Our website requires you install or enable flash player for full experience, you can download flash player by clicking here.
Make sure you also have javascript enabled so that flash player & menus work correctly.

Get Adobe Flash player

What would you like to monitor?

< Return to search

Using Microsoft ISA Log Files With WebSpy

Microsoft ® ISA (Internet Security and Acceleration Server) logs web and security activity to a internal 'MSDE' (Microsoft Data Engine) database by default. Both WebSpy Analyzer and WebSpy Vantage allow you to import an internal MSDE database. This option slows performance more than a plain text log format and extra configuration is required for importing 'new hits'.

It is possible to change the logging method used in ISA from a MSDE database to a text file or a separate SQL database. WebSpy recommends that the logging format should be changed to plain text logs due to the increased performance and ease of use when importing data. It is important to note that changing the logging format will result in the loss of ISA's onboard reporting (which relies on the MSDE database), but WebSpy's reporting should more than compensate for this change.
For more information see: Top 10 Advantages of WebSpy's Reporting over ISA Server's Reporting

Before making any configuration changes, it is a good idea to check what your current logging method is set to.
Note: ISA may not be logging to MSDE if the ISA Server was upgraded from ISA 2000.

Checking your ISA server's logging method

The ISA Server creates two types of log files; firewall logs and web proxy logs. Each type of log has its own configuration options.

To check your ISA Server's current logging methods:

  1. Log in to your ISA Server with administrator privileges.
  2. Select Start | Programs | ISA Server Management to launch the ISA Server Management console.
  3. Select Monitoring on the left hand side of the console.
  4. Select the Logging tab in the middle of the console.
  5. Select the Tasks tab to the right of the console.
  6. Click the 'Configure Firewall Logging' link, or the 'Configure Proxy Logging' link under 'Logging Tasks' to launch the respective Logging Properties for the ISA Firewall or the ISA Proxy.

There are a number of logging types that you could alter your current settings to support:

Vantage Analyzer Live
MSDE Importing MSDE
into Vantage		 Importing MSDE
into Analyzer		 N/A

Live does not support MSDE log formats
SQL Importing SQL
into Vantage		 Importing SQL
into Analyzer		 N/A

Live does not support
SQL log formats
Plain Text Importing text files
into Vantage		 Importing text files
into Analyzer		 Importing text files
into Live

Note: WebSpy recommends the use of plain text logs for optimal performance

Importing without changing the logging method

If you do not want to change your logging method, because the internal MSDE database is being used by ISA for it's own reporting mechanisms, you can create a copy of the information in plain text format:

  1. Run the MSDEToText.vbs script to convert the MSDE logs into a text file, then import that text file into your WebSpy application. This allows you to keep the MSDE logging, but also extract the information into a format that WebSpy applications can import. This script is available from Microsoft for ISA 2004, and a slightly modified version is available from WebSpy for ISA 2006.
  2. 'Detatch' the MSDE database from your ISA server and copy it to another SQL or MSDE server that our WebSpy applications can access. A helpful article published by Microsoft, that explains how to do this can be found here.
  3. Run the WebSpy application on your ISA server.
    WARNING: If you choose this option, please be aware that WebSpy applications are memory intensive and running them on your organization's mission-critical web proxy and firewall is not recommended. If you do chose this option, schedule reports to run at off-peak times.
  4. Configure ISA's MSDE database and ISA's Firewall to allow incoming connections from the machine and user running the WebSpy application. For information on how to do this, see ISA MSDE Logging

Logging Usernames with ISA

When reporting or analyzing ISA log file information, the same user may appear in a variety of ways. Aliases are generally used to group all these instances under a meaningful name however ISA server logs occasionally require some additional modifications.
View more information on logging usernames with ISA

All Rights Reserved. No part of this document may be photocopied, reproduced, stored in a retrieval system, or transmitted, in any form or by any means, whether electronic, mechanical, or otherwise, without the prior written permission of WebSpy Ltd.

No warranty of accuracy is given concerning the contents of the information contained in this publication. To the extent permitted by law no liability (including liability to any person by reason of negligence) will be accepted by WebSpy Ltd, its subsidiaries or employees for any direct or indirect loss or damage caused by omissions from or inaccuracies in this document.

WebSpy Ltd. reserves the right to change details in this publication without notice.

Other product and company names herein may be the trademarks of their respective owners.

ISA ; isa ; MSDE ; change logging ; plain text file ; SQL ; import logs ; ISA Server ; Server ; MS ISA ; Data Engine ; isa 2004 ; isa 2000; isa 2006 ; username logging

< Return to search