Welcome to ISAserver.org


Eventlog Dump from a server with ISA Standard 2004 SP1

Eventlog Dump from a server with ISA Standard 2004 SP1 - 5.Dec.2005 5:34:46 PM   
locholi

 

Posts: 5
Joined: 5.Dec.2005
Status: offline
Hi
I will monitor our FWs with a VBScript which will analyze the eventlogs from the ISA FW, and if there are any errors or warnings I will get an informational email.
Since Service Pack 1 for ISA 2004 Standard this script doesn't work anymore.
I have tried the following steps but without success:


Problem:
--------------
I would like to use a VBscript on a machine on the internal network which connects to the ISA server and reads the event logs of the ISA server using WMI. In ISA 2004 without SP1 this worked without problems. On ISA 2004 SP1 WMI calls from other machines are blocked.
Q.I cannot use DCOM from a computer in the Remote Management Computers set to the ISA Server computer. Why not?
Answer:
------------
Config ISA:
1) Create rule that is duplicate of system policy rule #2.
2) Disable system policy rule #2.
3) Uncheck "Enforce strict RPC compliance" for custom rule #2
Reason:
In the system policy rule, there is no option to configure remote management to allow non-strict RPC traffic. All DCOM traffic between Remote Management computers to the Local Host computer will be dropped. The RPC filter cannot be configured not to enforce RPC filtering, allowing DCOM. As a workaround, remove the computer from the Remote Management Computer set, and create an additional policy rule for the same traffic as the system policy rule. Then right-click the rule, click Configure RPC Protocol, and clear Enforce strict RPC compliance for this rule.
4) Create DCOM rule ordered before the rule you defined in step #1.
Allow - Customize Protocol: "DCOM" - Parameters: Primary Connection: 1024 - 5000 Outbound - From "Remote Management Computers" to "Local Host" AND "Local Host" to "Remote Management Computers"
5) Add your Client (Test) IP to Computer Sets " Remote Management Computer".
Addition:
---> You cannot copy a System policy rule like custom Firewall Rules.

These solutions don't work.

'--- Start VBScript ---
' Reads eventlogs, filters them according to "sConfigFileName" and sends the list via e-mail.
' Events are filled into a 3-dimensional events "aEvents(ComputerName,Events,EventType)".
' EventCounters are filled into a simple array with one record per computer.
' SMTP Server must be installed on the machine where the script is executed, otherwise output is only recorded
' in file evenlist.htm in the program directory.

   Option Explicit
   Dim aEvents(),aComputerList, aCounters(), aServerList
   Dim sEventsFilter,sSender,sRecipients,sSubject,sStartDate,sText, sHTML, sSMTPserver
   Dim nMaxEntries,nMaxMessageSize,nComputers,nTotalErrors,nTotalWarnings,nTotalAudits
   Dim oFS, oOutputFile, oLogFile
   Dim nTimeZone
   Dim iLine
   Const cError=0 : Const cWarning=1 : Const cAudit=2 : Const cComputer=3
   Const sConfigFileName = "ListEvents.ini"
   ' Link template; "99999" and "SourceXXX" are replaced with the event ID and source in WriteRecord
   Const sURL = "<a href=""http://www.eventid.net/display.asp?eventid=99999&source=SourceXXX"">99999</a>"
   Const bShowURL = True
   Const iLogLevel = 1
  
   SetLocale("de-ch")  ' Set locale for displaying dates in this format dd.mm.yy hh:mm:ss  
   nMaxEntries = CInt(ReadIni(sConfigFileName,"[General]","nMaxEntries"))
   nMaxMessageSize = CInt(ReadIni(sConfigFileName,"[General]","nMaxMessageSize"))
   sEventsFilter = ReadIni(sConfigFileName,"[EventsFiltered]","EventsList")
   sEventsFilter = "," & Replace(sEventsFilter," ","") & ","
   sSMTPserver = ReadIni(sConfigFileName,"[e-Mail]","SMTP-Server")
   sSender = ReadIni(sConfigFileName,"[e-Mail]","Sender")
   sRecipients = ReadIni(sConfigFileName,"[e-Mail]","RecipientsList")
   aComputerList=Split(Replace(ReadIni(sConfigFileName,"[Computers]","ComputerList")," ",""),",")
   nComputers=UBound(aComputerList)+1
   ReDim aEvents(nComputers,nMaxEntries,3),aCounters(nComputers)
   On Error Resume Next
   Set oFS = Wscript.CreateObject("Scripting.FileSystemObject")
   Set oOutputFile = oFS.CreateTextFile("ListEvents.htm", True,True)
   Set oLogFile = oFS.CreateTextFile("ListEvents.log", True)
   If Err.Number <> 0 Then
      WriteLog "Opening file resulted in error &h" & Hex(Err.Number) & " " & Err.Description
      WScript.Quit(-1)
   End If      
   On Error Goto 0
   nTimeZone = TimeZone  'determine time zone for getting WMI format dates
   sStartDate = DateValue(Now)- ReadIni(sConfigFileName,"[General]","nDaysBack")
   WriteLog "TimeZone (hours from UTC): " & nTimeZone & " StartDate: " & sStartDate
   CreateHTMLPage()   
   Call GetEvents (aComputerList,GetWMIdate(sStartDate),aEvents,aCounters)
   Call WriteEvents (aEvents,aCounters,sText) 
   Call Output("</table>" & vbCRLF)
   Call Output("</body>" & vbCRLF)
   Call Output("</html>" & vbCRLF)
   sSubject="Eventlogs - Errors: "& nTotalErrors & "; Audits: " & nTotalAudits & "; Warnings: "& nTotalWarnings
   If sRecipients <> "" Then Call SendMail (sSender,sRecipients,sSubject,sHTML,"",sSMTPserver)
   WriteLog Now & " Done."
   WScript.Quit
'---------------------------------------------------------------------------------------------------------------------
Sub GetEvents (aComputerList,sWMIStartDate,aEvents,aCounters)
   Dim oLogFileSet,oRecord
   Dim sComputerName,sQuery
   Dim nErrors,nWarnings,nAudits
   Dim iComputer,i,iCount,iFiltered
  
