Overview of Microsoft TMG and ISA Server Log Auditing
Using InTrust, you can collect and report on audit data from Microsoft Forefront Threat Management Gateway and ISA Server.
The following versions are supported:
- Forefront Threat Management Gateway 2010
- ISA Server 2006
- ISA Server 2004
- ISA Server 2000
For specifics about product version support, see System Requirements.
InTrust allows you to gather event data recorded by Microsoft Internet Security and Acceleration Server (ISAS) to the following audit trails:
- Microsoft Forefront Threat Management Gateway Server Web Proxy Log
- Microsoft Forefront Threat Management Gateway Server Firewall Log
- Microsoft ISA Server Web Proxy Log
- Microsoft ISA Server Firewall Log
- Windows Application Log (events generated by ISAS)
- Windows Security Log (events generated by ISAS)
Note: When you collect data for Microsoft Forefront Threat Management Gateway Server, the names of data sources that are displayed in InTrust Repository Viewer and InTrust reports are "Microsoft ISA Server Web Proxy Log" and "Microsoft ISA Server Firewall Log" by design.
InTrust collects Web Proxy and Firewall logs written into the files of the following formats:
- W3C Extended File Format: contains both data and directives describing the version, date, and logged fields. Because the fields are described in the file, unselected fields are not logged. The tab character is used as delimiter. Date and time are in GMT. Logs in this format are collected only from ISA, not from Threat Management Gateway.
- ISA Server file format: contains only data with no directives. All fields are always logged; unselected fields are logged as dash to indicate they are empty. The comma character is used as delimiter. The date and time fields are in local time.
Also, InTrust can collect Web Proxy and Firewall logs data stored in the MSDE database format. When you select to save the logs to an MSDE database, logs are saved in databases named ISALOG_yyyymmdd_xxx_nnn where:
- yyyymmdd stands for the date the log database refers to (year, month, and day)
- xxx represents the type that the log database refers to:
- FWS represents the Firewall log
- WEB represents the Web Proxy log
- nnn is a number that distinguishes between log databases that refer to the same day
For each log database, two files are created: ISALOG_yyyymmdd_xxx_nnn.mdf and ISALOG_yyyymmdd_xxx_nnn.ldf.
By default, the log information for MSDE logs and for the log files is stored in the ISALogs folder, under the ISA Server installation folder. If you change the location, the actual log folder may be different on every server.
Configuring TMG and ISA Server Logging
To configure logging, for example, of Microsoft ISA Server 2006, carry out the following:
- In the console tree of ISA Server Management, click Monitoring:
- For ISA Server Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Monitoring.
- For ISA Server Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Monitoring.
- In the details pane, click the Logging tab.
- On the Tasks tab, select the appropriate task:
- Configure Firewall Logging
- Configure Web Proxy Logging
- In the Properties dialog box, specify the logging options you need.
Note: To generate the most comprehensive reports, you can configure logging options so as to include all events in log. However, in this case you should consider the log size growth and plan for the log cleanup frequency. Use ISA Server logging options and InTrust gathering options to configure log retention period as you need.
Gathering Microsoft TMG and ISA Server Events with InTrust
- In InTrust Manager, select Configuration | Sites | Microsoft Windows Network, and select the All TMG and ISA Servers site.
- To automatically install agents on the site computers, select Install Agents from site's shortcut menu. Agentless gathering peculiarities are described later.
- Select the TMG and ISAS Daily Collection task, or configure a new task you need, with a gathering job involving the necessary gathering policy and site. In the task properties, select the Schedule enabled option.
- Select the TMG and ISAS Weekly Reporting task, or configure a new reporting task you need, and enable its schedule in a similar way.
Gathering Data Using Agents
To minimize impact on the network when communicating data from target computer to InTrust server, agents are recommended for data gathering.
The following rights and permissions must be assigned to the InTrust agent account if the agent is not running under the LocalSystem account:
- Read permission to the TMG or ISA server (or server array) configuration.
- Read permission to the HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation registry key.
- Read and List Folder Contents permissions to log file folders; the Delete permission must also be granted if the Clear log files after gathering option is turned on for the data source.
Caution: To collect TMG logs in SQL Server Express format, make sure that the InTrust agent runs under an account that has read access to the log database.