Monday, October 10, 2005

Troubleshoot Using Live Logging

I'm a little embarrassed that it has taken so long to introduce you to my best friend, Live Logging. We've been best friends since the day we met: when I opened up the new ISA management console, there she was, hiding behind the Start Query button.

Live Logging is the best troubleshooting tool we've got in ISA. Remember how difficult the logs were to read in ISA 2000? Now you can not only read them, but also query them and copy them out to Excel.

Let's take a quick look.

Open up ISA Management and click on Monitoring. At the top of the page are your Log Query Filters. To see everything, you should have the following filters configured: Log Record Type = Firewall Or Web Proxy Filter; Log Time = Live; Action not equal to Connection Status. These will give you high-quality output.

Next, click the Start Query link. You'll get a little message that says Fetching Results, then the log information will start flowing. It's a beautiful thing.

Once you have a few items in your list, click on the Stop Query link. Here's where the fun begins.

Right-click on the column name and select add/remove columns. Here you can add or remove columns of information to view, and the change takes effect immediately on the data that you've already collected! Try it. Add a column, remove a column, reorder a column. You get to manipulate what's on the screen, even for the now-historical data.

Next, select a group of log items, either by clicking on the top item and shift-clicking on the last one you want, or by Ctrl-clicking individual log items until you have a few. Now that they're highlighted, click the copy to clipboard link in the tasks pane on the far right. Open Excel and paste. You get a little more than you bargained for: all possible columns of information, plus a line of column headings. Sweet. Now you've got your ISA log selections in Excel, where they're easy to save, ponder over, or send to someone while you're troubleshooting ISA.

How will you use this Live Logging feature to troubleshoot ISA? Here's how I do it. Open up the ISA management console. Start the query. Have the person who can't do whatever it is, say open an SSL page, do it while you are watching the logs. When you see the traffic generated by this attempt go by, stop the query. Then review the denied connection items for that person's name or IP address. If need be, remove or add the columns of information that you need. I like to get it down to just the relevant information and get rid of the columns I don't need to see, like the empty ones. I find them distracting. Now you should be able to see what is stopping the user from getting to that SSL page. Once you have the what, you're well on your way to a solution. If you need to save this information for later, or you need to send it to someone to help you resolve the problem, then copy and paste only the relevant columns into Excel.
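The same review can be done on the pasted export outside the console. The following is an added example, not part of the original post: it keeps only the denied items for one client and drops the columns that are empty. It assumes the clipboard text is tab-separated with a heading line; the column names (`Action`, `Client IP`, `Client Username`) and every sample value are assumptions made for illustration.

```python
import csv
import io

# Constructed sample of a clipboard paste: tab-separated, first line is the
# column headings. Column names and values are assumptions, not real log data.
_ROWS = [
    ["Log Time", "Client IP", "Client Username", "Destination IP",
     "Destination Port", "Protocol", "Action", "Rule", "URL",
     "Filter Information"],
    ["10/10/2005 9:14:02 AM", "192.168.1.25", "anonymous", "203.0.113.10",
     "443", "HTTPS", "Denied Connection", "Default rule", "", ""],
    ["10/10/2005 9:14:03 AM", "192.168.1.30", "anonymous", "203.0.113.20",
     "80", "HTTP", "Allowed Connection", "Web Access", "http://example.com/", ""],
    ["10/10/2005 9:14:05 AM", "192.168.1.25", "anonymous", "203.0.113.10",
     "80", "HTTP", "Allowed Connection", "Web Access", "http://example.com/", ""],
    ["10/10/2005 9:14:07 AM", "192.168.1.30", "anonymous", "203.0.113.10",
     "443", "HTTPS", "Denied Connection", "Default rule", "", ""],
]
SAMPLE = "\n".join("\t".join(r) for r in _ROWS) + "\n"


def denied_for_client(pasted, client, action_col="Action",
                      id_cols=("Client IP", "Client Username")):
    """Return denied rows for one client IP or user name, empty columns removed."""
    reader = csv.DictReader(io.StringIO(pasted), delimiter="\t")
    want = client.strip().lower()
    hits = []
    for row in reader:
        action = (row.get(action_col) or "").lower()
        ids = {(row.get(c) or "").strip().lower() for c in id_cols}
        if "denied" in action and want in ids:
            hits.append(row)
    # Keep a column only if at least one matching row has a value in it,
    # which mirrors removing the empty columns in the console view.
    keep = [c for c in (reader.fieldnames or [])
            if any((r.get(c) or "").strip() for r in hits)]
    return [{c: (r.get(c) or "") for c in keep} for r in hits]


if __name__ == "__main__":
    for item in denied_for_client(SAMPLE, "192.168.1.25"):
        print(item)
```
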

Once you get the hang of it, Live Logging will be your new best friend too.


