OMG thats classic..
I too would like to know that of which he asks, oh great Tim!..
I concur with the sentiments relating to lockdown and sql logging..\
I think someone needs a hug...
------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! -------------------------------------------------------
Actually, it doesn't steam me in the least. While I can perceive the value of the lockdown feature, it adds no value to my environment-- I have no problem at all disabling it. In fact, it's been disabled since I began logging to SQL on my servers (long time now). No worries here.
The whole thing got started when I was simply trying to identify to the ISA group that when logging to SQL, ISA's lockdown mode is "trigger happy" when certain maintenance takes place on the server- that "maintenance" can be the purging of "fluff" in the WebProxyLog, performing a mass update of data in the logs, or even regular DB Maint jobs that re-index, optimize, shrink db's, etc. It's not about trimming logs, purging logs, or anything to "solve" ISA logging issues- it can be something that doesn't even involve ISA logs per se.
It was the identification that, in the real-world, "ISA Logging to SQL == Disabled Lockdown Mode" is the inevitable result in all the cases I examined. I didn't even say that was a bad thing- I'm quantifying it, not qualifying it. Like I said, I don't really care about lockdown mode. I was just pointing out that if lockdown mode was going to be considered an important feature to enterprise customers, (which I have seen it be) then the end user is going to require better, customizable options regarding the parameters used when ISA logs to SQL, or else they will be forced to disable it. You can't tout a feature as important if it will ultimately require disabling when deployed. That's all.
The only time I got close to being "steamed" was when recommendations kept coming back regarding how to fix the "fluff" issues. I've already fixed the fluff issues. I said that several times. I was asking for detailed information on the criteria ISA uses to initiate lockdown when logging to SQL, not how to address log cruft, structure tables, or when to run maintenance jobs. My goal was to gain information on how to build a robust, dependable connection that would endure "standard," every-day loads, not on how to avoid using the connection in those environments.
That's it. Done over here ;)
t
On 7/10/06 10:32 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
Why get steamed? Seems purdy easy to me.
Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls
-----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Monday, July 10, 2006 12:28 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: [ISAServer] Firewall database corruption due to power outtage
Nope - just a workaround that makes Tim all steamy.
------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! -------------------------------------------------------
-----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Monday, July 10, 2006 09:20 To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: [ISAServer] Firewall database corruption due to power outtage
Then that would fix it? Right?
Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls
spoketh to all:-----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) Sent: Monday, July 10, 2006 11:15 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: [ISAServer] Firewall database corruption due to power outtage
Right... That's what I said... Disable lockdown.
t
On 7/10/06 8:29 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx>(Hammer of
Like unto thusly:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/dis ablelockdownonlo[mailto:isapros-bounce@xxxxxxxxxxxxx] Ongfailure.mspx
------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! -------------------------------------------------------
-----Original Message----- From: isapros-bounce@xxxxxxxxxxxxxcorruption due to powerBehalf Of Thomas W Shinder Sent: Monday, July 10, 2006 08:10 To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: [ISAServer] Firewall databaseouttage
Log Failure Alert.
Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls
-----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thorkept goingcorruption due toGod) Sent: Monday, July 10, 2006 9:24 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: [ISAServer] Firewall database<tshinder@xxxxxxxxxxx> spokethpower outtage
What do you mean "the alert?" What alert?
t
On 7/10/06 7:21 AM, "Thomas W Shinder"due to powerto all:
the system intoHi Tim,
But you can do that by configuring the Alert to not sendlockdown.
Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls
-----Original Message----- From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] Sent: Monday, July 10, 2006 9:16 AM To: Adar Greenshpon; ISA-MVP; Avi Sander; Nathan Bigman Subject: Re: [ISAServer] Firewall database corruptionouttage
I guess I misunderstood. The "mentioned below" itemswith why ISAback to how to remove the fluff, rather than dealingISA. Youinformationgoes into lockdown so readily. I've still not seen anyon how/when/why ISA goes into lockdown when logging toincorrect, so I washad indicated that the other information wasI'll stillWhen thestanding by for that info.
It doesn't matter if you put it in a different database.rebuilds indexes,optimization plan (you know, the "normal" plan thatinsures integrity, etc) runs, ISA goes into lockdown. Even if I waited a week in between times that I purged the data,which may lockdue to power<Adar.Greenshpon@xxxxxxxxxxxxx>have to perform some maintenance, and the system would still go into lockdown.
