Tuesday, 8 September 2009

How to Clear the Change Tracking Log in ISA Server 2006 SP1

For reasons I won’t go into, I recently wanted to clear the Change Tracking log and remove all previous entries from the list. There appeared to be no obvious way to achieve this in the GUI (probably for good reason) but I wanted to share with the community how it can be achieved anyhow…

So, below we can see our example Change Tracking log full of entries we no longer need. This can be seen by looking at the Change Tracking tab under the Monitoring node:

changetracking1

Clearing the log then involves two simple steps…

Step 1: Modify Existing Change Tracking Limit

Below is a screenshot of the default Change Tracking configuration:

changetracking 

This needs to be reconfigured as follows:

For Standard Edition

  • In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand the <Server Name> node, and then click Monitoring.
  • Select the Change Tracking tab.
  • From the Tasks tab, click Configure Change Tracking.
  • Change the default entries limit set from 1000 (the default) to 0. If you have a value different to 1000, change this to 0 anyhow.
  • Click OK to close the Change Tracking window.
  • Click the Apply button in the details pane to save the changes and update the configuration.

For Enterprise Edition

  • In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006. Right click the Enterprise node and select Properties.
  • Select the Change Tracking tab.
  • Change the default entries limit set from 1000 (the default) to 0. If you have a value different to 1000, change this to 0 anyway.
  • Click OK to close the Enterprise Properties window.
  • Click the Apply button in the details pane to save the changes and update the configuration.

Please Note: If you are using Enterprise Edition, you will need ISA Server Enterprise Administrator permissions to make the above changes.

We should then have:

changetracking2

Step 2: Restore Original Change Tracking Limit

In order to restore the original Change Tracking limit, we simply reverse the procedure defined above:

For Standard Edition

  • In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand the <Server Name> node, and then click Monitoring.
  • Select the Change Tracking tab.
  • From the Tasks tab, click Configure Change Tracking.
  • Change the default entries limit set from 0 to 1000 (the default). If you previously had a value different to 1000, restore the original value.
  • Click OK to close the Change Tracking window.
  • Click the Apply button in the details pane to save the changes and update the configuration.

For Enterprise Edition

  • In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006. Right click the Enterprise node and select Properties.
  • Select the Change Tracking tab.
  • Change the default entries limit set from 0 to 1000 (the default). If you previously had a value different to 1000, restore the original value.
  • Click OK to close the Enterprise Properties window.
  • Click the Apply button in the details pane to save the changes and update the configuration.

We should then be back to the default Change Tracking configuration:

changetracking

If we now look at the Change Tracking tab under the Monitoring node we should see the following:

changetracking4

So, there we go, a nice blank change tracking log in two easy steps – simple! ;)

Please Note: For Enterprise edition, the above procedure assumes Change Tracking is enabled at the ISA Server enterprise level and will consequently clear all array-level Change Tracking logs at the same time. If you have change tracking enabled at the array-level only, and want to clear a single array Change Tracking log, this can be done by applying the same concept to the array object as opposed to the entire ISA Server enterprise.

If you prefer a command line approach as opposed to the GUI, it is also possible to clear the log using scripts as detailed here:

Change Tracking - Log Management via Scripts

It is also interesting to note that the upcoming new release of ISA Server, named Threat Management Gateway (TMG), will support an improved Change Tracking feature. Part of this update will include a dedicated API with a ClearLog function. Read more here:

Change Tracking in TMG

Hope this is useful…

2 comments:

  1. The reason there's no clear log UI is not perceived security - Event Log viewer does have it.

    The reason is UI clarity. In Enterprise Edition, the viewer is combining several logs (array, enterprise, enterprise policy), and it's not clear which of those the "clear log" button would clear. We wanted to avoid explaining stuff on the UI, plus the questions of "I hit clear, why does my log still show Enterprise entries", etc.

    We hope the TMG support for ClearLog on scripts, plus the way described here, is sufficient.

  2. >> Jon

    Thanks for clarification.
