I’m often faced with the somewhat daunting task of wading through a 500MB log file to try to identify a problem with one user of a proxy server.
I find the simplest way to even the odds a bit – using out-of-the-box tools – is to use the humble FIND command to filter the logs down to just the parts I think I’m interested in.
First, copy the log file you think contains the event you’re interested in to your workstation from the ISA box – trying to do this remotely is just going to end in tears. ISA logs are kept in the Program Files\Microsoft ISA Server\ISALogs folder, called WEBext, FWSext and IPPext (with date numbers) for Web Proxy, Firewall and SecureNAT, and Packet Filtering logs respectively.
Once the log file’s copied, I kick off with a fairly general filter; usually the client IP address is a good place to start, so the command looks like this:
FIND “192.168.0.1” WEBEXTnnnn.log > BarrysIP.txt
This will sort through the web proxy log, and anytime the string specified appears on a line, the whole line will be dumped into the new BarrysIP.txt file.
If you still have too much to look through, you can then filter BarrysIP down to, say, a particular site he’s having a problem with:
FIND /I “barrysdomain.dom” BarrysIP.txt > barrysdom.txt
This time, we’re specifying a case-insensitive search with /I, and we’re redirecting the output to what’s hopefully a much smaller file, which can be pulled into Excel or Notepad and analyzed to your heart’s content…