RE: Log entries on web-published IIS server
- From: "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 4 Dec 2003 21:16:47 +0100
Thanks Tom & Jim and everybody else for their input.
I think we're going to combine the logs by means of an sql query to see
who's been active within a certain resource at a given time.
Tom, the idea is to benefit from the comprehensive (and app specific)
log on IIS, while at the same time being able to record the originating
ip address. ISA logs only details the traffic, but gives very little
information about what happens at a higher level (though this could be
reconstructed with some parsing).
Mark
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Posted At: Thursday, December 04, 2003 12:08 PM
> Posted To: www.isaserver.org
> Conversation: [isalist] RE: Log entries on web-published IIS server
> Subject: [isalist] RE: Log entries on web-published IIS server
>
>
> http://www.ISAserver.org
>
> Hi Mark,
>
> Why not just analyze the log file on the ISA firewall? Webspy has been
> working pretty good for me.
>
> HTH,
> Tom
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server 2004 Beta - Coming Soon
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
>
>
>
>
> -----Original Message-----
> From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> Sent: Thursday, December 04, 2003 3:03 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Log entries on web-published IIS server
>
>
> http://www.ISAserver.org
>
> Sure, but with heavy use it can be a pain to correlate those two log
> files. In this case there's an app that logs it's activities
> (well quite
> like a message board where ip logging is enabled), so in fact
> you had a
> very comprehensive log file if the ip address would be of any use.
>
> Switching over to server publishing would not only impose technical
> difficulties (e.g. no link translation or destination sets), it would
> also move a possible defense point one level deeper into the network.
>
> I hoped there was something I had been missing, like the "use original
> ip address" option box :P
>
>
> What would be your preferred solution to make log analysis easier?
> Especially for this kind of scenario?
>
>
>
> Thanks again.
> Mark
>
>
> > -----Original Message-----
> > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > Posted At: Thursday, December 04, 2003 5:27 AM
> > Posted To: www.isaserver.org
> > Conversation: [isalist] RE: Log entries on web-published IIS server
> > Subject: [isalist] RE: Log entries on web-published IIS server
> >
> >
> > http://www.ISAserver.org
> >
> > Correct; and you get the benefit of the impervous web proxy
> > service as well...
> >
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> >
> >
> > On Wed, 3 Dec 2003 20:08:24 -0700
> > "Peter Pape" <papexpjboi@xxxxxxx> wrote:
> > http://www.ISAserver.org
> >
> > NachrichtThe Web Proxy Log on the ISA Server will show the IP
> > address of the 'stroller?' I think?
> > ----- Original Message -----
> > From: Mark Hippenstiel
> > To: [ISAserver.org Discussion List]
> > Sent: Wednesday, December 03, 2003 3:25 PM
> > Subject: [isalist] RE: Log entries on web-published IIS server
> >
> >
> > http://www.ISAserver.org
> >
> > ok, let me extend this a bit further. If I wanted to see
> > who's strolling along what would I need to do?
> > -----Original Message-----
> > From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> > Posted At: Wednesday, December 03, 2003 11:22 PM
> > Posted To: www.isaserver.org
> > Conversation: [isalist] Log entries on web-published IIS server
> > Subject: [isalist] RE: Log entries on web-published IIS server
> >
> >
> > http://www.ISAserver.org
> >
> > quick answer....yes
> >
> >
> >
> > --------------------------------------------------------------
> > --------------
> > From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> > Sent: Wednesday, December 03, 2003 5:13 PM
> > To: Isa Weblist
> > Subject: [isalist] Log entries on web-published IIS server
> >
> >
> > http://www.ISAserver.org
> >
> > Just a quick question:
> >
> > Is it correct that a web-published IIS will only record
> > the ip address of isa server in its logs?
> >
> > Thanks
> > Mark
> >
> > ------------------------------------------------------
> > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> > Discussion List as: steve@xxxxxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> > ------------------------------------------------------
> > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> > Discussion List as: isaserver@xxxxxxxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> >
> >
> > --------------------------------------------------------------
> > --------------
> > This E-Mail is confidential. It is not intended to be
> > read, copied, disclosed or used by any person other than the
> > recipient named above.
> >
> >
> > Unauthorised use, disclosure, or copying is strictly
> > prohibited and may be unlawful. Optimum IT Solutions
> > disclaims any liability for any action taken in connection of
> > this E-Mail. The comments or statements expressed in this
> > E-Mail are not necessarily those of Optimum IT Solutions or
> > its subsidiaries or affiliates.
> >
> > administrator@xxxxxxxxxxxxxxxxxxxxxxxxxx
> >
> >
> > --------------------------------------------------------------
> > --------------
> >
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> > Discussion List as: papexpjboi@xxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: jim@xxxxxxxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: isaserver@xxxxxxxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: isaserver@xxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
>
Other related posts:
