Hi, Thanks Jason! I'm currently working on many filters one that I think has been key on my wish list is my suspected bad site data. This is for sql 2000 but could be adapted to any platform. I'm working on filters and an http filter now for ISA. This table structure will be part of my Stat@Sphere package http://www.stat-sphere.com or http://www.stat-sphere.net. You will be able to use the tool to generate a reply to the owner of the site. If we do it in a nice way I think that We will get good results on reporting sites that attack ours. The tool will also be able to generate the script to incorporate the appropriate site and content rules for blocking sites that have not responded or just to add them as suspected bad sites. if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[SuspectedSites]') and OBJECTPROPERTY(id, N'IsUserTable') = 1) drop table [dbo].[SuspectedSites] GO CREATE TABLE [dbo].[SuspectedSites] ( [SuspectID] [int] NOT NULL , [SuspectTypeID] [int] NOT NULL , [ContentID] [int] NULL , [SuspectName] [varchar] (300) COLLATE SQL_Latin1_General_CP1_CI_AS NULL , [SuspectURL] [varchar] (300) COLLATE SQL_Latin1_General_CP1_CI_AS NULL , [SuspectTextURL] [varchar] (300) COLLATE SQL_Latin1_General_CP1_CI_AS NULL , [Notes] [varchar] (4000) COLLATE SQL_Latin1_General_CP1_CI_AS NULL , [SuspectedData] [text] COLLATE SQL_Latin1_General_CP1_CI_AS NULL , [SubmitDate] [datetime] NULL , [UpdateDate] [datetime] NULL , [OwnerNotifiedYN] [bit] NOT NULL , [StatusTypeID] [int] NULL , [RecordTypeID] [int] NULL ) ON [PRIMARY] TEXTIMAGE_ON [PRIMARY] GO ALTER TABLE [dbo].[SuspectedSites] WITH NOCHECK ADD CONSTRAINT [DF_SuspectedSites_OwnerNotifiedYN] DEFAULT (0) FOR [OwnerNotifiedYN], CONSTRAINT [DF_SuspectedSites_StatusTypeID] DEFAULT (1) FOR [StatusTypeID], CONSTRAINT [DF_SuspectedSites_RecordTypeID] DEFAULT (1) FOR [RecordTypeID], CONSTRAINT [PK_SuspectedSites] PRIMARY KEY NONCLUSTERED ( [SuspectID] ) ON [PRIMARY] GO CREATE INDEX [IX_SuspectedSites_SuspectName] ON [dbo].[SuspectedSites]([SuspectName]) ON [PRIMARY] GO CREATE INDEX [IX_SuspectedSites_SuspectURL] ON [dbo].[SuspectedSites]([SuspectURL]) ON [PRIMARY] GO Joseph -----Original Message----- From: Jason Ballard [mailto:jasonb54@xxxxxxxxx] Sent: Wednesday, April 03, 2002 1:47 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: ISA LOGS again! http://www.ISAserver.org Very good point Joseph! -----Original Message----- From: Joseph [mailto:cismic@xxxxxxx] Sent: Wednesday, April 03, 2002 4:35 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: ISA LOGS again! http://www.ISAserver.org Hi, Another thing that should be done is to move the log files on a daily basis to your specific setup that will allow for log file process. I don't use the reporting mechanisms as supplied with ISA so I setup my ISA logs to be stored in a different location. That way once my log files are processed I can move to the processed queue for backup. The to process queue is feed into a database for analysis and filtering. At least in this way you can keep your log files constant and not have to worry about the 7 day lapse. Joseph -----Original Message----- From: Jason Ballard [mailto:jasonb54@xxxxxxxxx] Sent: Wednesday, April 03, 2002 12:53 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: ISA LOGS again! http://www.ISAserver.org By default, ISA saves 7 log files. Inside the ISA Management console, expand Monitoring Configuration | Logs. From here you can modify how many logs should be kept for each log type (Packet Filter, Web Proxy, Firewall Service). That should take care of it. Jason -----Original Message----- From: Rafael Rodrigues [mailto:lrafael@xxxxxxxxxxxxx] Sent: Wednesday, April 03, 2002 3:46 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: ISA LOGS again! http://www.ISAserver.org Thanks for the help guys... But and about my old logs? I just have 8 or 9 latest files. Tnks. Rafael Rodrigues. -----Mensagem original----- De: Tom Webb [mailto:twebb@xxxxxxxxxxxxxxxxxxx] Enviada em: quarta-feira, 3 de abril de 2002 16:35 Para: [ISAserver.org Discussion List] Assunto: [isalist] RE: ISA LOGS again! http://www.ISAserver.org Thanks group. Has anyone come up with any ideas concerning why the Proxy Service would just stop periodically? It will go sometimes for 5 or 6 hours, then it may shut down 5 times in the next two hours. Any suggestions will be greatly appreciated... Tom -----Original Message----- From: Jay J. Mobley [mailto:jmobley@xxxxxxxxxx] Sent: Wednesday, April 03, 2002 1:33 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: ISA LOGS again! http://www.ISAserver.org Most logs... be it webserver logs, ftp, ISA what have you, are going to have thier time offset to log at Grenich Mean time (sp?) this is a time standard. if you apply your time zone offset. (IE pacific time = -8 ) it should be right. -Jay > -----Original Message---- > From: Tom Webb [mailto:twebb@xxxxxxxxxxxxxxxxxxx] > Sent: Wednesday, April 03, 2002 11:20 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: ISA LOGS again! > > > http://www.ISAserver.org > > > Interesting. I've noticed a time discrepancy too. Anyone know why that > is? > > -----Original Message----- > From: Rafael Rodrigues [mailto:lrafael@xxxxxxxxxxxxx] > Sent: Wednesday, April 03, 2002 1:06 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] ISA LOGS again! > > > http://www.ISAserver.org > > > > Hi everybody. > > I'm trying to find who insite my network use a free mail (like > hotmail) to send a mail to mee. If this guy use a machine inside my > ISA Server, I think > have the internal IP trying to connect hotmail. I have the > day and the time, > and if I find at my isa logs what IP enter at hotmail.com at > this day and > time... I find the man. It's correct? > But I'm trying to find the log from today in c:\program > files\microsoft > isa server\isalogs and I just find the last 8 logs. Where's > all logs? Why > the log from today have incorrect time? Now it's 16:05 and I have > connections at 20:30 (for example). ISA Server record the > time from local > machime? > > Thanks... > > Rafael Rodrigues. > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > twebb@xxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to > $subst('Email.Unsub') > > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jmobley@xxxxxxxxxx To unsubscribe send a blank email to > $subst('Email.Unsub') > ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: twebb@xxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: lrafael@xxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jasonb54@xxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jasonb54@xxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')