Re: Frewall Logs Growing Too Large, Can I filter?

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 6 Feb 2006 08:51:48 -0800

It's pretty simple.
Since you can choose to log on a per-rule basis, you can:
1. create a URL set that contains the URLs used by this app 
2. create a rule that allows this URLSet from the noisy box
3. disable logging for this rule

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Kincer, Rick [mailto:Rick_Kincer@xxxxxxxxxx] 
Sent: Monday, February 06, 2006 08:38
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

http://www.ISAserver.org


Thanks for the response Jim,

Very good point! Unfortunately, been-there-done-that..P I've mentioned that to 
InfoSec quite a few times, but I've still been tasked to remove the items from 
the logs and they'll handle it with documentation, the auditors and lawyers to 
make it "acceptable"...Anyway, I'll leave that up to them; as long as I have the 
e-mails requesting this work be done I'm covered. So I'll take my certs, fold 
them into a paper airplane and glide them off the roof...<g>.

With that said...do you have any rabbits to pull from your hat to complete such 
a task?


Thank you,
________________________________
Rick Kincer 



-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Tuesday, December 13, 2005 9:39 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

You're still looking at it the wrong way.
If the relevant managers are interested in the log reports, then they're also 
interested in using them for potential firing decisions.
If you have anything that modifies the log content, you've just ruined the 
evidentiary value of the ISA logs.

What you can do is reduce log size by only logging the field data that is 
relevant to HR or legal actions.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Kincer, Rick [mailto:Rick_Kincer@xxxxxxxxxx]
Sent: Tuesday, December 13, 2005 5:03 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

Thanks for the reply Joseph and Thor,

I have suggested switching over to SQL, but the reporting software used by our 
ISO department needs the logs in the W3C Extended format; the software combines 
those logs with our content filtering software logs, generating reports which 
are handed out to managers as they request them, so I'm stuck with all switches 
on and plain text logs. It wasn't too bad until they added this one application 
that reports externally; it's responsible for probably close to a gig a day, 
that's why I was hoping to not log those transactions at all...

I was thinking about trying to find a script that could go into the logs and 
delete those entries at the end of each day...

I appreciate the help! I'm archiving these tips for when we do switch to SQL. 
Actually I can use this for another app I have that uses SQL generating large 
logs.

Thanks again!!


Thank you,
________________________________
Rick Kincer
Sr. Network Analyst, GSEC, MCP, MCSE
IT Operations
The Cincinnati Insurance Companies
513-603-5713
Law #5: Eternal vigilance is the price of security. 
Law #9: Security isn't about risk avoidance; it's about risk management.

ref: The Ten Immutable Laws of Security Administration, Scott Culp, Program 
Manager, Microsoft Security Response Center
-----Original Message-----
From: JosephK [mailto:josephk@xxxxxxxxx]
Sent: Saturday, December 10, 2005 5:55 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

I'm dealing with terabytes of ISA logs. What you need to do when setting up a 
structure for logging is keep anywhere from 10 - 90 days of log information in 
SQL if you have the capacity. In SQL turn on "simple" by selecting properties on 
your db, then options, and select "simple" for log recovery. If you don't do 
that with ISA logging your transaction log file will grow very fast, and it's a 
big job working with that anyway.

Then on a daily, weekly, monthly, quarterly and yearly basis you can do group 
by's and sums on your various data that really starts cutting out the crap.

You will also need to structure a FIFO pruning of the data tables that you 
create on a daily basis after your data is parsed and split into appropriate 
tables for further analysis (OLAP, etc.).

Joseph
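An added example, not code from any of the posters: Joseph's "group by and sum" idea applied to the plain-text W3C Extended logs Rick says he is stuck with, so the destination that is inflating the log can be measured without altering the log file (which, as Jim notes, would hurt its evidentiary value). The log sample and its field names are constructed for the example, not taken from ISA's own schema; the parser follows whatever the `#Fields:` directive declares.

```python
# Added example (not code from any of the posters): Joseph's "group by and
# sum" over the plain-text W3C Extended logs Rick is stuck with, to show which
# destination is inflating the log without altering the log file itself.
# Field names are from a constructed sample, not ISA's schema.
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample log; '-' is the W3C marker for "no value".
SAMPLE_LOG = """\
#Software: constructed-sample
#Version: 1.0
#Fields: date time c-ip cs-username r-host r-port sc-bytes sc-status
2005-12-09 08:00:01 10.1.1.5 rick updates.example-app.invalid 80 5120 200
2005-12-09 08:00:02 10.1.1.5 rick updates.example-app.invalid 80 4096 200
2005-12-09 08:00:03 10.1.1.7 jane www.isaserver.org 80 20480 200
2005-12-09 08:00:04 10.1.1.5 rick updates.example-app.invalid 80 - 304
2005-12-09 08:00:05 10.1.1.9 - www.techgenix.com 80 1024 200
"""

def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict per entry, keyed by the names in the last #Fields: line."""
    fields, records = [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                 # directive line, not an entry
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            raise ValueError(f"entry does not match #Fields: {line!r}")
        records.append(dict(zip(fields, values)))
    return records

def volume_by_key(records, key="r-host", size_field="sc-bytes"):
    """Group entries by `key`; value is (entry count, summed bytes), '-' counts as 0."""
    totals: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for rec in records:
        k, size = rec.get(key, "-"), rec.get(size_field, "-")
        totals[k][0] += 1
        totals[k][1] += 0 if size == "-" else int(size)
    return {k: (c, b) for k, (c, b) in totals.items()}

def top_talkers(log_text: str, n: int = 3) -> List[Tuple[str, Tuple[int, int]]]:
    """The n keys with the most entries (bytes as tie-break), highest first."""
    stats = volume_by_key(parse_w3c(log_text.splitlines()))
    return sorted(stats.items(), key=lambda kv: (-kv[1][0], -kv[1][1], kv[0]))[:n]
```

Run `top_talkers(open("firewall.log").read())` against a real day's log to see which destination dominates; the same grouping works on any other field (client IP, username) by changing `key`.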

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Friday, December 09, 2005 8:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

You might want to look into logging to a SQL database...

That way you can "prune" retained log entries to suit your needs.  I choose to 
log my Web Proxy logs (ISA 2004) to a SQL database; however, the DB gets really 
big really fast (about 1gig per day for me).  Part of that is because of the 
poor table design of the OOB .sql file, and part of it is sheer data.

I have my own "custom" table that I post specific log data into every night 
with only the type of records I'm interested in from the day's activity so that 
my managers can review what their people are doing (if they want to). 
I then delete any records over 7 days old from the "raw" table. In this way, I 
keep a week's worth of rolling data in the raw logs, with daily updated records 
for usage.

t


-----
"And yet, even if one person finds his way... that means there is a Way.  Even 
if I personally fail to reach it."

Mr. Nobusuke Tagomi
Top Place, Ranking Imperial Trade Mission Pacific States of America

----- Original Message -----
From: "Kincer, Rick" <Rick_Kincer@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, December 09, 2005 7:54 AM
Subject: [isalist] Frewall Logs Growing Too Large, Can I filter?


> Hello,
> We are running ISA 2000 Enterprise with the newest SP, all users must
> authenticate and also we are using Web Proxy and the Firewall client for
> Winsock traffic from the workstations. The issue I am having is the users
> have an application that must run through the FWC to get updates and send
> updates, unfortunately this app goes out to the Internet so often that our
> firewall log now grows way too large.
>
> My question: Is there a way to filter out certain things from being logged
> without removing one of the checkmarks from the filter settings, thus
> filtering out other entries that I need from other traffic?
>
> Thank you,
>
> Rick
>
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> thor@xxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 

