Question with File Logging (w3c)

Question with File Logging (w3c) - 3.Apr.2009 3:18:22 PM   
rmharp

 

Posts: 49
Joined: 18.May2006
Status: offline
I now have my 4 server array (2 css's, 4 Array members) using w3c file based logging and would like to be able to analyze those logs using log parser/log parser lizard or firewall analyzer. My question is this. In the 4 server array setup I have it seems that all 4 of the array members generate different logs. While this is somewhat expected on my end, I am trying to figure out the best way to be able to analyze these log files. They all generate the same file name for that day. Is this the only way to do it? I was thinking of utilizing a NAS setup I have to dump the log files on there daily but then how do I analyze 4 different log files that have the same name? Is there any way to change this?

Also, if I just set up the ISA servers to log directly to a shared folder on the NAS, are there concerns I should have regarding availability, etc.? How will ISA work with the 4 array servers dropping logs in the same location with the same name?

Thanks,

Ryan
Post #: 1
RE: Question with File Logging (w3c) - 3.Apr.2009 6:30:21 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
As good as text logging is (I like it and recommend it a lot) it doesn't horizontally scale that well, especially when doing array level log analysis/forensics.

In this respect, it sounds like something like SQL Server logging would be more suitable; however this has different disadvantages to text logging which you would need to accept.

You can find a good overview here:

http://technet.microsoft.com/en-us/library/bb794817.aspx

I've never tried it, but I don't think you can put the logs on shared storage due to conflicts between array members.

Cheers

JJ 

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to rmharp)
Post #: 2
RE: Question with File Logging (w3c) - 8.Apr.2009 11:03:32 AM   
rmharp

 

Posts: 49
Joined: 18.May2006
Status: offline
From the sounds of that article it seems as though I could get performance almost as good as file logging, or at least in between file logging and MSDE logging, with the SQL logging. This will give me the ability to see historical data (offline) and the live data, as well as write custom queries to the SQL database as needed. It seems as though performance is limited by the size/speed of the box running SQL, and since I think I could get a pretty nice server to run it I don't know how much of a negative impact SQL will have. Do you think it's possible to use SQL 2008 on a 2008 Enterprise server?

Thanks,

Ryan

(in reply to Jason Jones)
Post #: 3
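
One way to analyze same-named text logs from several array members together, as an added example that is not part of the thread: copy each member's file into a folder named after that server, then merge the files into one time-ordered stream with the source server recorded on every row. The folder layout, the `x-source-server` column, tab-separated values, the presence of `date` and `time` fields, and the sample data are all assumptions.

```python
import heapq
from pathlib import Path

def parse_w3c(lines, server):
    """Yield one dict per record, tagged with the array member it came from."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()  # may be re-declared mid-file
        if not line or line.startswith("#"):
            continue  # blank line or directive (#Software, #Version, #Date, ...)
        if fields is None:
            raise ValueError(f"{server}: record found before a #Fields: directive")
        values = line.split("\t")  # assumption: tab-separated values
        if len(values) != len(fields):
            continue  # truncated record, e.g. file copied while being written
        record = dict(zip(fields, values))
        record["x-source-server"] = server  # hypothetical column added here
        yield record

def merge_logs(sources):
    """sources maps server name -> iterable of lines; returns records by time."""
    streams = [parse_w3c(lines, name) for name, lines in sources.items()]
    # Each member writes in time order, so a k-way merge on (date, time) suffices.
    return list(heapq.merge(*streams, key=lambda r: (r["date"], r["time"])))

def load_sources(root, filename):
    """Assumed layout: <root>/<server>/<filename>, one folder per array member."""
    return {d.name: (d / filename).read_text(errors="replace").splitlines()
            for d in sorted(Path(root).iterdir()) if (d / filename).is_file()}

# Constructed sample with a reduced field set (not real ISA output).
HEADER = "#Fields: date\ttime\tc-ip\taction"
SAMPLE = {
    "ISA1": [HEADER, "2009-04-03\t15:18:22\t10.0.0.5\tAllowed",
             "2009-04-03\t15:18:30\t10.0.0.9\tDenied"],
    "ISA2": [HEADER, "2009-04-03\t15:18:25\t10.0.0.7\tAllowed",
             "2009-04-03\t15:18"],  # last line cut off mid-write
}

if __name__ == "__main__":
    for rec in merge_logs(SAMPLE):
        print(rec["date"], rec["time"], rec["x-source-server"], rec["c-ip"], rec["action"])
```

Keeping the server name on each row preserves which array member handled a connection, which matters when reconstructing a session that spans members.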
