Microsoft ISA Log Configuration Options
Use the reference information to configure the WinCollect plug-in for Microsoft ISA.
Supported Versions Of Microsoft ISA
The Microsoft ISA plug-in for WinCollect supports the following software versions:
Microsoft ISA Server 2006
Microsoft Forefront Threat Management Gateway 2010
Supported Microsoft ISA or TMG Server Log Formats
Microsoft ISA and Forefront Threat Management Gateway installations write separate firewall service and web proxy event logs to a common log directory. To collect these events with WinCollect, you must configure your Microsoft ISA or Microsoft Forefront Threat Management Gateway server to write its event logs to a log directory on disk.
Events that are logged to a Microsoft SQL Server database cannot be collected by WinCollect; only file-based logs are supported.
WinCollect supports the following event log formats:
Web proxy logs in W3C format (w3c_web)
Microsoft firewall service logs in W3C format (w3c_fws)
Web Proxy logs in IIS format (iis_web)
Microsoft firewall service logs in IIS format (iis_fws)
The W3C event format is the preferred event log format. The W3C format contains a standard heading with the version information and all of the fields that are expected in the event payload. You can customize the W3C event format for the firewall service log and the web proxy log to include or exclude fields from the event logs.
Most administrators can use the default W3C format fields. If the W3C format is customized, the following fields must be retained so that events are categorized correctly:

| Required field | Description |
|---|---|
| Client IP (c-ip) | The source IP address. |
| Action | The action that the firewall took. |
| Destination IP (r-ip) | The destination IP address. |
| Protocol (cs-protocol) | The application protocol name, for example, HTTP or FTP. |
| Client user name (cs-username) | The user account that made the request to the firewall service. |
| Client user name (username) | The user account that made the request to the web proxy service. |
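The W3C format is easiest to validate before you point WinCollect at it: the `#Fields` directive line names every column, so a short parser can confirm that a customized log still carries the fields in the table above. The following Python is an added example written for this page, not WinCollect code. It parses W3C-style directive lines and tab-delimited records, reports which required fields a customized header dropped, and counts denied connections per client. The sample log lines are constructed for the example, with a small subset of the real field set; the required-field names follow the table above, and the `Denied Connection` action string is assumed for the firewall service log.

```python
"""Parse W3C-format ISA/TMG firewall and web proxy logs and check the required fields."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Field names WinCollect needs to categorize events, per log type (from the table above).
REQUIRED_FIELDS = {
    "w3c_fws": ("c-ip", "action", "r-ip", "cs-protocol", "cs-username"),
    "w3c_web": ("c-ip", "action", "r-ip", "cs-protocol", "username"),
}


@dataclass
class W3CLog:
    log_type: str                                   # "w3c_fws" or "w3c_web"
    fields: List[str] = field(default_factory=list)  # column names from #Fields
    directives: Dict[str, str] = field(default_factory=dict)  # #Software, #Version, #Date, ...
    records: List[Dict[str, str]] = field(default_factory=list)

    def missing_required(self) -> List[str]:
        """Required fields that a customized #Fields header no longer contains."""
        return [f for f in REQUIRED_FIELDS[self.log_type] if f not in self.fields]


def parse_w3c(text: str, log_type: str) -> W3CLog:
    """Parse directive lines ('#Name: value') and tab-delimited data lines."""
    if log_type not in REQUIRED_FIELDS:
        raise ValueError(f"unknown log type {log_type!r}")
    log = W3CLog(log_type)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            name = name.strip()
            if name == "Fields":
                log.fields = value.split()      # field names are whitespace separated
            else:
                log.directives[name] = value.strip()
            continue
        if not log.fields:
            raise ValueError(f"line {lineno}: data record before the #Fields header")
        values = line.split("\t")
        if len(values) != len(log.fields):
            raise ValueError(f"line {lineno}: {len(values)} values for {len(log.fields)} fields")
        log.records.append(dict(zip(log.fields, values)))
    return log


def denied_by_client(log: W3CLog) -> Dict[str, int]:
    """Count records whose action contains 'Denied', keyed by client IP."""
    counts: Counter = Counter()
    for rec in log.records:
        if "Denied" in rec.get("action", ""):
            counts[rec["c-ip"]] += 1
    return dict(counts)


# Constructed firewall service log with the default-style header (subset of real fields).
FWS_SAMPLE = "\n".join([
    "#Software: Microsoft(R) Forefront(TM) Threat Management Gateway",
    "#Version: 2.0",
    "#Date: 2010-06-01 00:00:00",
    "#Fields: c-ip cs-username date time s-computername cs-protocol r-ip r-port action rule",
    "\t".join(["10.1.2.3", "CORP\\alice", "2010-06-01", "08:15:02", "TMG01", "TCP",
               "93.184.216.34", "443", "Initiated Connection", "Allow web"]),
    "\t".join(["10.1.2.7", "-", "2010-06-01", "08:15:09", "TMG01", "TCP",
               "198.51.100.9", "445", "Denied Connection", "Default rule"]),
    "\t".join(["10.1.2.7", "-", "2010-06-01", "08:15:10", "TMG01", "UDP",
               "198.51.100.9", "137", "Denied Connection", "Default rule"]),
])

# Constructed customized header that dropped cs-protocol and cs-username: not collectable as-is.
CUSTOM_FWS_SAMPLE = "\n".join([
    "#Version: 2.0",
    "#Fields: c-ip date time s-computername r-ip r-port action",
    "\t".join(["10.1.2.7", "2010-06-01", "08:15:09", "TMG01", "198.51.100.9", "445",
               "Denied Connection"]),
])

if __name__ == "__main__":
    good = parse_w3c(FWS_SAMPLE, "w3c_fws")
    print("missing:", good.missing_required(), "denied:", denied_by_client(good))
    print("missing in customized log:", parse_w3c(CUSTOM_FWS_SAMPLE, "w3c_fws").missing_required())
```

Run `missing_required()` against the first few lines of a freshly rotated log after any change to the logging fields in the ISA or TMG console; an empty list means the required columns are still present.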
Microsoft ISA Directory Structure for Event Collection
The event logs that are monitored by WinCollect are defined by the root directory that you configure in your log source.
When you specify a root log directory, WinCollect evaluates the directory folder and recursively searches the subfolders to determine when new events are written to the event log. By default, the WinCollect plug-in for Microsoft ISA polls the root log directory for updated event logs every 5 seconds.
| Version | Root Log Directory |
|---|---|
| Microsoft ISA 2006 | %systemroot%\LogFiles\IAS\ |
| Microsoft Threat Management Gateway | <Program Files>\<Forefront Directory>\ISALogs\ |
Microsoft ISA Protocol Parameters
| Parameter | Description |
|---|---|
| Log Source Type | Microsoft ISA |
| Protocol Configuration | WinCollect Microsoft ISA / Forefront TMG |
| Local System | To collect local events, the WinCollect agent must be installed on the same host as your Microsoft ISA or Forefront TMG server. The log source uses local system credentials to collect events and forward them to JSA. |
| Root Directory | The directory that WinCollect monitors for event logs. The default is %systemroot%\LogFiles\IAS\ for Microsoft ISA 2006 and <Program Files>\<Forefront Directory>\ISALogs\ for Microsoft Threat Management Gateway. When you specify a remote file path, use a dollar sign, $, instead of a colon, :, after the drive letter (the administrative share name), for example \\host\C$\ rather than C:\. |
| File Monitor Policy | The Notification-based (local) option uses Windows file system notifications to detect changes to your event log. The Polling-based (remote) option monitors changes to remote files and directories: the agent polls the remote event log and compares the file with its state at the previous polling interval, and if the event log contains new events, the new events are retrieved. |
| Polling Interval | The amount of time between queries to the root log directory for new events. The default is 5 seconds. |
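The polling-based policy and the remote root directory convention are easy to reason about with a small model: walk the root directory tree, remember how many bytes of each log file have already been consumed, and on each poll hand back only the complete new lines. The following Python is an added example written for this page, not WinCollect code, and it does not reproduce WinCollect's internal file-tracking logic; it shows the behaviour the File Monitor Policy and Root Directory descriptions above call for. The `.w3c` suffix filter, the `demo()` helper and its two-line log contents are constructed for the example, and the local path passed to `to_remote_path` is an assumed value, not the real TMG install directory.

```python
"""Polling-based incremental collection over an ISA/TMG log directory tree."""
import os
import tempfile
from typing import Dict, List, Tuple


def to_remote_path(host: str, local_path: str) -> str:
    """Turn a local path such as C:\\ISALogs into the remote form \\\\host\\C$\\ISALogs.

    The ':' after the drive letter becomes '$', as the Root Directory parameter requires.
    """
    drive, sep, rest = local_path.partition(":")
    if not sep or len(drive) != 1 or not drive.isalpha():
        raise ValueError(f"expected a drive letter followed by ':' in {local_path!r}")
    return "\\\\" + host + "\\" + drive.upper() + "$" + rest


# Collection state: absolute log file path -> number of bytes already consumed.
State = Dict[str, int]


def poll(root: str, state: State, suffix: str = ".w3c") -> List[Tuple[str, str]]:
    """Return (path, line) for every complete new line written since the previous poll.

    The root directory is searched recursively, as WinCollect does with the configured
    root log directory. A line without a trailing newline is left for the next poll so
    that a record still being written is never emitted half-finished.
    """
    new_lines: List[Tuple[str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.lower().endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            offset = state.get(path, 0)
            if size < offset:          # file truncated or replaced under the same name
                offset = 0
            if size == offset:         # nothing new since the last poll
                continue
            with open(path, "rb") as fh:
                fh.seek(offset)
                chunk = fh.read(size - offset)
            cut = chunk.rfind(b"\n")
            if cut < 0:                # only a partial line so far; wait
                continue
            for line in chunk[:cut].splitlines():
                new_lines.append((path, line.decode("utf-8", "replace")))
            state[path] = offset + cut + 1
    return new_lines


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Three consecutive polls over a constructed root with a log in a subfolder."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "fws")
        os.makedirs(sub)
        web = os.path.join(root, "WEB_20100601.w3c")
        fws = os.path.join(sub, "FWS_20100601.w3c")
        with open(web, "w") as fh:
            fh.write("#Fields: c-ip action\n10.1.2.3\tAllowed\n")
        with open(fws, "w") as fh:
            fh.write("#Fields: c-ip action\n10.1.2.7\tDenied Conn")   # record not yet complete
        state: State = {}
        first = [line for _, line in poll(root, state)]
        with open(fws, "a") as fh:
            fh.write("ection\n")                                          # record completed
        second = [line for _, line in poll(root, state)]
        third = [line for _, line in poll(root, state)]
    return first, second, third


if __name__ == "__main__":
    print(to_remote_path("tmg01", r"C:\ISALogs"))
    for i, batch in enumerate(demo(), 1):
        print(f"poll {i}: {batch}")
```

The byte-offset state is what makes the polling policy safe to run every few seconds: each poll costs one `stat` per file plus a read of only the appended bytes, and a rotated file that reappears smaller than the recorded offset is re-read from the start rather than skipped.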