Blog du Tristank

So terrific that 3 of 4 readers rated it "soporific"


ISA 2004: New-Style Log Filtering and Export


I covered how I usually end up filtering ISA 2000 logs in a previous post.

With ISA 2004, the game's changed!

By default, ISA will log to a local MSDE instance, and the new MMC includes a Monitoring section with all sorts of useful information, including the new Logging interface. (You can set ISA to log to a text file or a SQL Server instead, but I haven't tried that yet.)

Using the Logging interface you're able to perform queries against live connections or stored data, and select only the criteria that interest you (say, connections from a certain client IP over the last hour), so you can skip the "try to open the 800MB proxy log file in Notepad to strip out a page or three of relevant results" step entirely! The interface doesn't list every possibly useful field by default (you can add any available columns if you'd like to see them), but once you have a summary result set you're happy with, you can hit the "Copy All Results to Clipboard" Task Pane link, and the hidden information becomes visible again in the usual Firewall Log style, complete with column headings.

What does appear to be missing is a simple way to export the portion of the log on display directly to a file, but going via the Clipboard seems reasonable for most troubleshooting scenarios (e.g., the ones I'm mostly interested in), given that filtering can show you exactly what you're interested in.

Filters can also be saved and loaded if you have one you're particularly fond of.

Comments
  • I have tried it with the MSDE instance. ISA saves the IP address not as a simple string but coded in a bigint :( I'm looking for a way to decode it some way. Suggestions to g.duquesnoy@svbgroup.nl

  • I haven't tried getting at the MSDE instance directly (I just go through the ISA UI).

    Google for "long int ip address dotted" - it got me some sample VB code and some pseudocode.

    If you copy and paste from the logging interface in the MMC, it does this transparently for you.

  • This is very helpful, thanks!
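The comment thread above asks how to turn an integer-coded IP address back into dotted notation. The following is an added example, not code from the post or from either commenter, and it does not claim to be ISA's documented encoding: it assumes the common "long int" packing the reply refers to, where the four octets A.B.C.D are packed big-endian into one 32-bit value, plus the quirk that an unsigned 32-bit address stored in a signed column shows up negative (the sample values it decodes are constructed for the demonstration).

```python
import ipaddress

# Assumption (not confirmed from the post): the address A.B.C.D is packed as
# A*2**24 + B*2**16 + C*2**8 + D, i.e. big-endian, most significant octet first.
UINT32_MAX = 0xFFFFFFFF


def int_to_dotted(value: int) -> str:
    """Decode an integer-coded IPv4 address to dotted-quad text.

    A negative value is treated as the same 32-bit pattern read as a signed
    number, which is what an address above 127.255.255.255 looks like when it
    lands in a signed column, so 2**32 is added back before decoding.
    """
    if value < 0:
        value += 2 ** 32
    if not 0 <= value <= UINT32_MAX:
        raise ValueError(f"{value} does not fit a 32-bit IPv4 address")
    return str(ipaddress.IPv4Address(value))


def dotted_to_int(text: str, signed: bool = False) -> int:
    """Encode dotted-quad text as an integer, optionally as a signed 32-bit value.

    signed=True reproduces the wrapped (negative) form you would get from a
    signed 32-bit store, which is handy for building a lookup value to compare
    against a column that holds such numbers.
    """
    value = int(ipaddress.IPv4Address(text))  # raises on malformed input
    if signed and value >= 2 ** 31:
        value -= 2 ** 32
    return value


# Constructed sample column values for the demonstration (not real log data):
# the same address in unsigned and signed-wrapped form, plus a low address.
SAMPLE_VALUES = [3232235777, -1062731519, 167772161]


def decode_sample() -> list:
    """Decode the constructed sample values; both 192.168.1.1 forms agree."""
    return [int_to_dotted(v) for v in SAMPLE_VALUES]


if __name__ == "__main__":
    for raw, text in zip(SAMPLE_VALUES, decode_sample()):
        print(f"{raw:>12} -> {text}")
```

Running it prints each constructed integer beside its dotted form; the first two rows decode to the same address, showing that the negative value is only the signed reading of the same 32 bits. When matching a known client address against integer-coded log rows, encode it with `dotted_to_int` in whichever form the column uses rather than decoding every row.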