The solution is to disable lockdown.
Thanks!
t
On 7/10/06 12:13 AM, "Adar Greenshpon"connectivityspoketh to all:
Thor: as I've indicated below, we plan on improving thelimitation and yourissue you raised. Given the current SQL logginglog into twodeployment, might it be possible to split the webproxydatabases: one for historical purposes and one for currentevents. Theheavy-weight maintenance could be done on the former onewhile the laterone would be available for ISA to dump logs into.
-----Original Message----- From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] Sent: Monday, July 10, 2006 1:50 AM To: ISA-MVP; Avi Sander; Adar Greenshpon; Nathan Bigman Subject: Re: [ISAServer] Firewall database corruptionISA invokewas gettingouttage
Yes, Jim... Thank you. Sorry that I got so short, but Inot the *real*quite frustrated trying to make the same point over and over again.
The focus need not be on "how to trim the logs." That'sissue. The focus needs to be: "Regarding lockdown, whatfactors are inplay when ISA logs to SQL, and under what circumstances doesin SQL 2005Let's saylockdown when posting to a SQL DB?"
Let's put the padding issues *totally* out of the picture.about how muchthat I've got TB's of storage and that I could not care lessHowever, I mustfluff is in my WebProxyLog-- let it get as big as it wants.during classic dbback it up. I've also experienced ISA going into lockdownmaintenance like backing up, re-indexing, optimizing size,etc. Theseprocesses must be run regardless of the presence of"padding issues" ornot. In fact, even if the padding problem is solved in ISA2006, in combination with or exclusive of contributing options(which I'm migrating to as I type), ISA will still go into lockdown when the SQL server engages in processesas a toolconcern speaksthe db, or delay response in some way.
Again- (and hopefully someone will listen this time) theenterprise. Ifto the "real world" usability of "lockdown mode" within theMicrosoft intends to tout the lockdown feature of ISAintegrity, thenenterprise clients can use to ensure evidentiarymay not haveor it willyoumust addressreal-world processesthe mode's "survivability" during standard, everyday,that must be run on the SQL servers the ISA box is logging to,simply not be used. This relates to processes that may orthe primaryenterprise, then thisanything to do with the log files themselves.
If nobody cares if lockdown is utilized in thecustomers with athread is done. If, however, the goal is supply enterprise<Jim.Harrison@xxxxxxxxxxxxx>lockdown mode they can use, then user-defined connectionparameters mustbe provided in order to customize the lockdown threshold to our environments.
T
On 7/9/06 9:28 AM, "Jim Harrison (ISA)"alert" and "Iisn't so muchspoketh to all:
It may help in the short run, but the issue Tim raiseswait while the"how much data is being logged", but "how long ISA willlogging process fails to respond before it raises andestination (SQL,wannais some wayset this trigger point".
What he's asking for (as have more than a few customers)foralert limit thatthe user to specify a "almost choking on my own data"could be used to move ISA logging to an alternate<product deleted>more. What wefile, bitbucket) until the primary logger responds oncebit too late.have now is a "choked on my own data" alert, which is a
In fact, I've seen one unfavorable comparison towherethey actually: 1. fail over to a backup logging process 2. monitorreappears 4. importlogger 3. fail back when the primary loggerhttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlrwilling tostore as athe alternate-store log data into the primarythat our alertlow-pri part of the fail-back.
Techincally, this is scriptable, except for the facthappens too late (and isn't "tweakable"). If one wereand go intodue to powera script istolerate the momentary traffic block that's created today,aworkable solution (except for the "pre-panic" factor).
Jim Harrison SASD (ISA SE) If We Can't Fix It - It Ain't Broke!
-----Original Message----- From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:sbradcpa@xxxxxxxxxxx] Sent: Sunday, July 09, 2006 2:22 AM To: isaserver@xxxxxxxxxxxxxxx Cc: Avi Sander; Adar Greenshpon; Nathan Bigman Subject: Re: [ISAServer] Firewall database corruptionouttage
Shouldn't depadding not cause the system to freak outfact he has tolockdown? That's his real point.. not necessarily thedothe process
it..but the fact that ISA is there locking itself down inspoketh to....
