Re: Frewall Logs Growing Too Large, Can I filter?

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 28 Feb 2006 06:32:50 -0800

Sorry - that was 2004 (URLSet), but if you change it to "Destination
Set", you get the same behavior.

-----Original Message-----
From: Kincer, Rick [mailto:Rick_Kincer@xxxxxxxxxx] 
Sent: Tuesday, February 28, 2006 6:17 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

http://www.ISAserver.org

Good morning Jim,

Are you referring to 2000 or 2004?

Thank you,
________________________________
Rick Kincer
Sr. Network Analyst, MCP, MCSE, GSEC, GCIH
IT Operations
The Cincinnati Insurance Companies
513-603-5713 
If you know the enemy and know yourself, you need not fear the result of a hundred battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every battle.
Sun Tzu, The Art of War.

Confidentiality Notice: The information included in this e-mail, including any attachments, is for the sole use of the intended recipient and may contain confidential and privileged information. Any unauthorized review, use, disclosure, distribution or similar action is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the original message immediately.

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Monday, February 06, 2006 11:52 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

http://www.ISAserver.org

It's pretty simple.
Since you can choose to log on a per-rule basis, you can:
1. create a URL set that contains the URLs used by this app 
2. create a rule that allows this URLSet from the noisy box
3. disable logging for this rule

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Kincer, Rick [mailto:Rick_Kincer@xxxxxxxxxx] 
Sent: Monday, February 06, 2006 08:38
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

http://www.ISAserver.org


Thanks for the response Jim,

Very good point! Unfortunately, been-there-done-that... :P I've mentioned that to InfoSec quite a few times but I've still been tasked to remove the items from the logs and they'll handle it with documentation, the auditors and lawyers to make it "acceptable"... Anyway, I'll leave that up to them; as long as I have the e-mails requesting this work be done I'm covered. So I'll take my certs, fold them into a paper airplane and glide them off the roof... <g>.

With that said... do you have any rabbits to pull from your hat to complete such a task?


Thank you,
________________________________
Rick Kincer 



-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Tuesday, December 13, 2005 9:39 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

http://www.ISAserver.org

You're still looking at it the wrong way.
If the relevant managers are interested in the log reports, then they're also interested in using them for potential firing decisions.
If you have anything that modifies the log content, you've just ruined the evidentiary value of the ISA logs.

What you can do is reduce log size by only logging the field data that is relevant to HR or legal actions.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------
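The point Jim makes above is that the way to shrink the log is at the source (fewer fields, or no logging for the noisy rule) rather than by deleting records after the fact. The script below is an added example for this thread, not code from the list or from Microsoft: it reads a copy of a W3C Extended web-proxy log, reports which destination host is producing the record volume and how many bytes each log field costs, so the decision about what to stop logging can be made from numbers. The sample log lines and the #Fields list are constructed for the example; ISA writes whatever fields are checked in the log properties, so the parser takes the field layout from the #Fields directive instead of assuming one. REVIEW_FIELDS is likewise an assumption about what an HR/legal review would need.

```python
"""Measure an ISA web-proxy W3C Extended log instead of editing it.

Added example; not code from the ISAserver.org thread or from Microsoft.
It never rewrites the log: it parses a copy, reports which destination host
is producing the volume and how many bytes each field costs, so the fix can
be applied at the source rather than by deleting records afterwards.
"""
from collections import defaultdict

# Constructed sample. The #Fields list is an assumption: ISA writes whatever
# fields are checked in the log properties, so the parser reads the directive
# rather than hard-coding a layout. "-" is the W3C marker for an empty field.
SAMPLE_LOG = (
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2000\n"
    "#Version: 1.0\n"
    "#Date: 2005-12-09 00:00:00\n"
    "#Fields: c-ip cs-username date time r-host r-port time-taken "
    "cs-bytes sc-bytes cs-protocol s-operation cs-uri sc-status\n"
    "10.1.1.5 CORP\\rick 2005-12-09 08:00:01 www.isaserver.org 80 120 345 5120 http GET http://www.isaserver.org/ 200\n"
    "10.1.1.5 CORP\\rick 2005-12-09 08:00:02 www.isaserver.org 80 90 301 2048 http GET http://www.isaserver.org/faq 200\n"
    "10.1.1.9 CORP\\svc-app 2005-12-09 08:00:02 updates.example.com 443 15 401 402 https CONNECT updates.example.com:443 200\n"
    "10.1.1.9 CORP\\svc-app 2005-12-09 08:00:03 updates.example.com 443 15 401 402 https CONNECT updates.example.com:443 200\n"
    "10.1.1.9 CORP\\svc-app 2005-12-09 08:00:04 updates.example.com 443 15 401 402 https CONNECT updates.example.com:443 200\n"
    "10.1.1.9 CORP\\svc-app 2005-12-09 08:00:05 updates.example.com 443 15 401 - https CONNECT updates.example.com:443 407\n"
)

# Fields an HR/legal review of proxy use typically needs (assumption).
REVIEW_FIELDS = ["date", "time", "c-ip", "cs-username", "r-host", "cs-uri", "sc-status"]


def parse_w3c(text):
    """Return one dict per record, keyed by the names in the governing #Fields line."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                # A new #Fields line can appear mid-file when the field set
                # changes; every record is read under the most recent one.
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date, #Remark carry no records
        if fields is None:
            raise ValueError("record appears before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch on line: %r" % raw)
        records.append(dict(zip(fields, values)))
    return records


def as_int(value):
    """Numeric field; W3C writes '-' when the value is absent (e.g. a 407 with no body)."""
    return 0 if value == "-" else int(value)


def volume_by_host(records):
    """Map destination host -> (record count, bytes in both directions)."""
    totals = defaultdict(lambda: [0, 0])
    for rec in records:
        host = rec.get("r-host", "-")
        totals[host][0] += 1
        totals[host][1] += as_int(rec.get("cs-bytes", "-")) + as_int(rec.get("sc-bytes", "-"))
    return {host: tuple(v) for host, v in totals.items()}


def log_bytes_by_field(records):
    """Text bytes each field contributes to the file: its value plus one delimiter."""
    cost = defaultdict(int)
    for rec in records:
        for name, value in rec.items():
            cost[name] += len(value) + 1
    return dict(cost)


def projected_size(records, keep):
    """Bytes these records would occupy if only the `keep` fields were logged."""
    cost = log_bytes_by_field(records)
    return sum(cost[name] for name in keep if name in cost)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for host, (count, nbytes) in sorted(volume_by_host(recs).items(), key=lambda kv: -kv[1][0]):
        print("%-25s %4d records %8d bytes" % (host, count, nbytes))
    print("full records: %d bytes; review fields only: %d bytes"
          % (projected_size(recs, list(recs[0].keys())), projected_size(recs, REVIEW_FIELDS)))
```

Run it against a copy of the WEBEXTD*.log files, never the live file, and compare the per-host record counts with the per-field byte costs: the first tells you which rule to stop logging, the second tells you which checkboxes are worth clearing. The original log stays untouched, which is what keeps its evidentiary value.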

-----Original Message-----
From: Kincer, Rick [mailto:Rick_Kincer@xxxxxxxxxx]
Sent: Tuesday, December 13, 2005 5:03 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

http://www.ISAserver.org

Thanks for the reply Joseph and Thor,

I have suggested switching over to SQL but the reporting software used by our ISO department needs the logs in the W3C Extended format; the software combines those logs with our content filtering software logs, generating reports which are handed out to managers as they request them, so I'm stuck with all switches on and plain text logs. It wasn't too bad until they added this one application that reports externally; it's responsible for probably close to a gig a day, that's why I was hoping to not log those transactions at all...

I was thinking about trying to find a script that could go into the logs and delete those entries at the end of each day...

I appreciate the help! I'm archiving these tips for when we do switch to SQL. Actually I can use this for another app I have that uses SQL, generating large logs.

Thanks again!!


Thank you,
________________________________
Rick Kincer
Sr. Network Analyst, GSEC, MCP, MCSE
IT Operations
The Cincinnati Insurance Companies
513-603-5713
Law #5: Eternal vigilance is the price of security.
Law #9: Security isn't about risk avoidance; it's about risk management.

ref: The Ten Immutable Laws of Security Administration, Scott Culp, Program Manager, Microsoft Security Response Center

Confidentiality Notice: The information included in this e-mail, including any attachments, is for the sole use of the intended recipient and may contain confidential and privileged information. Any unauthorized review, use, disclosure, distribution or similar action is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the original message immediately.
-----Original Message-----
From: JosephK [mailto:josephk@xxxxxxxxx]
Sent: Saturday, December 10, 2005 5:55 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

http://www.ISAserver.org

I'm dealing with terabytes of ISA logs. What you need to do when setting up a structure for logging is keep anywhere from 10 - 90 days of log information in SQL if you have the capacity. In SQL turn on "simple" by selecting properties on your db, then options, and select "simple" for log recovery. If you don't do that with ISA logging, your transaction log file will grow very fast, and it's a big job working with that anyway.

Then on a daily, weekly, monthly, quarterly and yearly basis you can do group-bys and sums on your various data, which really starts cutting out the crap.

You will also need to structure a FIFO pruning of the data tables that you create on a daily basis after your data is parsed and split into appropriate tables for further analysis. OLAP, etc.

Joseph

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Friday, December 09, 2005 8:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

http://www.ISAserver.org

You might want to look into logging to a SQL database...

That way you can "prune" retained log entries to suit your needs. I choose to log my Web Proxy logs (ISA 2004) to a SQL database; however, the DB gets really big really fast (about 1 gig per day for me). Part of that is because of the poor table design of the OOB .sql file, and part of it is sheer data.

I have my own "custom" table that I post specific log data into every night with only the type of records I'm interested in from the day's activity so that my managers can review what their people are doing (if they want to). I then delete any records over 7 days old from the "raw" table. In this way, I keep a week's worth of rolling data in the raw logs, with daily updated records for usage.

t


-----
"And yet, even if one person finds his way... that means there is a Way.
Even if I personally fail to reach it."

Mr. Nobusuke Tagomi
Top Place, Ranking Imperial Trade Mission Pacific States of America
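Thor's rolling "raw" table with a nightly "custom" table, and Joseph's group-by summaries with FIFO pruning, are the same pattern. The block below is an added example for this thread, not code from either poster, from the list, or from Microsoft's ISA SQL logging scripts. It uses sqlite3 so it runs anywhere; the two-table layout is an assumption (ISA's own WebProxyLog table has far more columns), and SQL Server specifics such as the "simple" recovery model Joseph mentions have no sqlite equivalent and are not shown. The sample rows are constructed. The one safety property it enforces is the one that matters for Jim's evidentiary point: a raw day is never pruned until its summary row exists, and the retention period is a parameter, so whatever HR and legal agreed to is what the job keeps.

```python
"""Rolling raw table with nightly summary and FIFO prune.

Added example; not code from the ISAserver.org thread, from either poster,
or from Microsoft's ISA SQL logging scripts. Table layout and sample rows
are constructed for the example.
"""
import sqlite3
from datetime import date, timedelta

SCHEMA = """
CREATE TABLE WebProxyLog (           -- "raw" table, one row per request
    logDate    TEXT    NOT NULL,     -- ISO date, so string comparison orders correctly
    clientUser TEXT    NOT NULL,
    clientIP   TEXT    NOT NULL,
    destHost   TEXT    NOT NULL,
    bytesSent  INTEGER NOT NULL,
    bytesRecvd INTEGER NOT NULL,
    resultCode INTEGER NOT NULL
);
CREATE INDEX ix_WebProxyLog_logDate ON WebProxyLog(logDate);
CREATE TABLE DailyUsage (            -- "custom" table the managers actually read
    logDate    TEXT    NOT NULL,
    clientUser TEXT    NOT NULL,
    destHost   TEXT    NOT NULL,
    requests   INTEGER NOT NULL,
    totalBytes INTEGER NOT NULL,
    PRIMARY KEY (logDate, clientUser, destHost)
);
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def load_sample(con, today_iso, days=10):
    """Constructed traffic: `days` days ending today, one user plus one noisy service account."""
    today = date.fromisoformat(today_iso)
    rows = []
    for age in range(days):
        d = (today - timedelta(days=age)).isoformat()
        rows.append((d, "CORP\\rick", "10.1.1.5", "www.isaserver.org", 400, 5000, 200))
        rows.extend((d, "CORP\\svc-app", "10.1.1.9", "updates.example.com", 400, 400, 200)
                    for _ in range(20))
    con.executemany("INSERT INTO WebProxyLog VALUES (?,?,?,?,?,?,?)", rows)
    con.commit()
    return len(rows)


def nightly_job(con, today_iso, keep_days=7):
    """Summarize every completed day not yet in DailyUsage, then FIFO-prune raw
    rows older than keep_days. Returns the number of raw rows deleted."""
    today = date.fromisoformat(today_iso)
    cutoff = (today - timedelta(days=keep_days)).isoformat()
    with con:  # one transaction: a failed summary is never followed by a prune
        con.execute(
            """INSERT INTO DailyUsage (logDate, clientUser, destHost, requests, totalBytes)
               SELECT logDate, clientUser, destHost, COUNT(*), SUM(bytesSent + bytesRecvd)
               FROM WebProxyLog
               WHERE logDate < ?                       -- only completed days
                 AND logDate NOT IN (SELECT logDate FROM DailyUsage)
               GROUP BY logDate, clientUser, destHost""",
            (today_iso,))
        # Prune, but never drop a day that has no summary row behind it.
        cur = con.execute(
            """DELETE FROM WebProxyLog
               WHERE logDate < ?
                 AND logDate IN (SELECT logDate FROM DailyUsage)""",
            (cutoff,))
    return cur.rowcount


def raw_rows(con):
    return con.execute("SELECT COUNT(*) FROM WebProxyLog").fetchone()[0]


def summarized_days(con):
    return con.execute("SELECT COUNT(DISTINCT logDate) FROM DailyUsage").fetchone()[0]


def usage_for(con, user):
    """(requests, bytes) for one account across all summarized days."""
    row = con.execute(
        "SELECT COALESCE(SUM(requests), 0), COALESCE(SUM(totalBytes), 0) "
        "FROM DailyUsage WHERE clientUser = ?", (user,)).fetchone()
    return (row[0], row[1])


if __name__ == "__main__":
    con = open_db()
    print("loaded", load_sample(con, "2005-12-09"), "raw rows")
    print("pruned", nightly_job(con, "2005-12-09"), "raw rows")
    print("raw rows left:", raw_rows(con), "summarized days:", summarized_days(con))
    print("svc-app usage:", usage_for(con, "CORP\\svc-app"))
```

Running the job twice on the same day is safe: the NOT IN guard stops days from being summarized a second time, and the prune finds nothing left below the cutoff. On SQL Server the same two statements go in a scheduled job, with the recovery model set as Joseph describes so the transaction log from the nightly DELETE does not become the next thing that grows without bound.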

----- Original Message -----
From: "Kincer, Rick" <Rick_Kincer@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, December 09, 2005 7:54 AM
Subject: [isalist] Frewall Logs Growing Too Large, Can I filter?


> http://www.ISAserver.org
>
> Hello,
> We are running ISA 2000 Enterprise with the newest SP, all users must
> authenticate and also we are using Web Proxy and the Firewall client for
> Winsock traffic from the workstations. The issue I am having is the users
> have an application that must run through the FWC to get updates and send
> updates, unfortunately this app goes out to the Internet so often that our
> firewall log now grows way too large.
>
> My question: Is there a way to filter out certain things from being logged
> without removing one of the checkmarks from the filter settings, thus
> filtering out other entries that I need from other traffic?
>
> Thank you,
>
> Rick
>
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> thor@xxxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 



All mail to and from this domain is GFI-scanned.

