Urgent: ISA 2004 Logging
Urgent: ISA 2004 Logging - 24.Sep.2007 6:40:05 AM
filipe
Posts: 26
Joined: 19.Sep.2006
Status: offline
Hi,
My ISA2004 started to send me a configured alert every 10 seconds by email. The alert is as follows:
ISA Server alert: An unknown SMTP command was used.
ISA Server name: AISA02
Новые правила
I think someone is sending me these malformed SMTP commands to flood my email server. I want to stop connections from the server that is doing this in the border firewall. How can I find the server IP that is sending me those commands? The ISA reports don't show anything. How can I read and see the ISA 2004 logs? I have the logs in .mdf format. Must I read them in SQL Server?
TIA, Clemente Portugal
RE: Urgent: ISA 2004 Logging - 27.Sep.2007 5:50:18 PM
filipe
Posts: 26
Joined: 19.Sep.2006
Status: offline
Hi Tom,
Thanks for your answer. I can't find this information in the ISA Server log files. I can't find the log information that is generated by the ISA application filter. I just receive this information from the alerts. Where can I find this information in the logs? In the ISA firewall logs it just registers the rules, if it fails or if not, ... What is the best way to read ISA log files? I started today using the logparser tool. Do you have any templates for this tool or sample queries? Until this moment I wasn't able to identify the server IP that is sending me these commands...
TIA, Clemente Portugal
RE: Urgent: ISA 2004 Logging - 28.Sep.2007 8:27:47 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
You can filter for the SMTP protocol and then match up the time in the Alerts with the time in the Log files. Make sure to enable the fields and columns you want to see. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
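Tom's advice above (filter for SMTP, then match the alert times against the log times), shown as an added example that is not part of the original thread: when many servers connect every minute, count how many alert windows each source IP falls into instead of inspecting a single alert. The export layout, the column names (`date`, `time`, `source`, `dest_port`, `action`) and all sample rows are constructed assumptions, not the ISA log schema.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export: tab-separated text with a "#Fields:" header.
# Column names are assumptions; map them to the fields enabled in your log.
SAMPLE_LOG = (
    "#Fields: date\ttime\tsource\tdest_port\taction\n"
    "2007-09-24\t06:40:03\t198.51.100.7\t25\tAllowed\n"
    "2007-09-24\t06:40:04\t203.0.113.20\t25\tAllowed\n"
    "2007-09-24\t06:40:14\t198.51.100.7\t25\tAllowed\n"
    "2007-09-24\t06:40:16\t192.0.2.33\t25\tAllowed\n"
    "2007-09-24\t06:40:24\t192.0.2.99\t80\tAllowed\n"
    "2007-09-24\t06:40:24\t198.51.100.7\t25\tAllowed\n"
    "2007-09-24\t06:40:26\t203.0.113.20\t25\tAllowed\n"
)
# Constructed alert times, as read from the alert e-mails or the event log.
SAMPLE_ALERTS = ["2007-09-24 06:40:05", "2007-09-24 06:40:15", "2007-09-24 06:40:25"]

def parse_smtp_records(text, log_offset_h=0):
    """Yield (timestamp, source_ip) for records to TCP port 25.
    log_offset_h shifts log times when log and alerts use different time zones."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split("\t")))
            if row.get("dest_port") == "25":
                ts = datetime.strptime(row["date"] + " " + row["time"], FMT)
                yield ts + timedelta(hours=log_offset_h), row["source"]

def rank_sources(log_text, alert_times, window_s=5, log_offset_h=0):
    """Return [(source_ip, alert_windows_hit)], most frequent first."""
    records = list(parse_smtp_records(log_text, log_offset_h))
    window = timedelta(seconds=window_s)
    hits = Counter()
    for alert in alert_times:
        at = datetime.strptime(alert, FMT)
        # Count each source once per alert, however many records it has.
        hits.update({ip for ts, ip in records if abs(ts - at) <= window})
    return hits.most_common()

if __name__ == "__main__":
    for ip, n in rank_sources(SAMPLE_LOG, SAMPLE_ALERTS):
        print(f"{ip}\tseen near {n} of {len(SAMPLE_ALERTS)} alerts")
```

A source that shows up near every alert is the one to examine first; feeding in more alert timestamps separates it from servers that merely connect often.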
RE: Urgent: ISA 2004 Logging - 28.Sep.2007 12:14:21 PM
filipe
Posts: 26
Joined: 19.Sep.2006
Status: offline
Hi Tom,
I tried, but I have a lot of SMTP traffic and a lot of SMTP servers connecting every minute, and I can't find which one is sending this command because the SMTP application filter doesn't register any failure in the log file. How can I configure the application filter so it registers this failure in the logs? When the connection is dropped because of this filter, how can I identify it in the ISA firewall logs?
TIA, Clemente Portugal
RE: Urgent: ISA 2004 Logging - 1.Oct.2007 7:50:03 AM
filipe
Posts: 26
Joined: 19.Sep.2006
Status: offline
Hi again Tom,
I'm filtering it using my Inbound SMTP server rule and I can't find the error. I have all the log fields selected and I can't find this error in the logs. This is an error generated by the application filter, which sends it to me via an alert. Can you please tell me which ISA logs you are referring to, so I can check whether I'm doing something wrong?
TIA, Clemente Portugal
RE: Urgent: ISA 2004 Logging - 2.Oct.2007 8:14:55 AM
filipe
Posts: 26
Joined: 19.Sep.2006
Status: offline
Hi,
The info I see in the ISA Firewall logs is the rule name, and whether it is denied, accepted, or Unidentified IP Traffic. I see this in the rule field and the application protocol. I can't find any other field in the logs that can help me in this case of the error in the application filter.
TIA, Clemente Portugal
RE: Urgent: ISA 2004 Logging - 3.Oct.2007 10:36:04 AM
filipe
Posts: 26
Joined: 19.Sep.2006
Status: offline
Hi Tom,
I started monitoring all the connections in the ISA Management Console. I right-clicked and added two fields: Error Information and Filter Information. I can see some SMTP denied connections, but the Filter Information field that I added just displays a "-". The only application filter that displays some information in that field is the HTTP application filter. I keep receiving those alert messages from the ISA 2004 SMTP application filter by email every 30 seconds, and I can't see that information appearing in these two fields I added while monitoring in real time with the management console. How can I configure the SMTP application filter so it fills the "Filter Information" column while monitoring in real time?
TIA, Clemente Portugal
RE: Urgent: ISA 2004 Logging - 4.Oct.2007 9:21:42 AM
filipe
Posts: 26
Joined: 19.Sep.2006
Status: offline
Hi Tom,
Yes, it is registered in the event viewer. The problem is that the IP address generating those malformed SMTP commands isn't registered in the event viewer. Is there any way to configure the fields I want to appear in the event viewer for the SMTP application filter? These commands have continued to reach me for more than a week and I can't identify their source...
TIA, Clemente Portugal
RE: Urgent: ISA 2004 Logging - 6.Oct.2007 7:24:28 PM
filipe
Posts: 26
Joined: 19.Sep.2006
Status: offline
Hi Tom,
It's impossible. I have so much traffic in the log files and so many SMTP servers that it is very, very difficult. I think it is very bad for ISA not to have the SMTP application filter registering the IP address that is causing the errors... Can I activate Network Monitor on the ISA interface for some seconds? Are there any problems for the ISA service or for ISA performance in having netmon running so I can collect some packets to see if it's easier to find the bad host?
TIA, Clemente Portugal