Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

New Warning event message that occurs in ISA Server 2004 SP3 to notify delay in logging



Summary

This article discusses the following new Warning event message that occurs in Microsoft Internet Security and Acceleration (ISA) Server 2004 Service Pack 3 (SP3) and in later versions:

Writing to the log took approximately %1 seconds. If this time exceeds 30 seconds, logging may fail and ISA Server may go into lockdown mode. For a workaround, see KB 919468.



More information

ISA Server 2004 and later versions enforce the lockdown mode of operation if writing to the log files takes more than thirty seconds. ISA Server 2004 SP3 and later versions include a new event message to notify the administrator before logging fails. For more information about the ISA Server lockdown mode of operation, click the following article number to view the article in the Microsoft Knowledge Base:
838711 Lockdown mode of operation in ISA Server 2006 or in ISA Server 2004
The new Warning event message is displayed if writing to the log files takes more than the time-out period. This helps administrators take preventive action before ISA Server enforces the lockdown mode of operation.
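The following triage script is an added example, not part of the original article. It parses the warning text quoted above out of exported event records and rates how close the reported commit times are to the 30-second limit. The sample records, the 80 percent "near" margin, and the status labels are constructed assumptions.

```python
import re
from datetime import datetime

# Message text as quoted in this article; the %1 insert is the commit time.
PATTERN = re.compile(r"Writing to the log took approximately (\d+) seconds")
LOCKDOWN_LIMIT = 30  # seconds, the limit stated in the article

def warning_text(seconds):
    # Constructed helper: fills the %1 insert of the article's message text.
    return ("Writing to the log took approximately %d seconds. If this time "
            "exceeds 30 seconds, logging may fail and ISA Server may go into "
            "lockdown mode. For a workaround, see KB 919468." % seconds)

# Constructed sample export: (timestamp, message) pairs, deliberately unordered.
SAMPLE_EVENTS = [
    ("2009-05-25 03:10:42", warning_text(23)),
    ("2009-05-25 02:00:11", warning_text(16)),
    ("2009-05-25 02:30:00", "Unrelated event text (constructed)."),
    ("2009-05-25 02:41:07", warning_text(19)),
]

def commit_seconds(message):
    """Return the reported commit time in seconds, or None for other events."""
    match = PATTERN.search(message)
    return int(match.group(1)) if match else None

def triage(events, limit=LOCKDOWN_LIMIT, near=0.8):
    """Summarise the warnings and rate how close logging is to the limit."""
    hits = []
    for stamp, message in events:
        seconds = commit_seconds(message)
        if seconds is not None:
            hits.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), seconds))
    durations = [seconds for _, seconds in sorted(hits)]
    if not durations:
        return {"count": 0, "max": None, "rising": False, "status": "ok"}
    # Rising: each of the last three readings is higher than the one before it.
    rising = len(durations) >= 3 and durations[-3] < durations[-2] < durations[-1]
    worst = max(durations)
    if worst > limit:
        status = "logging-may-fail"
    elif rising or worst >= near * limit:
        status = "act-now"
    else:
        status = "watch"
    return {"count": len(durations), "max": worst, "rising": rising, "status": status}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```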

Methods to prevent lockdown mode

Administrators can use the following methods to prevent ISA Server from enforcing the lockdown mode of operation.

Method 1

Use Disk Defragmenter to consolidate fragmented files and folders. To do this, follow these steps:
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Disk Defragmenter.
  2. Click the volume where you store the log files, and then click Analyze.
  3. Click Defragment if the Disk Defragmenter suggests defragmenting the volume.
  4. Verify disk performance.
Notes
  • To avoid long commits, you must frequently defragment the disks where you store ISA log files.
  • For reliability and better performance, use RAID volumes.

Method 2

If you are using Microsoft SQL Server for logging, modify the file growth size or the file growth percentage for the SQL database.

For more information about how to modify file growth size, visit the following Microsoft Web site:
You can use the following SQL script to modify the file growth size.
-- <FileName> is the logical name of the database file to modify.
USE master
ALTER DATABASE <DataBaseName>
MODIFY FILE (NAME = <FileName>, FILEGROWTH = <GrowthIncrement>)
Note In the script example, the text that is enclosed in angle brackets (<>) indicates a placeholder. In the script example, <GrowthIncrement> is specified in megabytes (MB) or as a percentage of file size. The default value is 75 MB.

Method 3

Make sure that the firewall log directory and the Web proxy log directory are on different disks. To do this, follow these steps:
  1. In the ISA Server MMC snap-in, click Monitoring.
  2. In the Details pane, click the Logging tab.
  3. On the Tasks tab, click Configure Firewall Logging.
  4. On the Log tab, click the appropriate Log storage format, and then click Options.
  5. In the Store the log file in box, note the path of the folder where firewall logs are stored.
  6. Under Log file storage limits, make appropriate changes to reduce the log file size.
  7. Click OK, and then click Apply.
  8. On the Tasks tab, click Web Proxy Logging.
  9. On the Log tab, click the appropriate log storage format, and then click Options.
  10. Make sure that the path that you noted in step 5 is not the same path that is listed for Web proxy logging.

    Note Make sure that the Web proxy logs are stored to a different disk.
  11. Under Log file storage limits, make appropriate changes to reduce the log file size.
  12. Click OK, and then click Apply.

Method 4

Restrict the number of fields that are included in the log. To do this, follow these steps:
  1. In the ISA Server MMC snap-in, click Monitoring.
  2. In the Details pane, click the Logging tab.
  3. On the Tasks tab, click Configure Firewall Logging.
  4. On the Fields tab, select only the fields that you want, click Apply, and then click OK.
  5. Repeat step 2 through step 4 for Web Proxy Logging.

Method 5

Define rules to decrease the number of lines that are logged. To do this, follow these steps:
  1. You can define the following rules at the beginning of the firewall policy:
    • Deny probable malicious traffic to the firewall itself, and log these attempts. For example, deny the following types of probable malicious traffic:
      • Telnet
      • FTP
    • Deny any other traffic to the firewall computer itself, and do not log the activity.
  2. You can define the following rules at the end of the firewall policy:
    • Deny high-load traffic that is not defined as dangerous, and do not log the activity. For example, deny the following types of high-load traffic:
      • NetBIOS
      • RIP
      • OSPF
      • DHCP
    • Deny any other traffic with logging enabled.
Note These rules help ISA Server log only the activities that are required. Additionally, these rules help administrators troubleshoot issues.
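The following simulation is an added example, not part of the original article. It models the Method 5 rule ordering as a first-match policy and counts how many log lines a traffic sample produces with and without the non-logging deny rules. The rule names, the "allow-web" rule, the first-match model, and the traffic sample are constructed assumptions.

```python
# A rule is (name, protocols or None for any, applies only to traffic
# addressed to the firewall itself, write a log line on match).
TOP = [
    ("deny-probable-malicious", {"Telnet", "FTP"}, True, True),
    ("deny-other-to-firewall", None, True, False),
]
BOTTOM = [
    ("deny-high-load", {"NetBIOS", "RIP", "OSPF", "DHCP"}, False, False),
    ("deny-any-other", None, False, True),
]
ALLOW = [("allow-web", {"HTTP"}, False, True)]  # hypothetical site rule

TUNED = TOP + ALLOW + BOTTOM             # ordering described in Method 5
BASELINE = ALLOW + [BOTTOM[-1]]          # everything not allowed is logged

def evaluate(policy, packet):
    """Return (rule name, logged) for the first rule that matches the packet."""
    protocol, to_firewall = packet
    for name, protocols, firewall_only, log in policy:
        if firewall_only and not to_firewall:
            continue
        if protocols is None or protocol in protocols:
            return name, log
    return "no-match", True

def logged_lines(policy, traffic):
    """Count the packets that would produce a log line under this policy."""
    return sum(1 for packet in traffic if evaluate(policy, packet)[1])

# Constructed traffic sample: (protocol, addressed to the firewall itself).
TRAFFIC = (
    [("Telnet", True)] * 2      # still logged: probable malicious traffic
    + [("NetBIOS", True)] * 5   # dropped silently by the second top rule
    + [("DHCP", False)] * 4     # dropped silently by the high-load rule
    + [("HTTP", False)] * 3     # allowed and logged
    + [("SMTP", False)] * 1     # caught and logged by the final deny rule
)

if __name__ == "__main__":
    print("baseline:", logged_lines(BASELINE, TRAFFIC))
    print("tuned:   ", logged_lines(TUNED, TRAFFIC))
```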

How to set the time-out period

To set the time-out period for the raising of the Warning event message, run the following Microsoft Visual Basic script. To do this, follow these steps:
  1. Start Notepad.
  2. Copy the following script into a new text file.
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "FireLongLogCommitAfterThisAmountOfSeconds"
    Const SE_VPS_VALUE = 15
    
    Sub SetValue()
    
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        'Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
    
        ' Get references to the array object
        ' and the vendor parameters sets collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets
    
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    
        If Err.Number <> 0 Then
            Err.Clear
    
            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
    
        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If
    
        if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
    
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
    
                ' CheckError clears Err, so test the result of Save before calling it.
                If Err.Number <> 0 Then
                    CheckError
                Else
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    
    End Sub
    
    Sub CheckError()
    
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    
    End Sub
    
    SetValue
    
    
    Note This script uses the default value of 15 seconds. Change the SE_VPS_VALUE value that is set in the script to an appropriate value.
  3. Save the file by using the following file name:
    FireLongLogcommitAfterThisAmountOfSecontds.vbs
  4. Double-click the file that you saved in step 3 to run the script.



Keywords: KB919468, kbinfo, kbexpertiseadvanced, kbtshoot


Article Info
Article ID : 919468
Revision : 3
Created on : 5/25/2009
Published on : 5/25/2009
Exists online : False