by Etienne Liebetrau
There are a few reasons you might want to disable logging on a specific system policy rule. The main one is to reduce the volume of logged information, which speeds up not only the import of logs but also the analysis and reporting on them.
You might also want to eliminate all system activity and log only pure user interactions.
A single connectivity verifier running 24x7 will generate the best part of 25 000 records per day. If you have multiple sites configured, these hits are multiplied.
System Policy Rules can therefore create a large number of log records, bloat log file size and slow reporting speeds. Keep in mind that it is all relative.
It is not possible to disable logging for system rules through the Forefront TMG Management Console GUI. If you have ever tried, you will have received the following error:
The changes cannot be saved. Error: 0xc0040334 This property cannot be modified for the predefined item. The error occurred on object “the policy name” of class ‘Policy Rule’ in the scope of array .
You can however use a script to disable logging on system policy rules. (Thanks Richard Hicks)
The following scripts can all be run from the Enterprise Management Server (see Richard Hicks' article for scripts you can run directly on the arrays).
Substitute the placeholder values (the array name, the rule name and the True/False value; these were highlighted in green in the original post) with your own.
This is a handy starter script, since you will normally need to specify an array when making changes. This script returns the names of the arrays you need to use.
```vbscript
Set root = CreateObject("FPC.Root")
Dim array
For Each array In root.Arrays
    WScript.Echo array.Name   ' print the array's Name property explicitly
Next
```
There are many system rules (about 60) and to turn off logging individually you need to reference them by name. Some of the names are very long. To see a list of the rules, use the following script. In this case substitute the array name with one of the names enumerated earlier. Leave the quotation marks in place.
```vbscript
Set root = CreateObject("FPC.Root")
Set Array = root.Arrays.Item("EnterYourArrayNameHere")
Set Rules = Array.SystemPolicy.PolicyRules
For Each Rule In Rules
    WScript.Echo Rule.Name   ' print each rule's Name property explicitly
Next
```
Use the above script to retrieve all the rules. Once you have the list of rule names, you can individually disable logging for a rule with the following script.
```vbscript
Set root = CreateObject("FPC.Root")
Set Array = root.Arrays.Item("EnterYourArrayNameHere")   ' no trailing space inside the quotes
Set Rules = Array.SystemPolicy.PolicyRules
RuleName = "Really long system policy rule name"
Set Rule = Array.SystemPolicy.PolicyRules.Item(RuleName)
Rule.EnableLogging = False
Rule.Save   ' the change is not written back until the rule is saved
WScript.Echo RuleName & " Logging disabled"
```
It is also possible to disable logging for all system policy rules with the following script. This script is handy to keep around to be able to turn logging back on again for all the system policy rules. To do this you would set Rule.EnableLogging = True
```vbscript
Set root = CreateObject("FPC.Root")
Set Array = root.Arrays.Item("EnterYourArrayNameHere")
Set Rules = Array.SystemPolicy.PolicyRules
For Each Rule In Rules
    Rule.EnableLogging = False   ' set to True to turn logging back on for every system rule
    Rule.Save                    ' persist each change; without this nothing is written back
Next
```
Once the logging has been disabled you can verify this by checking the system policy rules from the management console. Close and reopen the console to confirm this, or press F5 and check the rule again.
A point to notice is that even if logging is disabled you might still see additional hits for that traffic appearing on the TMG Reporter dashboard. This continues until all sessions have ended and the backlog of records is processed. Existing records already imported into TMG Reporter will not be removed.
Take the conservative approach for turning off logging. If traffic is not logged it does not mean it does not happen, it just means that it is not logged for analysis or reporting. Effectively you lose visibility of that associated rule’s traffic. This is also a good reason to keep the script handy for turning logging back on again for all the system rules.
I have turned off logging on the following rules:
You might also occasionally want to enable or disable logging on normal access rules. This can of course easily be done via the GUI, but it is also possible to do it via a script. This is handy if you want to update a whole bunch of rules without manually changing each one. You can even go as far as creating a scheduled task to toggle logging on or off for a rule if you really want to.
The scripts for normal access rules are essentially the same. The difference is that instead of specifying

```vbscript
Set Rules = Array.SystemPolicy.PolicyRules
```

you simply specify the following:

```vbscript
Set Rules = Array.ArrayPolicy.PolicyRules
```
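The following script is an added example (not from the original post or from Richard Hicks' article) that ties the pieces above together: it takes the array name, the policy kind (system or access) and a mode on the command line, so the same script can verify the current logging state of every rule, turn logging off, or turn it back on, which makes it suitable for a scheduled task. It assumes only the FPC.Root COM object and the EnableLogging, Name and Save members used on this page; the argument names and the script filename are my own.

```vbscript
' toggle-rule-logging.vbs (added example)
' Usage: cscript toggle-rule-logging.vbs <ArrayName> <system|access> <show|on|off>
'   show - list every rule and whether logging is enabled (verification)
'   on   - enable logging on all rules in the selected policy
'   off  - disable logging on all rules in the selected policy
Option Explicit

Dim Args, ArrayName, PolicyKind, Mode
Set Args = WScript.Arguments
If Args.Count <> 3 Then
    WScript.Echo "Usage: cscript toggle-rule-logging.vbs <ArrayName> <system|access> <show|on|off>"
    WScript.Quit 1
End If
ArrayName  = Args(0)
PolicyKind = LCase(Args(1))
Mode       = LCase(Args(2))

Dim Root, Arr, Rules, Rule, Changed
Set Root = CreateObject("FPC.Root")
Set Arr  = Root.Arrays.Item(ArrayName)

' System policy rules and ordinary access rules live in different collections
If PolicyKind = "system" Then
    Set Rules = Arr.SystemPolicy.PolicyRules
ElseIf PolicyKind = "access" Then
    Set Rules = Arr.ArrayPolicy.PolicyRules
Else
    WScript.Echo "Second argument must be 'system' or 'access'"
    WScript.Quit 1
End If

Changed = 0
For Each Rule In Rules
    Select Case Mode
        Case "show"
            WScript.Echo Rule.Name & vbTab & "Logging=" & Rule.EnableLogging
        Case "on", "off"
            ' only touch rules whose state actually differs from the requested one
            If Rule.EnableLogging <> (Mode = "on") Then
                Rule.EnableLogging = (Mode = "on")
                Rule.Save   ' nothing is persisted until the rule is saved
                Changed = Changed + 1
            End If
        Case Else
            WScript.Echo "Third argument must be show, on or off"
            WScript.Quit 1
    End Select
Next
If Mode <> "show" Then WScript.Echo Changed & " rule(s) updated in array " & ArrayName
```

Run it from the Enterprise Management Server with cscript, then run it again in show mode to confirm the change before relying on the console display.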
If you are new to scripting and you are not sure how this all fits together, don't worry, it is relatively easy.
For more information about scripting TMG and some additional sample scripts see: https://msdn.microsoft.com/en-us/library/ff827426(v=vs.85)
This article by Richard Hicks also has great information on how to disable system policy rules with some useful screenshots too. It also contains the scripts for running directly on the arrays without having to run the script from the Enterprise Management Server (EMS): Disable logging on system policy rules in Forefront TMG 2010