Security

How to capture logs in ISA Servers

eantonio
Path Finder

How do we capture logs/data from ISA Servers? Are there any special considerations when setting up UF installed in ISA Servers?

1 Solution

_d_
Splunk Employee

Well, I would first start with this link: http://technet.microsoft.com/en-us/library/bb838824.aspx#ActionLogValues - it contains possible ISA Server 2006 Logging Fields and Values. I wouldn't know what other people log, but I would say that it depends a lot on what you're trying to achieve. I would definitely log the following: source/dest IP, port and host, action, resultcode, rule, sessionid, connectionid.

- please upvote if you find this answer useful


_d_
Splunk Employee

Yes. Basically you'll want Splunk to monitor this file/folder continuously for new events. Enjoy it 🙂


eantonio
Path Finder

I changed the logging so it will create W3C files instead. Do I just add the folder where it saves the W3C files, and Splunk will be able to index it?


_d_
Splunk Employee

I suppose you'd need to configure your ISA server to log in text format (I think mdf, ldf and ndf are some sort of database formats). If you go here: http://msdn.microsoft.com/en-us/library/aa503236.aspx you'll see that that is an option: "Text log files in the World Wide Web Consortium (W3C) extended file format." Splunk will take in the text files and then you'll be able to query/search/report/chart.

Best.

d.


eantonio
Path Finder

d

I checked my ISA Server and I have those fields checked for monitoring. I then ran the command "splunk add monitor c:XXXXXXX" and specified the ISALog folder in my ISA Server. That folder contains mdf, ldf, ndf files. Will Splunk be able to use those to see the actual logs? Or will it just show up as mdf, ldf, ndf files when I do a search in Splunk Web UI?


_d_
Splunk Employee

I believe if you set up a UF monitor on your \ISALogs folder you should be OK.
Check this link for more info on how to setup an input monitor:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

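As an added example that is not part of the thread, here are the two forwarder-side stanzas that tie together the W3C-text-logging answer above and the inputs.conf link in this reply. The log path, the .w3c file extension, the sourcetype name and the index name are assumptions, not values from the thread.

```ini
# inputs.conf on the ISA host's Universal Forwarder.
# Path, file extension, sourcetype and index are assumptions for this example.
[monitor://C:\Program Files\Microsoft ISA Server\ISALogs]
disabled = 0
# ISA writes a new log file per day into this folder; only pick up the
# W3C text logs, not the .mdf/.ldf/.ndf database files that sit beside them.
whitelist = \.w3c$
sourcetype = isa:w3c
index = proxy
# Skip files that have not been modified for a week (initial backlog control).
ignoreOlderThan = 7d

# props.conf on the same forwarder. INDEXED_EXTRACTIONS is applied where the
# data is parsed, which for structured files is the UF itself, so this stanza
# must be deployed to the forwarder, not only to the indexers.
[isa:w3c]
# Read the "#Fields:" header line and name each column from it; the
# "#Software:", "#Version:" and "#Date:" comment lines are consumed as header.
INDEXED_EXTRACTIONS = w3c
SHOULD_LINEMERGE = false
# Build the event timestamp from the W3C date and time columns; the W3C
# extended log format records these in GMT, hence TZ = UTC.
TIMESTAMP_FIELDS = date,time
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC
```

Once this is in place, the columns named in the `#Fields:` header (for the ISA fields the accepted answer lists: source/destination IP, port and host, action, resultcode, rule, sessionid, connectionid) arrive as fields on each event without a separate search-time extraction.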

eantonio
Path Finder

What are the common fields/logs people monitor in ISA?
