The best way is to track that user down using the logs. But first you need to change over to MSDE logging. It's already installed for you so may as well use it then you can search the logs at will without having to resort to the log parser. While you have Monitoring open click on Configure Firewall Logging, select MSDE. Do the same for Web Proxy Logging. From this point forward you'll be able to search the logs right here by defining your query. Right now, it's Excel for you. Open the log file with Excel, sort by Client IP or what ever information you've got and you'll be able to locate the PC that's downloading music or movies on work time. Amy Babinchak Harbor Computer Services http://isainsbs.blogspot.com http://keepitsecure.blogspot.com http://www.harborcomputerservices.net ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathon J. Howey Sent: Tuesday, July 25, 2006 6:20 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Best way to track down issue from Generated Report? If your "I'll reply again" was in regards to this thread, I did not receive it then. FW Client installed: Already was SBS created (probably from ISA 2000 upgrade) a "SBS Internet Users" group which all the rules use, so unless something is broken with that, anonymous / "All Users" shouldn't be a problem... Jonathon J. Howey MENSE Inc. P 780.409.5620 F 780.409.5621 D 780.409.5628 C 780.965.8363 Jonathon@xxxxxxxx Defining the Future of Industry www.MENSE.ca <http://www.mense.ca/> ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat Sent: July 25, 2006 2:39 PM To: ISA Mailing List Subject: [isalist] Re: Best way to track down issue from Generated Report? I'll reply again. You need to install the FW client, disallow the anonymous requests, create a user group within ISA and apply the user group to your internet access rule. S From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathon J. Howey Sent: Tuesday, July 25, 2006 5:35 PM To: ISA Mailing List Subject: [isalist] Best way to track down issue from Generated Report? Last try ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathon J. Howey Sent: July 17, 2006 11:11 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Best way to track down issue from Generated Report? Hi, For a 7-day period, the report is saying that one user downloaded 11.53 GB. What's the best way to track down where this data came from, what time, etc? (ie which log, etc.)? I tried using MS Log Parser, but all the logs seem to have are wpad/wspad.dat lookups for the *.129 IP. No User Requests % of Total Requests Bytes In % of Total Bytes In Bytes Out % of Total Bytes Out Total Bytes % of Total Bytes 1 192.168.100.129 11756 1.70 % 11.53 GB 46.70 % 909.96 MB 5.90 % 12.41 GB 31.10 % Thanks. Jonathon J. Howey MENSE Inc. P 780.409.5620 F 780.409.5621 D 780.409.5628 C 780.965.8363 Jonathon@xxxxxxxx Defining the Future of Industry www.MENSE.ca <http://www.mense.ca/>