Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Microsoft ISA Log Configuration Options

Use the reference information to configure the WinCollect plug-in for Microsoft ISA.

Supported Versions Of Microsoft ISA

The Microsoft ISA plug-in for WinCollect supports the following software versions:

  • Microsoft ISA Server 2006

  • Microsoft Forefront Threat Management Gateway 2010

Supported Microsoft ISA or TMG Server Log Formats

Microsoft ISA and Forefront Threat Management Gateway installations create individual firewall and web proxy event logs in a common log directory. To collect these events with WinCollect, you must configure your Microsoft ISA or Microsoft Time Management Gateway to write event logs to a log directory.


Events that log to a Microsoft SQL server database are not supported by WinCollect.

WinCollect supports the following event log formats:

  • Web proxy logs in WC3 format (w3c_web)

  • Microsoft firewall service logs in WC3 format (w3c_fws)

  • Web Proxy logs in IIS format (iis_web)

  • Microsoft firewall service logs in IIS format (iis_fws)

The W3C event format is the preferred event log format. The W3C format contains a standard heading with the version information and all of the fields that are expected in the event payload. You can customize the W3C event format for the firewall service log and the web proxy log to include or exclude fields from the event logs.

Most administrators can use the default W3C format fields. If the W3C format is customized, the following fields are required to properly categorize events:

Table 1: W3C Format Required Fields

Required field


Client IP (c-ip)

The source IP address.


Action that is taken by the firewall.

Destination IP (r-ip)

The destination IP address.

Protocol (cs-protocol)

The application protocol name, for example, HTTP or FTP.

Client user name (cs-username)

The User account that made the data request of the firewall service.

Client user name (username)

The User account that made the data request of the web proxy service.

Microsoft ISA Directory Structure for Event Collection

The event logs that are monitored by WinCollect are defined by the root directory that you configure in your log source.

When you specify a root log directory, WinCollect evaluates the directory folder and recursively searches the subfolders to determine when new events are written to the event log. By default, the WinCollect plug-in for Microsoft ISA polls the root log directory for updated event logs every 5 seconds.

Table 2: Event Log Default Directory Structure for Microsoft ISA


Root Log Directory

Microsoft ISA 2006


Microsoft Threat Management Gateway

<Program Files>\<Forefront Directory>\ISALogs\

Microsoft ISA Protocol Parameters

Table 3: Microsoft ISA Protocol Parameters



Log Source Type

Microsoft ISA

Protocol Configuration

WinCollect Microsoft ISA / Forefront TMG

Local System

To collect local events, the WinCollect agent must be installed on the same host as your Microsoft ISA or Forefront TMG server. The log source uses local system credentials to collect and forward events to the JSA.

Root Directory

When you specify a remote file path, use a dollar sign, $, instead of a colon, :, to represent your drive name.

Microsoft ISA 2006

  • For a local directory path, use %systemroot%\LogFiles\ISA\

  • For a remote directory path, use \<ISA server IP>\%systemroot%\LogFiles\ISA\

Microsoft Threat Management Gateway

  • For a local directory path, use <Program Files>\<Forefront Directory>\ISALogs\

  • For a remote directory path, use \\<ISA server IP>\<Program Files>\<Forefront Directory>\ISALogs\

File Monitor Policy

The Notification-based (local) option uses the Windows file system notifications to detect changes to your event log.

The Polling-based (remote) option monitors changes to remote files and directories. The agent polls the remote event log and compares the file to the last polling interval. If the event log contains new events, the event log is retrieved.

Polling Interval

The amount of time between queries to the root log directory for new events.