Best Practices: Logging

Microsoft Internet Security and Acceleration Server 2004

Microsoft Corporation

Information in this document, including URL and other Internet Web site references, is subject to change without notice. The example companies, organizations, products, people, and events depicted herein are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2005 Microsoft Corporation. All rights reserved.

Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries/regions. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction

Log Storage Format

Selecting Log Format

File

MSDE Database

SQL Database

General Logging Best Practices

General Security Best Practices

General Capacity Planning Guidelines

Log Failure

Maintaining Logs

Reviewing Logs

Log Maintenance

Configuring Logs During Flood Attacks

Connectivity Failure

SQL Data and Transaction Log Location

SQL Logging

Security Best Practices for Logging to SQL Server

Connectivity Failure

Capacity Planning for SQL Logs

Remote SQL Logging

Special Considerations for SQL Logging

Data Encryption for the SQL Log

MSDE Logging

Capacity Planning for MSDE Logs

Compressed Drives

Additional Information

Introduction

This guide is designed to provide you with essential information about logging for Microsoft® Internet Security and Acceleration (ISA) Server 2004 Standard Edition and ISA Server 2004 Enterprise Edition. The guide reviews the logging formats, describes specific logging maintenance considerations, details capacity guidelines, and outlines special considerations when logging to a Microsoft SQL Server™ database.

This guide focuses explicitly on best practices to follow when configuring logging as part of your ISA Server deployment. You should use this guide as part of your overall deployment strategy for ISA Server 2004. Specifically, this guide provides detailed answers to the following questions:

·  What is the most appropriate logging format for my specific deployment?

·  How should I optimally secure the logs?

·  How should I maintain the logs?

·  What special considerations are there when logging to an SQL database?

·  What special considerations are there when logging to a Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) database?

Log Storage Format

You can use the ISA Server2004 log viewer to monitor and analyze traffic and troubleshoot network activity. The log viewer can display log entries as they occur (live). In this case, each time an event is logged, it is displayed in the log viewer.

ISA Server creates the following logs:

·  Firewall log

·  Web Proxy log

·  SMTP Message Screener log

The fields that can be logged in these files are detailed in online Help.

ISA Server log information can be viewed in a log viewer, directly from ISA Server Management. In addition, the log information can be stored in one of the following formats:

·  File

·  MSDE database

·  SQL database

Selecting Log Format

Each log format supported by ISA Server features different advantages. Use the comparison that follows to select the optimal log format, based on your specific deployment. Each issue is listed with the behavior for File, MSDE, and SQL logging.

Format

·  File: Two text formats, World Wide Web Consortium (W3C) format and ISA Server format (based on the Internet Information Services (IIS) log format)

·  MSDE: Database format used to store Firewall and Web Proxy log entries

·  SQL: Database format used to store Firewall and Web Proxy log entries

Network bandwidth consumption

·  File: Logging is local, so no network bandwidth is consumed

·  MSDE: Logging is local, so no network bandwidth is consumed

·  SQL: Logging is to a remote server, so sufficient network bandwidth is required, preferably 1 gigabit per second (Gbps) connectivity between ISA Server and the computers running SQL Server

Log size

·  File: Limited to 2 GB; a new file is started automatically when the limit is reached

·  MSDE: Limited to 1.5 GB; a new database is started automatically when the limit is reached

·  SQL: No limit; configured by the user, based on retention and maintenance policy

Maintenance

·  File: The log maintenance feature enforces the log size limit and cleans out old logs

·  MSDE: The log maintenance feature enforces the log size limit and cleans out old logs

·  SQL: The database administrator is responsible for maintenance

Security

·  File: Log failure stops the Firewall service

·  MSDE: Log failure stops the Firewall service. MSDE runs on the ISA Server computer, and the MSDE instance can be accessed only locally

·  SQL: Log failure stops the Firewall service. The account used for logging must have permissions on the computer running SQL Server. Data is encrypted on the connection to the computer running SQL Server, and SQL Server and ISA Server are mutually authenticated

Historical (offline) log viewer

·  File: Not supported

·  MSDE: Supported

·  SQL: Supported (ISA Server Enterprise Edition only)

Online (live) log viewer

·  File, MSDE, and SQL: Supported

Performance

·  File: Best

·  MSDE: Good

·  SQL: Depends on the number of ISA Server computers logging, the SQL Server settings, and the bandwidth allocation

Centralized logging (ISA Server Enterprise Edition only)

·  File: Central log for all array members

·  MSDE: Central log for all array members

·  SQL: Central log for all arrays in the enterprise

File

You can save ISA Server logs to a file, in one of the following formats:

·  World Wide Web Consortium (W3C) format

·  ISA Server format

The SMTP Message Screener log information is saved by default in file format. It cannot be saved to a database.

Log files are limited to 2 GB. When a file exceeds this limit, ISA Server automatically creates a new file. Similarly, a new log file is created at the beginning of every day.

W3C logs contain both data and directives, describing the version, date, and logged fields. Because the fields are described in the file, unselected fields are not logged. The tab character is used as a delimiter. Date and time are in Coordinated Universal Time (UTC).

ISA Server format contains only data with no directives. All fields are always logged. Unselected fields are logged with a dash, to indicate that they are empty. The comma character is used as a delimiter. The date and time fields are in local time.
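The two file formats therefore need different readers: a W3C file names its own columns in the #Fields directive, is tab-delimited and stamped in UTC, while an ISA Server format file has no directives, so the reader must already know the comma-delimited field order, must treat a dash as an empty field, and gets local time. The following Python shows both paths side by side. It is an added example, not code from the original guide or from ISA Server; the sample records and the ISA-format field order (ISA_FIELDS) are constructed for illustration and are not a real ISA Server field list. The denied-request tally at the end is a minimal instance of the log review that Reviewing Logs, below, asks for.

```python
"""Read ISA Server 2004 text logs in W3C or ISA Server file format.

Added example, not part of the original guide. The W3C directives follow the
W3C extended log file format; the records below and the ISA-format field list
are constructed for illustration, not a real ISA Server field list.
"""
from datetime import datetime, timezone

# Constructed W3C sample: directives describe the logged fields, columns are
# tab-delimited, only selected fields appear, and times are UTC.
W3C_SAMPLE = (
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2004\n"
    "#Version: 2.0\n"
    "#Date: 2005-03-01 00:00:00\n"
    "#Fields: date\ttime\tc-ip\tcs-method\tcs-uri\tsc-status\n"
    "2005-03-01\t00:00:01\t10.0.0.5\tGET\thttp://www.example.com/\t200\n"
    "2005-03-01\t00:00:02\t10.0.0.7\tGET\thttp://www.example.com/admin\t403\n"
    "2005-03-01\t00:00:03\t10.0.0.7\tGET\thttp://www.example.com/secret\t403\n"
)

# Assumed field order for the ISA Server format sample (the file carries no
# directives, so the reader must know the order). Commas delimit, '-' is empty.
ISA_FIELDS = ["c-ip", "cs-username", "date", "time", "cs-method", "cs-uri", "sc-status"]
ISA_SAMPLE = (
    "10.0.0.5,-,2005-03-01,02:00:01,GET,http://www.example.com/,200\n"
    "10.0.0.7,-,2005-03-01,02:00:02,GET,http://www.example.com/admin,403\n"
)


def detect_format(text):
    """W3C files start with '#' directive lines; ISA Server format has none."""
    for line in text.splitlines():
        if line.strip():
            return "w3c" if line.startswith("#") else "isa"
    return "isa"


def _record(fields, values, tz, line):
    """Zip one data line into a dict; '-' becomes None; build a timestamp if possible."""
    if len(values) != len(fields):
        raise ValueError("expected %d fields, got %d: %r" % (len(fields), len(values), line))
    rec = {f: (None if v == "-" else v) for f, v in zip(fields, values)}
    if rec.get("date") and rec.get("time"):
        stamp = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["timestamp"] = stamp.replace(tzinfo=tz)  # tz=None keeps local time naive
    return rec


def parse_w3c(text):
    """Use the #Fields directive to name the tab-delimited columns; times are UTC."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no records
        if fields is None:
            raise ValueError("data line before #Fields directive")
        records.append(_record(fields, line.split("\t"), timezone.utc, line))
    return records


def parse_isa(text, fields=ISA_FIELDS):
    """Fixed comma-delimited field order, every field present, local time."""
    # A naive comma split; URIs containing commas would need quoting rules
    # this example does not model.
    return [_record(fields, line.split(","), None, line)
            for line in text.splitlines() if line.strip()]


def parse_log(text):
    return parse_w3c(text) if detect_format(text) == "w3c" else parse_isa(text)


def denied_by_client(records, denied=("401", "403", "407")):
    """Count denied requests per client address, a first cut at log review."""
    counts = {}
    for rec in records:
        if rec.get("sc-status") in denied and rec.get("c-ip"):
            counts[rec["c-ip"]] = counts.get(rec["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for sample in (W3C_SAMPLE, ISA_SAMPLE):
        recs = parse_log(sample)
        print(detect_format(sample), len(recs), "records, denied:", denied_by_client(recs))
```

Note that the two timestamps are deliberately not comparable: the W3C record is timezone-aware UTC and the ISA-format record is naive local time, so correlating files of both kinds requires converting one side first.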

By default, the log information for log files is stored in the ISALogs folder, under the ISA Server installation folder. You can change the location. If you specify a relative directory, the log is saved in the ISALogs folder, under the ISA Server installation folder. If you specify an absolute path, the actual log folder may be different on every server.

MSDE Database

MSDE 2000 log databases are limited to 1.5 GB (below the 2 GB hard limit of an MSDE 2000 database). When a log exceeds this limit, ISA Server automatically creates a new database. Similarly, a new log is created at the beginning of every day. The log viewer, however, displays all the data as if it were in a single database.

When you choose to save the logs to an MSDE 2000 database, logs are saved in databases named ISALOG_yyyymmdd_xxx_nnn where:

·  yyyy represents the year that the log database refers to.

·  mm represents the month that the log database refers to.

·  dd represents the day that the log database refers to.

·  xxx represents the type that the log database refers to. This can be one of the following:

·  FWS. Represents the Firewall log.

·  WEB. Represents the Web Proxy log.

·  EML. Represents the e-mail (SMTP) log.

·  nnn is a number that distinguishes between log databases that refer to the same day.

For each log database, two files are created: ISALOG_yyyymmdd_xxx_nnn.mdf and ISALOG_yyyymmdd_xxx_nnn.ldf.

ISA Server prepares, in advance, log databases for the next day. When you save logs to MSDE 2000, a database that refers to the next day always exists.

By default, the log information for MSDE 2000 logs and log files is stored in the ISALogs folder, under the ISA Server installation folder. You can change the location. If you specify a relative directory, the log is saved in the ISALogs folder, under the ISA Server installation folder. If you specify an absolute path, the actual log folder may be different on every server.

SQL Database

You can save log information to an SQL database. Saving the log information to an SQL database is useful for remote logging.

When you configure logging to an SQL database, you specify the database connection parameters, and credential information.

The system policy rule named Allow remote logging using NetBIOS transport to trusted servers must be enabled to log to an SQL database.

Important

For maximum security and functionality, we strongly recommend consulting with a SQL Server database administrator when using SQL logging.

General Logging Best Practices

This section details recommended general best practices to follow when using the ISA Server logs. It also describes techniques to implement in case of log failure or connectivity failure.

General Security Best Practices

Follow these guidelines to help secure ISA Server logs:

·  Save the logs to a separate NTFS disk partition for maximum security. Only administrators of the ISA Server computer should have access to the logs.

·  If you are logging the information to a remote database, configure encryption and data signature for the log information being copied to the remote database.

General Capacity Planning Guidelines

Regardless of log format, we recommend that you allocate 8 GB for logging, plus enough space for an additional day and a half of logging at your own daily volume. The amount of space required for a day and a half of logging depends on your specific logging requirements, so measure it from your existing logs rather than estimating.
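The MSDE naming convention described under MSDE Database (ISALOG_yyyymmdd_xxx_nnn with an .mdf/.ldf pair per database, and a pre-created database for the next day) makes both checks above mechanical: a listing of the ISALogs folder tells you whether tomorrow's databases exist and how many bytes each day actually consumed, from which the 8 GB plus a day and a half figure follows. The Python below does this over a constructed directory listing. It is an added example, not code from the original guide or from ISA Server; the file sizes, the logging day (TODAY) and the assumption that only the FWS and WEB types are expected for the next day are illustrative.

```python
"""Inventory MSDE log databases in the ISALogs folder and size the allocation.

Added example, not part of the original guide. The listing below is constructed;
the file names follow the ISALOG_yyyymmdd_xxx_nnn.mdf/.ldf convention the guide
describes, and the sizing rule is the guide's 8 GB plus a day and a half.
"""
import re
from datetime import date, timedelta

NAME_RE = re.compile(
    r"^ISALOG_(\d{4})(\d{2})(\d{2})_(FWS|WEB|EML)_(\d{3})\.(mdf|ldf)$", re.IGNORECASE)
GB = 1024 ** 3
BASE_ALLOCATION_GB = 8      # guide: allocate 8 GB regardless of format
EXTRA_DAYS = 1.5            # guide: plus a day and a half of logging

# Constructed directory listing: (file name, size in bytes). Logging day is
# 1 March 2005; the 2 March databases are the ones ISA Server pre-creates.
TODAY = date(2005, 3, 1)
LISTING = [
    ("ISALOG_20050301_FWS_000.mdf", 1_500_000_000),
    ("ISALOG_20050301_FWS_000.ldf", 50_000_000),
    ("ISALOG_20050301_FWS_001.mdf", 400_000_000),   # started after _000 hit the limit
    ("ISALOG_20050301_FWS_001.ldf", 20_000_000),
    ("ISALOG_20050301_WEB_000.mdf", 900_000_000),
    ("ISALOG_20050301_WEB_000.ldf", 30_000_000),
    ("ISALOG_20050302_FWS_000.mdf", 2_000_000),
    ("ISALOG_20050302_FWS_000.ldf", 1_000_000),
    ("ISALOG_20050302_WEB_000.mdf", 2_000_000),
    ("ISALOG_20050302_WEB_000.ldf", 1_000_000),
    ("Thumbs.db", 4096),                            # unrelated file, ignored
]


def parse_name(name):
    """Split ISALOG_yyyymmdd_xxx_nnn.ext into parts, or None if not a log database file."""
    m = NAME_RE.match(name)
    if not m:
        return None
    y, mo, d, kind, seq, ext = m.groups()
    return {"date": date(int(y), int(mo), int(d)), "type": kind.upper(),
            "seq": int(seq), "ext": ext.lower()}


def inventory(listing):
    """Group files by database (date, type, sequence) -> {'mdf': bytes, 'ldf': bytes}."""
    dbs = {}
    for name, size in listing:
        info = parse_name(name)
        if info:
            dbs.setdefault((info["date"], info["type"], info["seq"]), {})[info["ext"]] = size
    return dbs


def incomplete_databases(dbs):
    """Every log database is an .mdf/.ldf pair; report any that is missing a half."""
    return sorted(key for key, files in dbs.items() if set(files) != {"mdf", "ldf"})


def missing_next_day(dbs, today, types=("FWS", "WEB")):
    """ISA Server pre-creates tomorrow's databases; list the log types without one."""
    tomorrow = today + timedelta(days=1)
    present = {t for (d, t, _), files in dbs.items()
               if d == tomorrow and set(files) == {"mdf", "ldf"}}
    return sorted(set(types) - present)


def bytes_per_day(dbs):
    """Total .mdf plus .ldf bytes per logging day, across all types and sequences."""
    totals = {}
    for (d, _, _), files in dbs.items():
        totals[d] = totals.get(d, 0) + sum(files.values())
    return totals


def recommended_allocation_gb(dbs, today):
    """8 GB plus a day and a half at the largest day observed up to today."""
    observed = [b for d, b in bytes_per_day(dbs).items() if d <= today]
    peak = max(observed) if observed else 0
    return BASE_ALLOCATION_GB + EXTRA_DAYS * peak / GB


if __name__ == "__main__":
    dbs = inventory(LISTING)
    print("databases:", len(dbs))
    print("incomplete:", incomplete_databases(dbs))
    print("missing next-day databases:", missing_next_day(dbs, TODAY))
    print("recommended allocation: %.1f GB" % recommended_allocation_gb(dbs, TODAY))
```

Pre-created next-day databases are tiny, so they are excluded from the peak-day estimate; a missing or half-present pair for tomorrow is worth an alert of its own, because at midnight ISA Server would have nowhere to log and, by default, the Firewall service would stop.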

Log Failure

Because ISA Server is deployed to secure your network, it is critical that logging information is always available and accurate. You should carefully monitor alerts and verify that activity is always being logged. Check for alerts that indicate a failure to log, whatever the cause, including insufficient disk space, SQL Server connectivity issues, and others.

If log information cannot be saved for any reason, the ISA Server computer should be locked down. For this reason, the preconfigured alert for the Log Failure event stops the Microsoft Firewall service, so that by default ISA Server does not pass traffic it cannot log.

You can change this default behavior by configuring the Log Failure alert not to stop ISA Server services. Doing so keeps traffic flowing during a logging outage at the cost of a gap in the audit trail, so treat it as a deliberate decision rather than a convenience.

If the ISA Server computer fails, the last log records may be lost.

Maintaining Logs

After you select and configure a specific logging mechanism, follow the best practices listed in this section to maintain the logs.

Reviewing Logs

Review the logs regularly and carefully, checking for suspicious access and usage of network resources.

Log Maintenance

ISA Server has a log maintenance feature, which you can configure so that log files do not exceed specific space requirements. Use the log maintenance feature to ensure that the disk on which log information is stored does not become full.

When you log to an MSDE2000 database or to a file, you can configure how long log information should be stored on the local disk, and how much disk space should be allocated for logging.

Notes

·  You cannot set log limits for SQL database logs.

·  ISA Server checks every ten minutes that logs do not exceed the specified limits, so logs might exceed the limits for up to ten minutes between checks.

·  The log maintenance feature does not apply to the SMTP filter log.

To configure the Log Storage Limits alert definition to stop the ISA Server services, perform the following steps

1.  In the console tree of ISA Server Management, click Monitoring:

·  For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Monitoring.

·  For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Monitoring.

2.  In the details pane, click the Alerts tab.

3.  On the Tasks tab, click Configure Alert Definitions.

4.  In Alert Definitions, click Log storage limits, and then click Edit.

5.  On the General tab, select Enable.

6.  On the Actions tab, click Stop selected services, and then click Select.

7.  In Services, select Microsoft Firewall and Microsoft ISA Server Job Scheduler.

To configure log storage limits, perform the following steps

1.  In the console tree of ISA Server Management, click Monitoring:

·  For ISA Server Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Monitoring.

·  For ISA Server Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Monitoring.

2.  In the details pane, click the Logging tab.

3.  On the Tasks tab, select the appropriate task:

·  Configure Firewall Logging. Used to configure the firewall log limits.

·  Configure Web Proxy Logging. Used to configure the Web Proxy log limits.