Sorry - that was 2004 (URLSet), but if you change it to "Destination Set", you get the same behavior.

-----Original Message-----
From: Kincer, Rick [mailto:Rick_Kincer@xxxxxxxxxx]
Sent: Tuesday, February 28, 2006 6:17 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

http://www.ISAserver.org

Good morning Jim,

Are you referring to 2000 or 2004?

Thank you,
________________________________
Rick Kincer
Sr. Network Analyst, MCP, MCSE, GSEC, GCIH
IT Operations
The Cincinnati Insurance Companies
513-603-5713

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
Sun Tzu, The Art of War.

Confidentiality Notice: The information included in this e-mail, including any attachments, is for the sole use of the intended recipient and may contain confidential and privileged information. Any unauthorized review, use, disclosure, distribution or similar action is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the original message immediately.

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, February 06, 2006 11:52 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

It's pretty simple.
Since you can choose to log on a per-rule basis, you can:
1. create a URL set that contains the URLs used by this app
2. create a rule that allows this URLSet from the noisy box
3. disable logging for this rule

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Kincer, Rick [mailto:Rick_Kincer@xxxxxxxxxx]
Sent: Monday, February 06, 2006 08:38
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

Thanks for the response Jim,

Very good point! Unfortunately, been-there-done-that..P I've mentioned that to InfoSec quite a few times but I've still been tasked to remove the items from the logs and they'll handle it with documentation, the auditors and lawyers to make it "acceptable"...Anyway, I'll leave that up to them, as long as I have the e-mails requesting this work be done I'm covered. So I'll take my certs, fold them into a paper airplane and glide them off the roof...<g>.

With that said...do you have any rabbits to pull from your hat to complete such a task?

Thank you,
________________________________
Rick Kincer

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Tuesday, December 13, 2005 9:39 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

You're still looking at it the wrong way.
If the relevant managers are interested in the log reports, then they're also interested in using them for potential firing decisions.
If you have anything that modifies the log content, you've just ruined the evidentiary value of the ISA logs.

What you can do is reduce log size by only logging the field data that is relevant to HR or legal actions.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Kincer, Rick [mailto:Rick_Kincer@xxxxxxxxxx]
Sent: Tuesday, December 13, 2005 5:03 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

Thanks for the reply Joseph and Thor,

I have suggested switching over to SQL but the reporting software used by our ISO department needs the logs in the W3C Extended format; the software combines those logs with our content filtering software logs generating reports which are handed out to managers as they request them, so I'm stuck with all switches on and plain text logs. It wasn't too bad until they added this one application that reports externally, it's responsible for probably close to a gig a day, that's why I was hoping to not log those transactions at all... I was thinking about trying to find a script that could go into the logs and delete those entries at the end of each day...

I appreciate the help! I'm archiving these tips for when we do switch to SQL. Actually I can use this for another app I have that uses SQL generating large logs. Thanks again!!

Thank you,
________________________________
Rick Kincer
Sr. Network Analyst, GSEC, MCP, MCSE
IT Operations
The Cincinnati Insurance Companies
513-603-5713

Law #5: Eternal vigilance is the price of security.
Law #9: Security isn't about risk avoidance; it's about risk management.
ref: The Ten Immutable Laws of Security Administration
Scott Culp, Program Manager, Microsoft Security Response Center

-----Original Message-----
From: JosephK [mailto:josephk@xxxxxxxxx]
Sent: Saturday, December 10, 2005 5:55 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

I'm dealing with terabytes of ISA logs. What you need to do when setting up a structure for logging is keep anywhere from 10 - 90 days of log information in SQL if you have the capacity. In SQL turn on "simple" by selecting properties on your db then options and select "simple" for log recovery. If you don't do that with ISA logging your transaction log file will grow very fast and it's a big job working with that anyway.

Then on a daily, weekly, monthly, quarterly and yearly basis you can do group by's and sums on your various data that really starts cutting out the crap. You will also need to structure a pruning of FIFO for the data tables that you create on a daily basis after your data is parsed and split into appropriate tables for further analysis. OLAP, etc.

Joseph

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Friday, December 09, 2005 8:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Frewall Logs Growing Too Large, Can I filter?

You might want to look into logging to a SQL database... That way you can "prune" retained log entries to suit your needs.

I choose to log my Web Proxy logs (ISA 2004) to a SQL database; however, the DB gets really big really fast (about 1gig per day for me). Part of that is because of the poor table design of the OOB .sql file, and part of it is sheer data. I have my own "custom" table that I post specific log data into every night with only the type of records I'm interested in from the day's activity so that my managers can review what their people are doing (if they want to). I then delete any records over 7 days old from the "raw" table.
In this way, I keep a week's worth of rolling data in the raw logs, with daily updated records for usage.

t

-----
"And yet, even if one person finds his way... that means there is a Way. Even if I personally fail to reach it."
Mr. Nobusuke Tagomi
Top Place, Ranking Imperial Trade Mission
Pacific States of America

----- Original Message -----
From: "Kincer, Rick" <Rick_Kincer@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, December 09, 2005 7:54 AM
Subject: [isalist] Frewall Logs Growing Too Large, Can I filter?

> Hello,
> We are running ISA 2000 Enterprise with the newest SP, all users must
> authenticate and also we are using Web Proxy and the Firewall client for
> Winsock traffic from the workstations. The issue I am having is the users
> have an application that must run through the FWC to get updates and send
> updates, unfortunately this app goes out to the Internet so often that our
> firewall log now grows way too large.
>
> My question: Is there a way to filter out certain things from being logged
> without removing one of the checkmarks from the filter settings, thus
> filtering out other entries that I need from other traffic?
>
> Thank you,
>
> Rick
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> thor@xxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
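
The nightly roll-up and seven-day prune that Thor and JosephK describe in the thread above, as an added example that is not part of any poster's message or anyone's actual setup. SQLite stands in for SQL Server so it runs anywhere; the table names, column names and sample rows are hypothetical and constructed.

```python
import sqlite3
from datetime import datetime, timedelta

RETENTION_DAYS = 7  # the thread keeps one rolling week of raw records

# Hypothetical schema: a raw table fed by the proxy and a custom summary table.
SCHEMA = """
CREATE TABLE raw_log (log_time TEXT, username TEXT, dest_host TEXT, bytes INTEGER);
CREATE TABLE daily_usage (day TEXT, username TEXT, dest_host TEXT,
                          requests INTEGER, bytes INTEGER,
                          PRIMARY KEY (day, username, dest_host));
"""

def nightly_job(conn, today):
    """Summarise yesterday's raw rows, then prune raw rows past retention.

    Both steps share one transaction, so a failed roll-up never deletes
    raw records that have not been summarised yet.
    """
    day = (today - timedelta(days=1)).strftime("%Y-%m-%d")
    cutoff = (today - timedelta(days=RETENTION_DAYS)).strftime("%Y-%m-%d 00:00:00")
    with conn:  # commit on success, roll back on any exception
        conn.execute(
            """INSERT OR REPLACE INTO daily_usage
               SELECT ?, username, dest_host, COUNT(*), SUM(bytes)
               FROM raw_log WHERE substr(log_time, 1, 10) = ?
               GROUP BY username, dest_host""", (day, day))
        pruned = conn.execute(
            "DELETE FROM raw_log WHERE log_time < ?", (cutoff,)).rowcount
    return pruned

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [  # constructed sample records
        ("2005-12-08 09:00:01", "alice", "updates.example.com", 500),
        ("2005-12-08 09:05:00", "alice", "updates.example.com", 700),
        ("2005-12-08 10:00:00", "bob", "www.example.org", 300),
        ("2005-12-01 23:59:59", "bob", "www.example.org", 100),  # past retention
        ("2005-12-02 00:00:00", "bob", "www.example.org", 100),  # at cutoff, kept
    ]
    conn.executemany("INSERT INTO raw_log VALUES (?, ?, ?, ?)", rows)
    pruned = nightly_job(conn, datetime(2005, 12, 9))
    summary = conn.execute("SELECT * FROM daily_usage ORDER BY username").fetchall()
    remaining = conn.execute("SELECT COUNT(*) FROM raw_log").fetchone()[0]
    return pruned, summary, remaining

if __name__ == "__main__":
    print(demo())
```

The summary table survives the prune, so reporting keeps working after the raw rows age out, while the raw table stays bounded at one week.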