Thor (Hammer of God) wrote:
Never mind. Not sure why I bother...
t
On 7/9/06 12:01 AM, "Avi Sander" <asander@xxxxxxxxxxxxx>all:
Hi Thor -
Please see
my Blackhatshould be setoption. This canef/ts_set-set_2uw7.asp .
It describes how one can toggle the ANSI_PADDINGcontrol how fields are padded\trimmed in SQL, butpriordue to powertotbl creation.
- avi -----Original Message----- From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] Sent: Friday, July 07, 2006 6:23 PM To: Avi Sander; Adar Greenshpon; ISA-MVP Cc: Nathan Bigman Subject: Re: [ISAServer] Firewall database corruptionsolved* theouttage
I think we're getting off track a little here...
I appreciate the link to that "fix," but I've *alreadypadding issue. I've been including a script for that inWhen the DBthe defaulttrainingsfor years. To that effect, simply trimming the data inadministrator, Itableefficientisn't the best way to go, IMO. The data structure is not veryto"trim data"structure,begin with (for my needs). I've created my own (better designed)and trim the data as I post into that table (and there is noDSNoption that I know of). But that's OK-- as anprovide thefit my needs*expect*that I will have to adjust logging processes to better(just like I do with IIS logs that I post to SQL). You guystrim the data*retained datamechanism, and I customize it to suit me. Like I said, my yearlytodate is only 10 gig. No problems.
What I'm saying is that *when I run the process toISAwere talkinggoes into "lockdown." This whole thing got started when welogging toabout lockdown mode, and how "trigger happy" it is when one isThe paddingSQL.
I only brought it up in an effort to identify this: If a customer logs to SQL, there is a padding problem.problem *requires* DB maintenance processes to control.several thousandmaintenanceis executed against any DB of consequence (justthey want usebecause of therecordsseems to be enough), ISA goes into lockdown, presumablyparsing out"lag"created by server load when the SQL server goes aboutgigscluster (whichof fluff data. This is true even on my production SQLisThus, I waskickass, mind you ;) so it's not a "hardware" problem.forced to disable lockdown.
Therefore, IF a customer is logging to SQL, ANDfields' thatISA2006 SE,available."lockdown"THEN better user-definable timeout parameters need to beThat's all I was saying.
Of course, since you have identified that ISA2004 EE,SE. But Iandthen it allISA2006 EE properly trim data before posting it to SQL,seems to be a moot point, right? ;)
The main box posting web access is currently ISA 2004thinkalong withI've got a copy of ISA 2004 EE that I picked up in Hong Konganhappens. (jk;) I'llold Rush CD that I'll throw on that guy and see whatspoketh toletyou guys know what happens.
Thx t
On 7/7/06 12:29 AM, "Avi Sander" <asander@xxxxxxxxxxxxx>all:
there's also an option on the ODBC DSN : 'trim(unless youisaserver@xxxxxxxxxxxxxxxpartially
helps,
if i recall correctly. I'll look into this further
________________________________
From: Adar Greenshpon Sent: Fri 07/07/2006 09:07 To: Avi Sander; Thor (Hammer of God);think that'sdue to powerCc: Nathan Bigman Subject: RE: [ISAServer] Firewall database corruption
outtage
Thor,
Per the excessive padding, see this thread: http://forums.isaserver.org/m_140009200/tm.htm - IAvi pointedwhat
you're
looking for as we already heard this a few times (asexist thereout,versions). Nathan
the
problem does not exist in ISA 2004EE or ISA 2006-due to power
will an
official KB help here?
Adar.
________________________________
From: Avi Sander Sent: Friday, July 07, 2006 12:27 AM To: Thor (Hammer of God) Cc: Adar Greenshpon Subject: RE: [ISAServer] Firewall database corruptionand use oledb
outtage
OK - that explains it.
This is a known SQL ODBC interfacing issue.
ISA 2004 EE and ISA2006 SE & EE moved away from ODBC
interfaces
for SQL server logging instead. This issue does notyou with athe threadincreased).
anymore as it
is all trimmed by design (and throughput is also greatly
The 2 potential causes of errors i mentioned earlier inlogging, and not to
(buffers
full, 4 retries) are only relevant to the OLEDB
your ISA -
my bad.
let me check with the ISA2004 SE code and get back todue to power
better
picture...
