Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 21192 Source: MicrosoftISAServerWebProxy

The ISA Server Web filter was unable to connect to MSDE database. The MSDE Error description is: <error>.
As per Microsoft: "If your server is running Internet Security and Acceleration (ISA) Server, then at midnight ISA Server creates a new MSDE instance to store the next day's logging information for the Web and proxy traffic. If a backup is also a scheduled to begin at midnight, there is a conflict between the ISA Server MSDE instance and the backup process, and this conflict causes the server to lock down.
To exit the lockdown, restart the Microsoft Firewall service. To prevent this issue in the future, schedule the server backup to start at either 11:30 P.M. or 12:30 A.M. This ensures that there is no conflict between the ISA Server MSDE instance and the backup process". See the link to "TechNet - The server locks down reporting Event ID 21192" for additional information.
The server had a 21192 error in the event log. The ISA Server Web filter was unable to connect to MSDE database. The MSDE error description was: “Could not perform the requested operation because the minimum query memory is not available. Decrease the configured value for the “min memory per query” server configuration option. The statement has been terminated”. Then an informational event with Microsoft Firewall service being terminated gracefully was logged.
Restarting the MS Firewall service (ISA) would yield the same error. I had to restart the MSDE database (MSSQL$MSFW) and then MS Firewall for it to start.
- Error: "Timeout expired" - From a newsgroup post: "This problem can be due to a timeout connecting to the MSDE database. By default, the time out is set to 15 seconds. On large databases, if the ISA server has multiple purposes (Exchange, DC, SQL) this can become a problem as resources are not always available within the default timeout period. This timeout can be edited via the following registry value:

DatabaseQueryTimeout - RegDword

You may set this value to 300 decimal to provide a large enough timeout window to avoid this problem".

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.