LLQ (Large Logging Queue) is a new feature in Microsoft Forefront TMG that reduces how often TMG enters Firewall lockdown mode because of logging failures. The Large Logging Queue is a local queue directory on your TMG Server that stores TMG log entries when TMG cannot write to the log destination, which by default is the SQL Server Express edition. LLQ has two main components: one runs in Kernel mode (FWENG.SYS) and the other in User mode (Dispatcher). The User mode process only reads data from the hard disk, while the Kernel mode process Fweng writes to the hard disk.
There is an explicit Log status button to see the status of Forefront TMG logging. If the connection to the local or remote Microsoft SQL Server could not be established, the Log queue begins to grow. After the connection to the local or remote SQL Server has been reestablished, the data in the Log queue will be written to the SQL Server database.
Microsoft Forefront TMG logging can be very intensive. It can quickly fill up the SQL Server database, and if the Forefront TMG Administrator starts TMG real-time logging without filtering the traffic, a large amount of varied data is displayed. To reduce the amount of logged data I often used a Garbage rule in Forefront TMG which allows “unnecessary” traffic such as DHCP requests and replies, NetBIOS requests and others, with the logging option disabled in the Firewall rule. You must place the rule in front of the other Firewall rules. The following screenshot shows a Garbage rule.
Open the properties of the Garbage rule, select the Action tab and clear the “Log requests matching the rule” check box. From now on Forefront TMG will allow this type of traffic but will not log it.
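A way to audit the setting described above, as an added example that is not part of the original article: the PowerShell script below lists every firewall policy rule whose “Log requests matching the rule” option is off, so that unlogged allow rules stay limited to the intended Garbage rule. It assumes the TMG COM object model (`FPC.Root`, with the rule properties `Name`, `Order`, `Enabled`, `Action` and `EnableLogging`) and has to run locally on the TMG server.

```powershell
# Added example: report TMG firewall policy rules that have logging disabled.
# Run in an elevated PowerShell session on the TMG server itself.
# Assumption: the FPC COM object model exposes Name, Order, Enabled, Action
# and EnableLogging on each policy rule.

$root  = New-Object -ComObject FPC.Root
$array = $root.GetContainingArray()
$rules = $array.ArrayPolicy.PolicyRules

$report = foreach ($rule in $rules) {
    if (-not $rule.EnableLogging) {
        # Assumed FpcActions mapping: 0 = allow, 1 = deny
        $action = switch ($rule.Action) {
            0       { 'Allow' }
            1       { 'Deny' }
            default { "Unknown($_)" }
        }
        # New-Object PSObject keeps the script usable on PowerShell 2.0
        New-Object PSObject -Property @{
            Order   = $rule.Order
            Name    = $rule.Name
            Enabled = $rule.Enabled
            Action  = $action
        }
    }
}

if (-not $report) {
    Write-Output 'All firewall policy rules have logging enabled.'
}
else {
    $report | Sort-Object Order |
        Select-Object Order, Name, Enabled, Action |
        Format-Table -AutoSize

    # Enabled allow rules without logging pass traffic that never reaches the log
    $unlogged = @($report | Where-Object { $_.Enabled -and $_.Action -eq 'Allow' })
    if ($unlogged.Count -gt 0) {
        Write-Warning ("{0} enabled allow rule(s) pass traffic without logging: {1}" -f `
            $unlogged.Count, (($unlogged | ForEach-Object { $_.Name }) -join ', '))
    }
}
```

Any rule in the warning other than the Garbage rule is traffic that is allowed through the firewall without a log record and should be reviewed.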
Another way to reduce the amount of logged traffic in Forefront TMG is to select which fields are logged for Firewall and Web Proxy logging. Depending on the requirements of the IT department or on legal requirements, it is possible to deselect some logging fields, as you can see in the following screenshot. I marked some logging fields which might be unnecessary to log. In your production environment you might have to choose more or other logging fields depending on your needs.
In this article, I gave you an overview of the different logging mechanisms in Forefront TMG. I showed you the advantages and disadvantages of the logging options. We had a special look at the options for reducing the amount of logging data with the help of a Garbage rule, which allows unnecessary traffic in Forefront TMG but doesn’t log it. I also showed you how to reduce the amount of logged data by disabling the logging of several log fields.