-avi
________________________________
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] Sent: Thu 06/07/2006 23:12 To: Avi Sander Subject: Re: [ISAServer] Firewall database corruptionISA2006 yet, but
outtage
These are ISA2004 SE boxes. I haven't tried withI'mrunning it here at The Yeti and can check it outSQL from ISA.measured inalreadyspoketh toknow...)
t
On 7/6/06 2:08 PM, "Avi Sander" <asander@xxxxxxxxxxxxx>due to power
all:
Hey Thor -
What ISA version are you using? and whichSKU: SE or EE?
-avi
________________________________
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] Sent: Thu 06/07/2006 18:39 To: Adar Greenshpon; ISA-MVP; Avi Sander Subject: Re: [ISAServer] Firewall database corruptiondirect gigabit
outtage
Hi Adar-
Yes, logs going to an external SQL 2000 cluster viaonly got 120
switched
link. And log retention is permanent. Though I'velike many,
employees,
we have tight policies on Internet usage and abuse and I,honored, as well as
must keep
access logs to ensure these policies are beingtrust that
for any
number of potential legal issues that might arise. Iyou
are not
suggesting that ISA log retention via SQL should bementioned- it isdays,
right?
;)
Let me go into more detail about the "fluff" Inotis actual
so much
the "gigs of logs" as it would relate to real data- it
"fluff:"
Extra, padded spacing in the fields posted tortrim(ClientUserName),rtrim(ClientAgent),rtrim(DestHost),rtrim(DestHosClientUserName,ClientAgent,DestHost,DestHostIP,SrcNetwork,DstNetworkanalyze ofThoughis some bad
you guys
have defined the fields in SQL as nvarchar data, theresomething like SQL
mojo in
the logging process. Cursory review of the data in
Query
Analyzer may not immediately reveal this, but binarysingle row oftheI am talking
data
files do.
I've created some example text files to simplify what
about
(Attached as SQL1.txt and SQL2.txt).
Consider the following simple query to retrieve abasic
data
from the WebProxyLog as stored by ISA:
"select
fields arehere as well)
from WebProxyLog where LogID=10133541"
(SQL1.txt contains the results, but I'll paste them<begin paste> ANCHORSIGN\yomomma PGP update.pgp.com 63.251.255.18 VPN Clients External
</end paste>
Notice all the extra spacing; again, even though thetypeit up and seenvarchar-- ISA is padding the data. Now, let's trim
what
happens in this query:
"select
paste them)tIP),rt>> r
im(SrcNetwork),rtrim(DstNetwork) from WebProxyLog where
LogID=10133541"
(SQL2.txt contains the results, but again I'lla committed63.251.255.18<begin paste> ANCHORSIGN\yomomma PGP update.pgp.comtrimmed queryVPN
Clients
External </end paste>
The original query results are 934 bytes. Themultiply thatresultsfields from one
are 74
bytes. Just for this simple query, with selectedgreater due to
record, the
storage requirements for this data is 12.62 timesthe
"fluff."
Extend that out to a full logged record, and theninto my owntalking about ontimes
tens of
thousands. *THIS* is the 1-2 gigs of "fluff" I'maI take daily
*daily*
basis.
The "required maintenance" I'm talking about is where
raw data
from the WebProxyLog, trim it up, and then post itlogging whenonly 10 gig.
tables. In my
case, the _yearly_ web proxy log data for my users isgig. When
_Weekly_
"raw" data in the original ISA log format averages 12Ifront end, or
run this
process, I am able to retrieve data via SQA, Accessvia
ADODB
objects, yet ISA will go into lockdown mode whilethisyour ISA logs<Adar.Greenshpon@xxxxxxxxxxxxx>
job runs
at night. That's why I have to turn it off.
I hope that better defines the issue as I see it.
Thanksl T
-- "Tom Shinder pities Mr. T"
On 7/5/06 2:01 AM, "Adar Greenshpon"
spoketh
to all:
Hi Thor,
Just so we'll be on the same page: are you directingIf so, howto
an
external machine with SQL Server (SQL 2000 or 2005)?.dopolicy (e.g. 7
you do
the maintenance? What's your desired log retentionreducing it
days)?
Per the gigs of logs you're doing, have you considereddue to powerby
not
logging images http requests? Adar. __________________________________________ Adar Greenshpon | Program Manager | Microsoft ISA Server adarg@xxxxxxxxxxxxx <mailto:adarg@xxxxxxxxxxxxx>
<mailto:adarg@xxxxxxxxxxxxx>
| Tel: +972.4.856.1077 | SMS/Cell: +972.54.666.4579
________________________________
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] Sent: Tuesday, July 04, 2006 8:55 PM To: Avi Sander Cc: Adar Greenshpon; ISA-MVP Subject: Re: [ISAServer] Firewall database corruptionsure that I'm
outtage
OK- the either/or situation makes more sense. I'mgetting me.not
hitting
the log buffer- the 9 second minimum window is what isyou actively
How exactly do you define a "failure to commit?" Are
looking
for a "failure" code from SQL, or is it the lack ofnever had aerror out.while to get a
transaction
within the time span? I ask because if I am in the middle of DB
maintenance, I can
execute a transaction that might have to wait a
committal, but
SQL knows about the transaction pending and won'tHUGE table
The SQL table structure included in 2004 results insizesper day, so
for web
proxy logging alone. I'm talking gigs worth of fluff
daily DB
maintenance is an absolute requirement. I havelog to SQLmachines.loggingwithout going intotransaction "live" through a maintenance period
lockdown,
hence it being disabled on all my web proxy listenerlockdown? Ifactual log
I understand that the reasoning behind "lockdown" is for
"evidentiary"
reasons, but that seems counter intuitive to me. Theiswhen the system
more
important to me than the absence of a logged eventgoing to see"fail-safe"),
locks
down. So, not only are the services not available (though a
but I
loose any log of any attempt in the meantime. Are we
some more
"user definable" setting in regard to logging andnot,I
don't
see how even mid-size businesses will be able toshouldn't betransaction was(whicheverwithout<asander@xxxxxxxxxxxxx> spoketh to
disabling
the feature.
t
On 7/4/06 5:51 AM, "Avi Sander"
all:
ISA will lockdown if either of the following occursdata into thecomes
1st):
- Four consecutive failures to commit thethis machineDB.secs. So at
Our
default COMMIT timeout is 30 secs. We'll retry every 3default on a
minimum
you've got 9 secs here. - LOG buffers are exhausted\out of memory. Bythere a lot
1GB RAM
machine we'll accumulate tens of thousands of recs. Isof
traffic
going through when this happens? How much RAM doescould reallyrecommendedhave?
What is the event description you see in the EventViewer?
The Log buffers can be extended some more, though notdue to power
since can
use up a lot of memory.
-avi
________________________________
From: Adar Greenshpon Sent: Tuesday, July 04, 2006 2:03 PM To: isaserver@xxxxxxxxxxxxxxx Cc: Avi Sander Subject: RE: [ISAServer] Firewall database corruptionretries until
outtage
Avi - wanna play logging diva? Generally speaking, there are four internal commitISAthe buffers
enters
lockdown. We have seen a few thousand log records inin
these
temporary moments in our stress labs (nothing you<mailto:thor@xxxxxxxxxxxxxxx%5d>
witness on a
normal SBS box though).
Adar. __________________________________________ Adar Greenshpon | Program Manager | Microsoft ISA Server adarg@xxxxxxxxxxxxx <mailto:adarg@xxxxxxxxxxxxx>
<mailto:adarg@xxxxxxxxxxxxx>
| Tel: +972.4.856.1077 | SMS/Cell: +972.54.666.4579
-----Original Message----- From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] <mailto:thor@xxxxxxxxxxxxxxx%5d>due to powerSent: Wednesday, June 28, 2006 8:26 PM To: ISA-MVP Subject: Re: [ISAServer] Firewall database corruptioncan tell you,
outtage
If that is what you guys are expecting to happen, Ibox, anyway.
that
*ain't* the case - not when logging to SQL on anotherseems to be more
There's
no "using as much memory as it can" going on. It
like "I
did not get an acknowledgement that the lastcorruption due toyour "loggingwritten,
and
it's been 2 seconds, so I'm going into lockdown."
I'm looking forward to what info you can get fromuser-changeable), other than<Jim.Harrison@xxxxxxxxxxxxx>
diva."
t
On 6/28/06 8:43 AM, "Jim Harrison (ISA)"spoketh to all:
Actually, it's not a fixed value (orit determines
being
self-regulating. ISA logging will use as much memory as it can untilfoul depends
that
growth is unchecked. Thus, how quickly ISA will cryit up prettyinpart on how much free memory is available.
