It might work, but you would have to add another interface for it to capture on and then play some serious games with it to make sure it only took over that interface. I can almost guarantee you it wouldn't simplify anything, but would only make life worse. It's far easier to put it on a separate box and get your switch ports mirrored. If you're out of switch ports then buy a good, reliable hub to get it on the same segment.

During my testing I remember getting it set up and then the whole box going into promiscuous mode. Couldn't even get in via TS on a separate interface with a separate IP. Elron's tech support is quite good, though, and I think that was resolved. It was about that time that I transferred out of the dept, though, and thus off the project.

I don't think that co-locating it would be a best practice. At the low levels that Elron works at I can just imagine all kinds of red flags. Also, best to leave it separate as an eavesdropper and not let it take over your ISA's resources. Suck it up and spend the money for another box, it'll be worth saving the headaches.

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation
RBNA/CSA1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P)
(248) 848-6969 (F)
shawn.quillman@xxxxxxxxxxxx

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, April 15, 2004 1:45 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Logs Problem

http://www.ISAserver.org

Hi Shawn,

Pretty interesting app. I wonder if it would work as an "on-box" solution? I usually don't like co-locating stuff on the ISA box, but it would simplify the deployment a bit (if it works on-box).

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA 2004 Beta - Get it now! http://www.microsoft.com/isaserver/beta/default.asp
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Quillman Shawn (RBNA/CSA1) [mailto:Shawn.Quillman@xxxxxxxxxxxx]
Sent: Thursday, April 15, 2004 12:26 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Logs Problem

WebSpy is, in my opinion, the best log analyzer out there. It was quite a bit quicker than WebTrends and had a nice interface. It was between WebSpy and Elron when it came down to it for me. If it was just an every now and then thing I would have gone with WebSpy, but Elron makes it really easy to do on-demand reporting for non-tech folks like HR. There's still log importing you need to do with WebSpy (if I remember correctly) which I didn't want to have to deal with.

Elron's a packet sniffer and as such is a real-time analyzer. Costs a bit more and implementation is quite a bit more involved, but with the dynamic LDAP support it now has it is quite powerful. Since it's a packet analyzer, though, you do have to have it on the same segment as whichever ISA interface you're interested in. That meant I had to have 2 Elron boxes, one for each of our proxies, since the proxies are in two different offices a few hundred miles apart. Can also mean some fun with switches, getting ports mirrored and all.

It is designed with distributed environments in mind so you can have X number of capture points that log to one central database for your reports. In that scenario you'd probably want some decent bandwidth between those locations if you have a lot of web traffic getting logged.

For large organizations with the resources I'd go with Elron. Smaller places, I'd go with WebSpy.

-Shawn

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, April 15, 2004 1:07 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Logs Problem

Hi Shawn,

How about WebSpy Giga? I've been using that to process large logs, and it does tax my P4-1.8 with 1 GB, but the results do finally appear.

Thanks!
Tom

-----Original Message-----
From: Quillman Shawn (RBNA/CSA1) [mailto:Shawn.Quillman@xxxxxxxxxxxx]
Sent: Thursday, April 15, 2004 12:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Logs Problem

Sweet, that's good to hear :)

I like WebTrends, but my logs outgrew it. I had to throw some serious memory at the box I ran it on. My logs were getting to be > 1GB per day on each of my 2 proxies. I had to do some preparsing just to do a specific user report and couldn't do any general reporting for more than a day or two at a time.

We ended up switching over to Elron's Internet Manager now that they have dynamic LDAP support and can tie into AD without having to set up import jobs for user information. We did that just before I transferred out of the IT dept, though, so I don't really know how it's working for them. Elron has the SurfControl database built into it for access restrictions and categorization (I think it's SurfControl's) and I guarantee you that that part is working... No more web mail for us! Which is, I gotta admit, as it should be :)

-Shawn

-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Thursday, April 15, 2004 12:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Logs Problem

It is a good script too! I used it on my Linux box for testing.

What do you think about WebTrends?

Thank you,
Joseph

----- Original Message -----
From: "Quillman Shawn (RBNA/CSA1)" <Shawn.Quillman@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, April 15, 2004 9:10 AM
Subject: [isalist] Re: ISA Logs Problem

The perl script is just a log converter, not an analyzer. It will take a W3C formatted log and convert it to ISA format. I wrote it for a problem similar to this. I had a slew of W3C formatted logs and an analyzer (WebTrends Firewall Suite) that only accepted ISA formatted logs.

-Shawn

-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Thursday, April 15, 2004 12:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Logs Problem

Hi Ahmed,

There are a number of packages out there. I've actually written my own. Although I do my queries when I get the data into my database. Microsoft has the log parser which you can use to query the data. Also, out on http://isatools.org you can find a couple of other parsers. I think that there even is a Perl script.

Thank you,
Joseph

----- Original Message -----
From: "Nabil, Ahmed" <anmahmou@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, April 15, 2004 4:04 AM
Subject: [isalist] Re: ISA Logs Problem

Thanks for the info.

How can I then change my logs to reflect my time, the whole logs (Firewall, proxy.....etc)?

Also, do you know any software to read my logs instead of the ISA format, a software to filter and search for items?

Thanks,
Ahmed

-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Thursday, April 15, 2004 11:09 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Logs Problem

Hi Nabil,

Logs are kept in what used to be called Greenwich time, or the 24 hour clock etc. Pacific time is -8 from Greenwich time. Take a look at this: UTC or GMT.

I think that a good site for those who would like to know is http://greenwichmeantime.com. From this site you'll be able to determine what your Zulu time settings should be.

For example:

    convlog -ie Logfile.log -t ncsa:-0800

is for the Pacific time zone.

The convlog also has the following syntax available:

    Usage: convlog [options] LogFile
    Options:
    -i<i|n|e> = input logfile type
        i - MS Internet Standard Log File
        n - NCSA Common Log File format
        e - W3C Extended Log File Format
    -t <ncsa[:GMTOffset] | none> default i
    -o <output directory> default = curren
    -x save non-www entries to a .dmp logf
    -d = convert IP addresses to DNS
    -l<0|1|2> = Date locale format for MS
        0 - MM/DD/YY (default e.g. US)
        1 - YY/MM/DD (e.g. Japan)
        2 - DD.MM.YY (e.g. Germany)
    Examples:
    convlog -ii in*.log -d -t ncsa:+0800
    convlog -in ncsa*.log -d
    convlog -ii jra*.log -t none

----- Original Message -----
From: "Nabil, Ahmed" <anmahmou@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, April 15, 2004 12:18 AM
Subject: [isalist] ISA Logs Problem

Good morning All,

I am having two problems with my ISA Logs and I need your advice.

1. There is a time shift of almost 7 hours in the logs, it's not showing the correct exact time of each web request. How can I fix this issue?

2. It's very hard to check these logs in this format, is there any well known program to import these logs to read them in an organized way?

Thanks for your help,
Ahmed

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
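Added example (not part of the thread, and not the Perl script or convlog mentioned in it): the time shift in the original question and the `-t ncsa:-0800` offset in the reply both come down to W3C-format logs carrying GMT timestamps, so this sketch applies a convlog-style GMT offset to the `date` and `time` columns of a W3C extended log while keeping the original UTC value for correlation with other sources. The sample log lines and the `utc` output key are constructed for illustration.

```python
from datetime import datetime, timedelta
import re

# Constructed sample in W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-username cs-uri sc-status
2004-04-15 06:59:30 10.0.0.5 anonymous http://example.com/ 200
2004-04-15 23:30:00 10.0.0.7 anonymous http://example.org/a 404
this line is truncated
"""

def parse_offset(text):
    """Turn a convlog-style GMT offset such as '-0800' or '+0530' into a timedelta."""
    m = re.fullmatch(r"([+-])(\d{2})(\d{2})", text)
    if not m or int(m.group(3)) > 59:
        raise ValueError(f"bad GMT offset: {text!r}")
    delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
    return -delta if m.group(1) == "-" else delta

def to_local(log_text, gmt_offset):
    """Return (rows, skipped): rows are dicts with date/time shifted to local time."""
    shift = parse_offset(gmt_offset)
    fields, rows, skipped = None, [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#"):
            continue                           # other directives and blank lines
        values = line.split()
        if fields is None or len(values) != len(fields):
            skipped.append(lineno)             # truncated or malformed record
            continue
        row = dict(zip(fields, values))
        try:
            utc = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            skipped.append(lineno)
            continue
        local = utc + shift                    # may roll over to the previous/next day
        row["date"], row["time"] = local.strftime("%Y-%m-%d"), local.strftime("%H:%M:%S")
        row["utc"] = utc.isoformat() + "Z"     # keep the logged value for correlation
        rows.append(row)
    return rows, skipped

if __name__ == "__main__":
    rows, skipped = to_local(SAMPLE_LOG, "-0800")
    for r in rows:
        print(r["date"], r["time"], r["c-ip"], r["cs-uri"], r["sc-status"], "(UTC", r["utc"] + ")")
    print("skipped lines:", skipped)
```

A fixed offset does not follow daylight-saving changes, so reports that span a changeover need the offset chosen per period.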