If you’re using Microsoft Forefront Threat Management Gateway, there is a bug in the logging that causes Bytes Sent and Bytes Received to be logged in reverse. This seems to only affect the Web Proxy logs – both SQL and W3c . We noticed in a few web reports, that people were generally uploading a lot more than they were downloading. So we checked the logs and verified the buggy behavior: (more…)
Archive for the ‘Web Browsing Analysis’ Category
Why there is so much anonymous traffic in Microsoft TMG and ISA logs
Monday, July 19th, 2010
One of the most common questions we get asked by users of Microsoft TMG and ISA is why there is so much traffic attributed to the Anonymous user. Even though unauthenticated access to the web has been disabled, they still see the ‘Anonymous’ user as one of the top users in their reports.
So let’s use WebSpy Vantage to drill into that Anonymous user and find out what is going on. (more…)
Video: How to use WebSpy Vantage to report on IronPort log files
Friday, June 18th, 2010
I’ve produced a video on how to use WebSpy Vantage to report on IronPort’s Web Security Appliance’s access log files. It is quite a detailed look at the key tasks involved in setting up and using WebSpy Vantage with IronPort WSA access logs, and is therefore divided into several parts. The videos take you through the following activities:
- How to import your log files and explore the information recorded by IronPort using the Summaries screen
- How to open the customized IronPort Report Templates and Aliases
- How to generate reports
- How to import your organizational structure and report on departments
- How to setup the Web Module and publish reports
(more…)
Accessing Microsoft Forefront TMG’s Log Files (SQL Express)
Friday, June 11th, 2010
If you need to analyze and report on Microsoft Forefront Threat Management Gateway log files, the most common stumbling block is enabling access to the default SQL Express databases that contains the firewall and web proxy log files.
The log databases are stored in an SQL Express instance named MSFW. By default these databases cannot be accessed by a remote computer. I’d first like to say that we recommend changing TMG’s logging to W3C text files, as these logs are about 5-6 times faster to import, and you don’t need to worry about the steps below.
But if you need to stick with the SQL Express logging, here are the basic steps to enable access to the logs from a remote computer: (more…)
Vantage Update 2.2.0.29 – New Fields for IronPort
Friday, March 12th, 2010
We have just added support for the ‘Group’ field in IronPort’s access logs. You can add this field to your logs by adding %g in the ‘Custom Fields’ edit box (on your IronPort WSA applianceĀ under System Administration | Log Subscriptions | accesslogs).
When imported into WebSpy Vantage, the result is shown in a new summary called ‘Group’ which you can add to your reports. (more…)
8 Reasons NOT to Use Microsoft Forefront TMG’s Reporting
Monday, February 8th, 2010
I’ve been having a look through the reporting functionality included in Microsoft Forefront Threat Management Gateway to find that not much has changed from ISA Server 2006. There is some new information regarding the newly implemented URL categorization and threat management technology, but there is very little flexibility or customization for those with reporting requirements beyond general overviews cluttered with irrelevant information. (more…)