I'll ask our logging diva for details, but this sums<mailto:thor@xxxxxxxxxxxxxxx%5d>
well.
Jim Harrison SASD (ISA SE) If We Can't Fix It - It Ain't Broke!
-----Original Message----- From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] <mailto:thor@xxxxxxxxxxxxxxx%5d>Sent: Wednesday, June 28, 2006 8:09 AM To: ISA-MVP Subject: Re: [ISAServer] Firewall databaseput ISA inpowerouttage
It must be about a 1k buffer, then. I repeatedlyseconds, getintensive"lockdownwithin seconds of maintenance jobs being run, or other "dataoperations on the DB. I would start the job, in in a fewwent aheadtime" thing-
disconnected
form my TS session because of it-- It wasn't a "oneit
was
consistent and repeatable. That's the only reason Ilockdown untilanddoes yourdisabled lockdown.
Is the buffer user definable somewhere? What exactly
script
do?
t
On 6/28/06 7:54 AM, "Jim Harrison (ISA)"
<Jim.Harrison@xxxxxxxxxxxxx>
spoketh to all:
Actually, that's not true; ISA doesn't go intothelogging buffer is filled. I agree that a "backup logging" concept is useful. I have a script that works for ISA 2000; it[mailto:thor@xxxxxxxxxxxxxxx]difficult
to
"agnosticize" it.
Jim Harrison Security Platform Group (ISA SE)
If We Can't Fix It - It Ain't Broke!
-----Original Message----- From: Thor (Hammer of God)the loggingcorruption due to<mailto:thor@xxxxxxxxxxxxxxx%5d><mailto:thor@xxxxxxxxxxxxxxx%5d>Sent: Wednesday, June 28, 2006 7:34 AM To: ISA-MVP Subject: Re: [ISAServer] Firewall databasepowerouttage
I'd like to see some way to at least "buffer"running...set a timeoutBut, I guessrequestsISA is quite
when
logging to an off-box ODBC destination, like SQL.intolerant of even the slightest interruption in logging.secondary localthat
makes
sense if the goal is to have "evidentiary credibility."
It wouldn't have to be something l337 like a
logging
option or anything like that-- I think being able towould kick thevalue
would
would. With larger db's, a maintenance jobserver
into
lockdown, even though the SQL service is stillisaserver@xxxxxxxxxxxxxxx,lockdown mode whenhaven't had alayout to you
Jim, I know you wanted me to get my infrastructure
again
for my solution to the SQL db size problems, but IRegardless, evenchance
to
find that old email. I should just re-create it ;)
with
that "solution" in place, I've had to disablelist@xxxxxxxxxxxxxxx<tshinder@xxxxxxxxxxx>logging
to
SQL for that very reason.
t
On 6/28/06 7:19 AM, "Thomas W Shinder"[mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
spoketh
to
all:
And it's a really good security and forensics decision.
Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls
-----Original Message----- From: Amy Babinchakbetter UPS...corruption due to<mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx%5d> <mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx%5d> Sent: Wednesday, June 28, 2006 6:28 AM To: isaserver@xxxxxxxxxxxxxxx Subject: RE: [ISAServer] Firewall databasean indicatorpower outtage
I like that ISA shuts down if it can't log. It's<mailto:sbradcpa@xxxxxxxxxxx%5d>
that
something has gone wrong.
Amy
-----Original Message----- From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:sbradcpa@xxxxxxxxxxx]due to power<mailto:sbradcpa@xxxxxxxxxxx%5d> Sent: Wednesday, June 28, 2006 12:12 AM To: isaserver@xxxxxxxxxxxxxxx Subject: [ISAServer] Firewall database corruptionUPS but like
outtage
With the caveat that we all know we need a goodgetting a
stuff
happens.. I've seen two folks recently have issuesthat ended upserver back
up have a 'dirty shutdown' due to power outtageadjustingcorrupting
the ISA firewall database.
Short of uninstalling and reinstalling... short ofISA so it won't shut down if it can't log... short of aisaserver@xxxxxxxxxxxxxxx,anylist@xxxxxxxxxxxxxxx
other
recommendations on handling this better?
