoming request was denied, this field reflects the Web publishing or server publishing rule that denied the request. If no rule specifically allowed the outgoing or incoming request, the request is denied and this field is empty. |
25 | Rule #2 (rule#2) | This reflects the second rule that either allowed or denied access to the request. If an outgoing request is allowed, this field reflects the site and content rule that allowed the request. If an outgoing request is denied by a site and content rule, this field reflects the site and content rule that denied the request. If no rule specifically allowed the outgoing or incoming request, the request is denied. In this case, the field is empty. |
26 | Session ID (sessionid) | This identifies a session's connections. For Firewall clients, each process that connects through the Firewall service initiates a session. For SecureNAT clients, a single session is opened for all the connections that originate from the same IP address. This field applies only to the Firewall service log and is not included in the Web Proxy service log. |
27 | Connection ID (connectionid) | This identifies entries that belong to the same socket. Outbound TCP usually has two entries for each connection: when the connection is established and when the connection is terminated. UDP usually has two entries for each remote address. This field is not included in the Web Proxy service log. This field applies only to the Firewall service log. |
Table 9.3 presents the possible values for the client agent (c-agent in W3C format) parameter reported by the ISA Server Firewall service log. This expands on the information presented in the third row of Table 9.2. When all fields are selected to be logged, one of the values listed in Table 9.3 appears in the third field position of the log. This value indicates the operating system used by the client.
Table 9.3 Operating System Values
Value | Description |
---|---|
0:3.95 | Windows 95 (16-bit) |
2:4.10 | Windows 98 (32-bit) |
2:4.0 | Windows 95 (32-bit) |
3:4.0 | Windows NT 4.0 |
3:5.0 | Windows 2000 |
Table 9.4 lists the possible values for the object source (s-object-source in W3C format) parameter reported by the ISA Server Web Proxy service log. This expands on the information presented in row 21 of Table 9.2. When all fields are selected to be logged, one of the values listed in Table 9.4 appears in the 21st field position of the log. This value indicates which source was used to retrieve the current object.
Table 9.4 Object Source Values
Source values | Description |
---|---|
0 | No source information is available. |
Cache | Source is the cache. Object returned from cache. |
Inet | Source is the Internet. Object added to cache. |
Member | Returned from another array member. |
NotModified | Source is the cache. Client performed an If-Modified-Since request and object had not been modified. |
NVCache | Source is the cache. Object could not be verified to source. |
Upstream | Object returned from an upstream proxy cache. |
Vcache | Source is the cache. Object was verified to source and had not been modified. |
VFInet | Source is the Internet. Cached object was verified to source and had been modified. |
Table 9.5 lists some of the possible values for the result code (or sc-status in W3C format) parameter reported by the ISA Server Firewall and Web Proxy service logs. This expands on the information presented in row 22 of Table 9.2.
This value is often used to indicate a Windows error code (for values less than 100), an HTTP status code (for values between 100 and 1,000), or a Winsock error code (for values between 10,000 and 11,004). In the Firewall service log, a connection usually has two entries: the first is written when the connection is established, the second when the connection is terminated. The first entry is logged with a result code of either 0 (Successful Connection) or 13301 (Connection Refused) and a byte count of 0. The second entry is logged with a result code of either 20000 (Normal Connection Termination) or 20001 (Unexpected Connection Termination) and the corresponding byte count.
For additional information about error codes, consult the Microsoft Developers Network online at http://msdn.microsoft.com, or Microsoft Technet at http://www.microsoft.com/technet.
Table 9.5 Sample Result Code Values
Value | Description |
---|---|
0 | Successful connection |
200 | OK - Successful connection |
201 | Created |
202 | Accepted |
204 | No content |
301 | Moved permanently |
302 | Moved temporarily |
304 | Not modified |
400 | Bad request |
401 | Unauthorized |
403 | Forbidden |
404 | Not found |
500 | Internal server error |
501 | Not implemented |
502 | Bad gateway |
503 | Service unavailable |
10054 | Connection reset by remote side |
10060 | Connection timed out |
10061 | Connection refused by destination |
10065 | Host unreachable |
11001 | Host not found |
13301 | Connection rejected (due to filtering or protocol permissions) |
20000 | Normal connection termination |
20001 | Unexpected connection termination |
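The two-entry pattern described above means that a single Firewall service log line never tells the whole story of a connection: the byte counts live in the termination entry, and a refused connection (13301) never gets one. The following Python module is an added example for this lesson, not part of ISA Server or the course materials. It joins the two entries by connectionid (Table 9.2, row 27), classifies result codes by the ranges in row 22 and the ISA-specific values in Table 9.5, and reports connections that were refused or that never terminated within the file. The input rows are dicts keyed by the W3C field names, as a W3C log parser would produce; the sample rows are constructed.

```python
"""Reconstruct Firewall service connections from ISA Server's paired log entries.

Added example for this lesson, not part of ISA Server. Rows are dicts keyed by the
W3C field names of Table 9.2; the sample rows below are constructed.
"""

# Result codes specific to the Firewall service log (Table 9.5).
ISA_CODES = {
    0: "Successful connection",
    13301: "Connection rejected (filtering or protocol permissions)",
    20000: "Normal connection termination",
    20001: "Unexpected connection termination",
}


def classify_result_code(code):
    """Return (family, description) for an sc-status value, per Table 9.2 row 22."""
    code = int(code)
    if code in ISA_CODES:
        return ("win32" if code == 0 else "isa"), ISA_CODES[code]
    if code < 100:
        return "win32", f"Win32 error {code}"
    if 100 <= code <= 1000:
        return "http", f"HTTP status {code}"
    if 10000 <= code <= 11004:
        return "winsock", f"Winsock error {code}"
    return "unknown", f"unrecognised result code {code}"


def _bytes(value):
    # A dash, 0 or a negative number means "not reported" (Table 9.2, rows 14 and 15).
    try:
        return max(int(value), 0)
    except (TypeError, ValueError):
        return 0


def reconstruct_connections(rows):
    """Group entries by connectionid.

    The first entry carries sc-status 0 (accepted) or 13301 (refused) and zero bytes;
    the second carries 20000/20001 and the real byte counts. A connection with no
    second entry was either refused or is still open (or terminated in a later file).
    """
    conns = {}
    for row in rows:
        code = int(row["sc-status"])
        c = conns.setdefault(row["connectionid"], {
            "client": row["c-ip"], "user": row["cs-username"],
            "destination": f"{row['r-ip']}:{row['r-port']}",
            "opened": None, "refused": False, "termination": None,
            "bytes_sent": 0, "bytes_received": 0, "other_codes": [],
        })
        if code in (0, 13301):
            c["opened"] = row["time"]
            c["refused"] = code == 13301
        elif code in (20000, 20001):
            c["termination"] = "normal" if code == 20000 else "unexpected"
            c["bytes_sent"] = _bytes(row.get("cs-bytes"))
            c["bytes_received"] = _bytes(row.get("sc-bytes"))
        else:
            c["other_codes"].append(code)  # e.g. Winsock errors on the connection
    return conns


def refused(conns):
    """Connection IDs rejected by a rule or protocol permission (13301)."""
    return sorted(cid for cid, c in conns.items() if c["refused"])


def unterminated(conns):
    """Accepted connections with no termination entry in this file."""
    return sorted(cid for cid, c in conns.items()
                  if c["opened"] and not c["refused"] and c["termination"] is None)


def _row(time, status, cid, r_ip, r_port, cs_bytes="0", sc_bytes="0"):
    # Constructed sample row; only the fields the functions above read are included.
    return {"c-ip": "10.0.0.15", "cs-username": "CORP\\jsmith", "time": time,
            "r-ip": r_ip, "r-port": r_port, "sc-status": status,
            "cs-bytes": cs_bytes, "sc-bytes": sc_bytes, "connectionid": cid}


SAMPLE_ROWS = [
    _row("14:32:10", "0", "5", "192.0.2.80", "80"),
    _row("14:32:11", "13301", "6", "198.51.100.9", "6667"),      # refused, no 2nd entry
    _row("14:32:12", "0", "7", "192.0.2.25", "25"),
    _row("14:32:14", "20000", "5", "192.0.2.80", "80", "1432", "58211"),
    _row("14:32:20", "0", "8", "192.0.2.80", "443"),              # still open at file end
    _row("14:32:31", "20001", "7", "192.0.2.25", "25", "512", "-"),
]
```

When reading a daily or more frequent log, treat the unterminated list with care: a connection that opened shortly before midnight will have its 20000/20001 entry in the next day's file, so it is a candidate for follow-up rather than evidence of anything by itself.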
Table 9.6 lists the possible values for the cache info (s-cache-info in W3C format) parameter reported by the ISA Server Web Proxy service log. This expands on the information presented in row 23 of Table 9.2. This value indicates why the object was or was not cached.
Table 9.6 Cache Info Values
Value | Description |
---|---|
0x00000001 | Request should not be served from the cache |
0x00000002 | Request includes the IF-MODIFIED-SINCE header |
0x00000004 | Request includes one of these headers: CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE |
0x00000008 | Request includes the AUTHORIZATION header |
0x00000010 | Request includes the VIA header |
0x00000020 | Request includes the IF-MATCH header |
0x00000040 | Request includes the RANGE header |
0x00000080 | Request includes the CACHE-CONTROL: NO-STORE header |
0x00000100 | Request includes the CACHE-CONTROL: MAX-AGE, CACHE-CONTROL: MAX-STALE, or CACHE-CONTROL: MIN-FRESH header |
0x00000200 | Cache could not be updated. |
0x00000400 | IF-MODIFIED-SINCE time specified in the request is newer than cached LASTMODIFIED time |
0x00000800 | Request includes the CACHE-CONTROL: ONLY-IF-CACHED header |
0x00001000 | Request includes the IF-NONE-MATCH header |
0x00002000 | Request includes the IF-UNMODIFIED-SINCE header |
0x00004000 | Request includes the IF-RANGE header |
0x00008000 | More than one VARY header |
0x00010000 | Response includes the CACHE-CONTROL: PUBLIC header |
0x00020000 | Response includes the CACHE-CONTROL: PRIVATE header |
0x00040000 | Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header |
0x00080000 | Response includes the CACHE-CONTROL: NO-STORE header |
0x00100000 | Response includes either the CACHE-CONTROL: MUST-REVALIDATE or CACHE-CONTROL: PROXY-REVALIDATE header |
0x00200000 | Response includes the CACHE-CONTROL: MAX-AGE or S-MAXAGE header |
0x00400000 | Response includes the VARY header |
0x00800000 | Response includes the LAST-MODIFIED header |
0x01000000 | Response includes the EXPIRES header |
0x02000000 | Response includes the SET-COOKIE header |
0x04000000 | Response includes the WWW-AUTHENTICATE header |
0x08000000 | Response includes the VIA header |
0x10000000 | Response includes the AGE header |
0x20000000 | Response includes the TRANSFER-ENCODING header |
0x40000000 | Response should not be cached. |
Packet Filter Log Fields
You can use the packet filter log to monitor and analyze the status of the packet filters. Table 9.7 lists the fields that you can include in each of the Packet Filters log files. You can view these field names through the Monitoring Configuration node in ISA Management. To do so, click on the Logs folder, and then double-click on the Packet Filters log. Finally, click on the Fields tab to review the fields available for logging.
Table 9.7 Log Fields for Packet Filtering
Field position | Descriptive name (field name) | Description |
---|---|---|
1 | Date (date) | Date the packet was received. |
2 | Time (time) (service info fields) | The time the packet was received |
3 | Source IP (source-ip) | The IP address of the source (remote) computer. The source computer is the computer from which the data packets originated. |
4 | Destination IP (destination-ip) | The IP address of the destination (local) computer. The destination computer is usually the ISA Server computer. |
5 | Protocol (protocol) | The particular transport level protocol that is used during the connection, such as TCP, UDP, or Internet Control Message Protocol (ICMP). |
6 | Source port (or protocol type, if ICMP) (param#1) | For TCP and UDP protocols, the remote port used to create a connection. For ICMP protocol, the type used when creating the connection. |
7 | Destination port (or protocol code, if ICMP) (param#2) | For TCP and UDP protocols, the local port used to create a connection. For ICMP protocol, the code used when creating the connection. |
8 | TCP flags (tcp-flags) | For a TCP data packet, represents the TCP flag value in the TCP header. The possible values are FIN, SYN, RST, PSH, ACK, and URG. |
9 | Rule (filter-rule) | Indicates whether the packet was accepted (1) or dropped (0). By default, only dropped packets are logged. |
10 | Interface IP address (interface) | Interface on which the packet was received; usually only one interface. |
11 | Header (ip-header) | The entire IP header of the data packet that generated the alert event. The IP header is logged in hexadecimal format. |
12 | Payload (payload) | A listing of a portion of the data packet (after the IP header). The IP packet is logged in hexadecimal format. |
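Because the packet filter log records each dropped packet with its source, destination, protocol and ports, it is a natural place to look for reconnaissance against the ISA Server's external interface. The following Python module is an added example for this lesson, not part of ISA Server or the course materials. It parses packet filter log lines in ISA format (12 comma-separated fields in the order of Table 9.7), interprets param#1 and param#2 according to the protocol as rows 6 and 7 describe, and flags any source whose dropped TCP SYN or UDP packets touched many distinct local ports. The sample lines are constructed; note that by default only dropped packets are logged, so the one accepted line (filter-rule 1) would appear only if Log Packets From 'Allow' Filters were enabled.

```python
"""Flag probable port scans in an ISA Server packet filter log written in ISA format.

Added example for this lesson, not part of ISA Server. Sample log lines are constructed.
"""
from collections import defaultdict

# The 12 packet filter fields in the order of Table 9.7.
PACKET_FILTER_FIELDS = [
    "date", "time", "source-ip", "destination-ip", "protocol", "param#1",
    "param#2", "tcp-flags", "filter-rule", "interface", "ip-header", "payload",
]


def parse_packet_filter_isa(text):
    """ISA format: no header, comma-delimited, every field present, '-' means empty."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        values = [v.strip() for v in line.split(",")]
        if len(values) != len(PACKET_FILTER_FIELDS):
            raise ValueError(f"line {lineno}: expected 12 fields, got {len(values)}")
        row = {f: (None if v == "-" else v) for f, v in zip(PACKET_FILTER_FIELDS, values)}
        row["dropped"] = row["filter-rule"] == "0"   # filter-rule: 1 accepted, 0 dropped
        rows.append(row)
    return rows


def describe_packet(row):
    """Render param#1/param#2, whose meaning depends on the protocol (Table 9.7 rows 6-7)."""
    proto = (row["protocol"] or "").upper()
    if proto == "ICMP":
        return f"ICMP type {row['param#1']} code {row['param#2']}"
    return f"{proto} {row['source-ip']}:{row['param#1']} -> {row['destination-ip']}:{row['param#2']}"


def _is_connection_attempt(flags):
    # A bare SYN (no ACK) is a new connection attempt; RST/ACK noise is ignored.
    f = set((flags or "").replace(",", " ").split())
    return "SYN" in f and "ACK" not in f


def port_scan_candidates(rows, min_ports=5):
    """Sources whose dropped probes hit at least min_ports distinct local ports."""
    ports = defaultdict(set)
    for row in rows:
        if not row["dropped"]:
            continue
        proto = (row["protocol"] or "").upper()
        if proto == "TCP" and not _is_connection_attempt(row["tcp-flags"]):
            continue
        if proto in ("TCP", "UDP"):
            ports[row["source-ip"]].add(int(row["param#2"]))  # param#2 = local port
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def dropped_icmp_by_source(rows):
    """Count dropped ICMP packets per source (e.g. echo requests, type 8)."""
    counts = defaultdict(int)
    for row in rows:
        if row["dropped"] and (row["protocol"] or "").upper() == "ICMP":
            counts[row["source-ip"]] += 1
    return dict(counts)


# Constructed excerpt: one host sweeps the external interface, another pings it.
SAMPLE_LOG = "\n".join([
    "2002-05-21,03:14:01,198.51.100.7,203.0.113.2,TCP,41002,21,SYN,0,203.0.113.2,45000030,-",
    "2002-05-21,03:14:01,198.51.100.7,203.0.113.2,TCP,41003,22,SYN,0,203.0.113.2,45000030,-",
    "2002-05-21,03:14:01,198.51.100.7,203.0.113.2,TCP,41004,23,SYN,0,203.0.113.2,45000030,-",
    "2002-05-21,03:14:02,198.51.100.7,203.0.113.2,TCP,41005,25,SYN,0,203.0.113.2,45000030,-",
    "2002-05-21,03:14:02,198.51.100.7,203.0.113.2,TCP,41006,80,SYN,1,203.0.113.2,45000030,-",
    "2002-05-21,03:14:02,198.51.100.7,203.0.113.2,TCP,41007,135,SYN,0,203.0.113.2,45000030,-",
    "2002-05-21,03:14:03,198.51.100.7,203.0.113.2,TCP,41008,139,SYN,0,203.0.113.2,45000030,-",
    "2002-05-21,03:14:03,198.51.100.7,203.0.113.2,TCP,41009,443,SYN,0,203.0.113.2,45000030,-",
    "2002-05-21,03:15:10,192.0.2.44,203.0.113.2,ICMP,8,0,-,0,203.0.113.2,45000054,-",
    "2002-05-21,03:15:11,192.0.2.44,203.0.113.2,ICMP,8,0,-,0,203.0.113.2,45000054,-",
    "2002-05-21,03:16:00,192.0.2.44,203.0.113.2,TCP,51000,80,SYN,0,203.0.113.2,45000030,-",
])
```

The accepted probe to port 80 is deliberately excluded from the scan count: only dropped packets say anything about what the attacker could not reach, and counting allowed traffic would turn every legitimate Web client into a false positive. The threshold of five ports is an assumption for the example; tune it to the noise level of the interface being monitored.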
Practice: Reading Web Logs
To prepare for this exercise, open the sample Web Proxy log named WEBEXTD20010129, which can be found in the \Exercises\Chapter9\ folder of the Supplemental Course Materials CD-ROM accompanying this book. The log file is in W3C format. Once you have opened the file, use the information in this chapter to answer the following questions. Be sure to provide the specific code value or values that are essential to answer each question.
For the first Web connection in the log (initiated at 02:31:35), was the traffic heavier from the client to the server, or vice-versa?
For this same connection, was the Web request fulfilled from the cache or from the Internet?
At what time was a connection reset by the remote side?
Was the object requested at 02:31:45 found in the cache? Had the object been modified? What source was ultimately used to fulfill the request?
Which Web operation was conducted at 04:55:14? Was the destination found?
Lesson Summary
Three logs are built into ISA Server that monitor the activity of ISA Server packet filters, the Firewall service, and the Web Proxy service. By default, one new log file is generated for each service per day. Also by default, each new log file is stored in the ISALogs folder below the ISA Server installation folder. Logging properties are modified in ISA Management in the Logs folder of the Monitoring Configuration node.
You can save ISA Server logs either to a file or to an ODBC database. When you save to a file, you can specify either the W3C format or the ISA format. To conserve disk space required for the log files, ISA Server allows you to compress log files and to limit the number of log files saved on all the servers in the array.
ISA Server allows you to specify which fields to report to the service logs. You should consult ISA Server Help to determine which fields are available for each service and what each field value represents.