RE: ISA LOGS again!

  • From: "Joseph" <cismic@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 3 Apr 2002 14:33:16 -0800

Hi,
Thanks Jason!

I'm currently working on many filters; one that I think has been key on
my wish list is my suspected bad site data.
This is for SQL 2000 but could be adapted to any platform.  I'm working
on filters and an HTTP filter now for ISA.
This table structure will be part of my Stat@Sphere package
http://www.stat-sphere.com or http://www.stat-sphere.net.
You will be able to use the tool to generate a reply to the owner of the
site. If we do it in a nice way I think that
we will get good results on reporting sites that attack ours. The tool
will also be able to generate the script to incorporate the appropriate
site and content rules for blocking sites that have not responded or
just to add them as suspected bad sites.

-- Drop the table if an earlier version already exists
if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[SuspectedSites]') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
drop table [dbo].[SuspectedSites]
GO

-- One row per suspected bad site: who it is, what was seen, and notification status
CREATE TABLE [dbo].[SuspectedSites] (
        [SuspectID] [int] NOT NULL ,
        [SuspectTypeID] [int] NOT NULL ,
        [ContentID] [int] NULL ,
        [SuspectName] [varchar] (300) COLLATE SQL_Latin1_General_CP1_CI_AS NULL ,
        [SuspectURL] [varchar] (300) COLLATE SQL_Latin1_General_CP1_CI_AS NULL ,
        [SuspectTextURL] [varchar] (300) COLLATE SQL_Latin1_General_CP1_CI_AS NULL ,
        [Notes] [varchar] (4000) COLLATE SQL_Latin1_General_CP1_CI_AS NULL ,
        [SuspectedData] [text] COLLATE SQL_Latin1_General_CP1_CI_AS NULL ,
        [SubmitDate] [datetime] NULL ,
        [UpdateDate] [datetime] NULL ,
        [OwnerNotifiedYN] [bit] NOT NULL ,
        [StatusTypeID] [int] NULL ,
        [RecordTypeID] [int] NULL
) ON [PRIMARY] TEXTIMAGE_ON [PRIMARY]
GO

-- Defaults: owner not yet notified, status and record type start at 1
ALTER TABLE [dbo].[SuspectedSites] WITH NOCHECK ADD
        CONSTRAINT [DF_SuspectedSites_OwnerNotifiedYN] DEFAULT (0) FOR [OwnerNotifiedYN],
        CONSTRAINT [DF_SuspectedSites_StatusTypeID] DEFAULT (1) FOR [StatusTypeID],
        CONSTRAINT [DF_SuspectedSites_RecordTypeID] DEFAULT (1) FOR [RecordTypeID],
        CONSTRAINT [PK_SuspectedSites] PRIMARY KEY  NONCLUSTERED
        (
                [SuspectID]
        )  ON [PRIMARY]
GO

-- Lookups by site name and URL are the common queries, so index both
CREATE  INDEX [IX_SuspectedSites_SuspectName] ON [dbo].[SuspectedSites]([SuspectName]) ON [PRIMARY]
GO

CREATE  INDEX [IX_SuspectedSites_SuspectURL] ON [dbo].[SuspectedSites]([SuspectURL]) ON [PRIMARY]
GO


Joseph

-----Original Message-----
From: Jason Ballard [mailto:jasonb54@xxxxxxxxx] 
Sent: Wednesday, April 03, 2002 1:47 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA LOGS again!


http://www.ISAserver.org


Very good point Joseph!

-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx] 
Sent: Wednesday, April 03, 2002 4:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA LOGS again!

Hi,

Another thing that should be done is to move the log files on a daily
basis to your specific setup that will allow for log file processing. I
don't use the reporting mechanisms as supplied with ISA so I set up my
ISA logs to be stored in a different location.  That way once my log
files are processed I can move them to the processed queue for backup.
The to-process queue is fed into a database for analysis and filtering.

At least in this way you can keep your log files constant and not have
to worry about the 7 day lapse.

Joseph
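The daily log-moving routine Joseph describes (finished logs leave the ISA
log folder for a to-process queue, and go to a processed queue once loaded
into the database), as an added Python example; this is not Joseph's own
tooling or any part of his Stat@Sphere package. The
ISALOG_<yyyymmdd>_<WEB|FWS|IPP>_<nnn>.w3c file naming, the service codes and
the queue directory names are assumptions of this example.

```python
"""Move finished ISA log files into a to-process queue, then into a processed queue.

Added example, not Joseph's script. Assumed (hypothetical) naming: one W3C file
per service per day, ISALOG_<yyyymmdd>_<WEB|FWS|IPP>_<nnn>.w3c. The file carrying
today's date is still being written by the service and is therefore left alone.
"""
import os
import re
import shutil
import tempfile
from datetime import date

# Assumed ISA 2000 daily log file naming pattern (this example's assumption).
LOG_NAME = re.compile(r"^ISALOG_(\d{8})_(WEB|FWS|IPP)_\d{3}\.w3c$", re.IGNORECASE)


def finished_logs(names, today_yyyymmdd):
    """Return the log files dated before today, sorted, from a directory listing.

    Today's files may still be open, so they stay put; names that do not match
    the ISA pattern (reports, stray files) are ignored rather than moved.
    """
    finished = []
    for name in names:
        m = LOG_NAME.match(name)
        if m and m.group(1) < today_yyyymmdd:   # yyyymmdd compares correctly as text
            finished.append(name)
    return sorted(finished)


def queue_logs(isalogs_dir, to_process_dir, today_yyyymmdd=None):
    """Move every finished log out of the ISA log folder into the to-process queue."""
    today_yyyymmdd = today_yyyymmdd or date.today().strftime("%Y%m%d")
    os.makedirs(to_process_dir, exist_ok=True)
    moved = []
    for name in finished_logs(os.listdir(isalogs_dir), today_yyyymmdd):
        shutil.move(os.path.join(isalogs_dir, name), os.path.join(to_process_dir, name))
        moved.append(name)
    return moved


def mark_processed(to_process_dir, processed_dir, name):
    """Once a file has been loaded into the database, move it to the backup queue."""
    os.makedirs(processed_dir, exist_ok=True)
    dest = os.path.join(processed_dir, name)
    shutil.move(os.path.join(to_process_dir, name), dest)
    return dest


def demo_round_trip():
    """Run the queue on a throwaway directory tree; returns what moved where.

    Constructed input: two finished days plus today's still-open file.
    """
    root = tempfile.mkdtemp()
    isalogs = os.path.join(root, "isalogs")
    os.makedirs(isalogs)
    for name in ("ISALOG_20020401_WEB_000.w3c",
                 "ISALOG_20020402_WEB_000.w3c",
                 "ISALOG_20020403_WEB_000.w3c"):
        with open(os.path.join(isalogs, name), "w") as fh:
            fh.write("#Software: constructed sample\n")
    to_process = os.path.join(root, "to_process")
    processed = os.path.join(root, "processed")
    moved = queue_logs(isalogs, to_process, "20020403")
    for name in moved:                       # stand-in for the database load step
        mark_processed(to_process, processed, name)
    result = (moved, sorted(os.listdir(isalogs)), sorted(os.listdir(processed)))
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo_round_trip())
```

Scheduling `queue_logs` once a day keeps the ISA log folder short regardless
of the console's file-count limit, and the processed queue is what gets backed
up.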

-----Original Message-----
From: Jason Ballard [mailto:jasonb54@xxxxxxxxx] 
Sent: Wednesday, April 03, 2002 12:53 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA LOGS again!

By default, ISA saves 7 log files.  Inside the ISA Management console,
expand Monitoring Configuration | Logs.  From here you can modify how
many logs should be kept for each log type (Packet Filter, Web Proxy,
Firewall Service).

That should take care of it.

Jason

-----Original Message-----
From: Rafael Rodrigues [mailto:lrafael@xxxxxxxxxxxxx] 
Sent: Wednesday, April 03, 2002 3:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA LOGS again!

Thanks for the help guys... But what about my old logs? I just have the 8
or 9 latest files.

Thanks.

Rafael Rodrigues.

-----Original Message-----
From: Tom Webb [mailto:twebb@xxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, 3 April 2002 16:35
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA LOGS again!

Thanks group. Has anyone come up with any ideas concerning why the Proxy
Service would just stop periodically? It will go sometimes for 5 or 6
hours, then it may shut down 5 times in the next two hours. Any
suggestions will be greatly appreciated... Tom

-----Original Message-----
From: Jay J. Mobley [mailto:jmobley@xxxxxxxxxx]
Sent: Wednesday, April 03, 2002 1:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA LOGS again!

Most logs... be it webserver logs, ftp, ISA, what have you, are going to
have their time offset to log at Greenwich Mean Time; this is a time
standard. If you apply your time zone offset (i.e. Pacific time = -8) it
should be right.

-Jay
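Jay's point about GMT timestamps, applied to Rafael's question of which
internal address reached hotmail.com at a given local time, as an added
Python example that is not code from any post in this thread. The
`#Fields` header and the log lines are constructed and simplified (a real
ISA 2000 web proxy log carries more columns, but the `#Fields` directive
declares the layout, so the parser works unchanged on the full format); the
-8 hour offset is Jay's Pacific example.

```python
"""Parse ISA W3C log lines, shift GMT timestamps to local time, and find the client.

Added example, not code from the thread. SAMPLE_LOG is a constructed, simplified
log; the #Fields directive tells parse_w3c the column layout, so it does not
depend on this exact set of columns.
"""
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample. Times are GMT, as Jay describes; the 03:15 GMT entry lands
# on the previous calendar day once a negative offset is applied.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Fields: c-ip cs-username date time r-host cs-uri sc-status
10.1.1.9 anonymous 2002-04-03 03:15:00 www.hotmail.com http://www.hotmail.com/ 200
10.1.1.23 anonymous 2002-04-03 20:30:12 www.hotmail.com http://www.hotmail.com/ 200
10.1.1.40 anonymous 2002-04-03 20:31:02 www.isaserver.org http://www.isaserver.org/ 200
10.1.1.77 anonymous 2002-04-03 23:10:45 mail.hotmail.com http://mail.hotmail.com/ 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no records
        if fields is None:
            raise ValueError("record appears before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def to_local(record, utc_offset_hours):
    """Combine the GMT date and time columns and apply the site's UTC offset."""
    gmt = datetime.strptime(record["date"] + " " + record["time"], TIME_FMT)
    return gmt + timedelta(hours=utc_offset_hours)


def clients_for_host(text, host, start_local, end_local, utc_offset_hours):
    """Return (client IP, local time) for requests to host or any of its subdomains
    whose local time falls within [start_local, end_local] ('YYYY-MM-DD HH:MM:SS')."""
    start = datetime.strptime(start_local, TIME_FMT)
    end = datetime.strptime(end_local, TIME_FMT)
    host = host.lower()
    hits = []
    for rec in parse_w3c(text):
        seen = rec["r-host"].lower()
        # exact match or a subdomain; "nothotmail.com" must not match
        if seen != host and not seen.endswith("." + host):
            continue
        when = to_local(rec, utc_offset_hours)
        if start <= when <= end:
            hits.append((rec["c-ip"], when.strftime(TIME_FMT)))
    return hits


if __name__ == "__main__":
    # Pacific time, Jay's example: -8 hours from GMT.
    print(clients_for_host(SAMPLE_LOG, "hotmail.com",
                           "2002-04-03 12:00:00", "2002-04-03 13:00:00", -8))
```

The window is given in local time because that is how the reporter (or the
mail header) states it; the conversion happens once per record, so a query
for a late-evening local window correctly picks up entries the log dates on
the following GMT day.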

> -----Original Message-----
> From: Tom Webb [mailto:twebb@xxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, April 03, 2002 11:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA LOGS again!
>
> Interesting. I've noticed a time discrepancy too. Anyone know why that
> is?
>
> -----Original Message-----
> From: Rafael Rodrigues [mailto:lrafael@xxxxxxxxxxxxx]
> Sent: Wednesday, April 03, 2002 1:06 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] ISA LOGS again!
>
>   Hi everybody.
>
>   I'm trying to find who inside my network uses a free mail (like
> hotmail) to send a mail to me. If this guy uses a machine inside my
> ISA Server, I think I have the internal IP trying to connect to hotmail.
> I have the day and the time, and if I find at my ISA logs what IP
> entered hotmail.com at this day and time... I find the man. Is it
> correct?
>   But I'm trying to find the log from today in c:\program
> files\microsoft isa server\isalogs and I just find the last 8 logs.
> Where are all the logs? Why does the log from today have an incorrect
> time? Now it's 16:05 and I have connections at 20:30 (for example).
> Does ISA Server record the time from the local machine?
>
> Thanks...
>
> Rafael Rodrigues.
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> twebb@xxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
> $subst('Email.Unsub')