--- To subscribe to the list - send an email toIn the subject line put in JOINyouremailaddress
To leave the list - send an email tolist@xxxxxxxxxxxxxxxisaserver@xxxxxxxxxxxxxxx,In the subject line put in LEAVEisaserver@xxxxxxxxxxxxxxx,list@xxxxxxxxxxxxxxxyouremailaddress
Don't forget the comma! --- To subscribe to the list - send an email toIn the subject line put in JOINyouremailaddress
To leave the list - send an email toisaserver@xxxxxxxxxxxxxxx,isaserver@xxxxxxxxxxxxxxx,In the subject line put in LEAVElist@xxxxxxxxxxxxxxxyouremailaddress
Don't forget the comma!
--- To subscribe to the list - send an email toIn the subject line put in JOINlist@xxxxxxxxxxxxxxx
youremailaddress
To leave the list - send an email toisaserver@xxxxxxxxxxxxxxx,isaserver@xxxxxxxxxxxxxxx,In the subject line put in LEAVElist@xxxxxxxxxxxxxxx
youremailaddress
Don't forget the comma!
--- To subscribe to the list - send an email toIn the subject line put in JOINlist@xxxxxxxxxxxxxxxyouremailaddress
To leave the list - send an email toisaserver@xxxxxxxxxxxxxxx,In the subject line put in LEAVEisaserver@xxxxxxxxxxxxxxx,list@xxxxxxxxxxxxxxxyouremailaddress
Don't forget the comma! --- To subscribe to the list - send an email toIn the subject line put in JOINlist@xxxxxxxxxxxxxxx
youremailaddress
To leave the list - send an email toisaserver@xxxxxxxxxxxxxxx,In the subject line put in LEAVEisaserver@xxxxxxxxxxxxxxx,list@xxxxxxxxxxxxxxx
youremailaddress
Don't forget the comma!
--- To subscribe to the list - send an email toIn the subject line put in JOINlist@xxxxxxxxxxxxxxx Inyouremailaddress
To leave the list - send an email tothe subject line put in LEAVEisaserver@xxxxxxxxxxxxxxx,list@xxxxxxxxxxxxxxxyouremailaddress
Don't forget the comma! --- To subscribe to the list - send an email toIn the subject line put in JOINisaserver@xxxxxxxxxxxxxxx,list@xxxxxxxxxxxxxxx In
youremailaddress
To leave the list - send an email tolist@xxxxxxxxxxxxxxxthe subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx,
youremailaddress
Don't forget the comma!
--- To subscribe to the list - send an email toIn the subject line put in JOINisaserver@xxxxxxxxxxxxxxx,list@xxxxxxxxxxxxxxx In
youremailaddress
To leave the list - send an email tolist@xxxxxxxxxxxxxxxthe subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx,
youremailaddress
Don't forget the comma!
--- To subscribe to the list - send an email toIn the subject line put in JOINlist@xxxxxxxxxxxxxxx In thelist@xxxxxxxxxxxxxxx In
youremailaddress
To leave the list - send an email tolist@xxxxxxxxxxxxxxxthe subject line put in LEAVE isaserver@xxxxxxxxxxxxxxx,
youremailaddress
Don't forget the comma!
--- To subscribe to the list - send an email tolist@xxxxxxxxxxxxxxx In theIn the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx,youremailaddress
To leave the list - send an email tolist@xxxxxxxxxxxxxxxsubject line put in LEAVE isaserver@xxxxxxxxxxxxxxx,youremailaddress
Don't forget the comma!
--- To subscribe to the list - send an email tolist@xxxxxxxxxxxxxxx In theIn the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx, youremailaddress
To leave the list - send an email tolist@xxxxxxxxxxxxxxxsubject line put in LEAVE isaserver@xxxxxxxxxxxxxxx, youremailaddress
Don't forget the comma! --- To subscribe to the list - send an email tolist@xxxxxxxxxxxxxxx In theIn the subject line put in JOIN isaserver@xxxxxxxxxxxxxxx,youremailaddress
To leave the list - send an email tolist@xxxxxxxxxxxxxxx Insubject line put in LEAVE isaserver@xxxxxxxxxxxxxxx,youremailaddress
Don't forget the comma!
--- To subscribe to the list - send an email tothe subject line put in JOIN isaserver@xxxxxxxxxxxxxxx, youremailaddress
To leave the list - send an email tosubject line put in LEAVE isaserver@xxxxxxxxxxxxxxx, youremailaddress
Don't forget the comma!
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.