Parse logs to find which user connected at what address at a given time

  • Question

  • So, the UAG DA webmonitor is nice to see who has active tunnels and stuff, but for debugging (specifically security issues and NAT64) I need to know which user was connected from where on a given date... I had a look at the "reports" feature of TMG but could only figure out nice "stats" and no details. I presume this is logged, but how to dig it out?
    Tuesday, December 20, 2011 10:07 PM

All replies

  • Hi

    PowerShell can save you: Get-DirectAccessUsers -ShowHistory $True -StartTime "06/05/2011 08:00:00 AM"

    But don't forget to register the PowerShell snap-in:

    InstallUtil.exe "c:\Program Files\Microsoft Forefront Unified Access Gateway\Common\Bin\Da\Monitoring\DAUserMonitoringSnapIn.Dll"


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Wednesday, December 21, 2011 7:55 AM
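    A way to string the two steps above together and keep the result for later correlation (this is an added example, not code from the thread or from UAG itself; it assumes the registered snap-in name contains "DAUserMonitoring" and that Get-DirectAccessUsers emits objects that Export-Csv can serialise):

    ```powershell
    # One-time registration, using the DLL path given in the reply above.
    # Run from an elevated PowerShell on the UAG server.
    $dll = 'C:\Program Files\Microsoft Forefront Unified Access Gateway\Common\Bin\Da\Monitoring\DAUserMonitoringSnapIn.Dll'
    if (-not (Get-PSSnapin -Registered | Where-Object { $_.Name -like '*DAUserMonitoring*' })) {
        & "$env:windir\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe" $dll
    }

    # Load the snap-in (name pattern is an assumption; confirm with Get-PSSnapin -Registered).
    $snapin = Get-PSSnapin -Registered | Where-Object { $_.Name -like '*DAUserMonitoring*' } | Select-Object -First 1
    Add-PSSnapin $snapin.Name

    # Pull the connection history from the start of the day being investigated.
    # The date string uses the same format the reply shows.
    $history = Get-DirectAccessUsers -ShowHistory $True -StartTime "12/20/2011 12:00:00 AM"

    # Inspect every property once so you know which fields carry the user and address,
    # then keep the raw objects as CSV so the evidence survives the snap-in session.
    $history | Select-Object -First 1 | Format-List *
    $history | Export-Csv -Path "$env:USERPROFILE\Desktop\da-history-2011-12-20.csv" -NoTypeInformation
    ```

    The CSV can then be filtered in Excel or with Import-Csv against the time window you care about.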
  • Thanks both of you; however, I couldn't seem to find any info on the users' source IP addresses (in this case only the Teredo addresses...)?
    Wednesday, December 21, 2011 10:33 PM
  • Uhm, I followed one of those to load filter definitions, but how do I get back the original filter definitions? I can't seem to figure that out...
    Wednesday, December 21, 2011 10:51 PM
  • You can adjust the filter definitions individually at any time. In the Logs & Reports section of TMG, under the Logging tab the top section lists the variables with which you are currently filtering your query. You can right-click on any of these variables and click "Edit Filter" or choose "Edit Filter" from the Logging Tasks on the right-hand side.

    By default, I believe TMG (on a UAG box) is set like this:

    Log Record Type - Equals - Firewall or Web Proxy Filter
    Log Time - Live
    Action - Not Equal - Connection Status

    Thursday, December 22, 2011 3:05 PM