   For iComputer=0 To nComputers-1
       sComputerName=aComputerList(iComputer)
       nErrors=0 : nWarnings=0 : nAudits =0 : iCount=0 : iFiltered = 0
       WriteLog Now & " connecting to computer " & sComputerName
       sQuery = "SELECT * FROM Win32_NTLogEvent WHERE type <>'information' AND type <> 'audit success' " &_
                "AND timewritten >'" & sWMIStartDate & "'" '& " AND timewritten <'" & GetWMIdate("12.03.2003 18:50:00") & "'"
       WriteLog "    Query: " & sQuery
       On Error Resume Next
       Set oLogFileSet = GetObject("winmgmts:{(Security)}\\" & sComputerName).ExecQuery(sQuery,,48)
       If Err.Number <> 0 Then
           ' Connection or query failed: nErrors = -1 makes WriteTitle report
           ' "Could not connect", and the record loop below is skipped.
           Set oLogFileSet = Nothing
           WriteLog "Error: " & Err.Number & " (hex:" & Hex(Err.Number) & ") " & Err.Description
           nErrors=-1
       End If
       On Error Goto 0
  
       If Not oLogFileSet Is Nothing Then
          For Each oRecord In oLogFileSet
             With oRecord
             If IsNull(.Message) Then .Message = "The description for this Event ID cannot be found"
             ' Events listed in the INI as "Source-EventID" are filtered out
             If InStr(1,sEventsFilter,","& Replace(.SourceName," ","")&"-"& CStr(.EventCode)&",",vbTextCompare) > 0 Then _
                .Type="skip"
             Select Case LCase(.Type)
             Case "error"
                 If (nErrors < nMaxEntries) Then aEvents(iComputer,nErrors,cError) = _
                 Array(.ComputerName,.Type,.LogFile,GetVBdate(.TimeGenerated),.EventCode,.SourceName,.Message)
                 nErrors = nErrors + 1
             Case "warning"
                 If (nWarnings < nMaxEntries) Then aEvents(iComputer,nWarnings,cWarning) = _
                 Array(.ComputerName,.Type,.LogFile,GetVBdate(.TimeGenerated),.EventCode,.SourceName,.Message)
                 nWarnings = nWarnings + 1
             Case "audit failure"
                 If (nAudits < nMaxEntries) Then aEvents(iComputer,nAudits,cAudit) = _
                 Array(.ComputerName,.Type,.LogFile,GetVBdate(.TimeGenerated),.EventCode,.SourceName,.Message)
                 nAudits = nAudits + 1
             Case Else
                 iFiltered = iFiltered + 1
             End Select
             iCount=iCount + 1
             If iCount > 2000 Then Exit For
             End With
          Next
       End If
       aCounters(iComputer)=Array(nErrors,nWarnings,nAudits,sComputerName)
       WriteLog "    " & iCount & " events found. " & iFiltered & " filtered."
   Next  
   ' Calculate totals for each event type; a computer that could not be
   ' reached is marked with nErrors = -1 and must not be counted
   For i=0 To nComputers - 1
       If aCounters(i)(cError) > -1 Then
           nTotalErrors=nTotalErrors+aCounters(i)(cError)
           nTotalWarnings=nTotalWarnings+aCounters(i)(cWarning)
           nTotalAudits=nTotalAudits+aCounters(i)(cAudit)
       End If
   Next
End Sub
'---------------------------------------------------------------------------------------------------------------------
Sub WriteEvents(aEvents,aCounters,sText)
   Dim iComputer,i
   Call WriteHeader
  
   For iComputer=0 To nComputers-1
       Call WriteTitle (aCounters(iComputer)(cComputer), _
                        aCounters(iComputer)(cError),    _
                        aCounters(iComputer)(cWarning),  _
                        aCounters(iComputer)(cAudit))    
       i=0
       Do While IsArray (aEvents(iComputer,i,cError))
           WriteRecord aEvents(iComputer,i,cError)
           i=i+1
       Loop
  
       i=0
       Do While IsArray (aEvents(iComputer,i,cWarning))
           WriteRecord aEvents(iComputer,i,cWarning)
           i=i+1
       Loop
  
       i=0
       Do While IsArray (aEvents(iComputer,i,cAudit))
           WriteRecord aEvents(iComputer,i,cAudit)
           i=i+1
       Loop
   Next
End Sub
'---------------------------------------------------------------------------------------------------------------------
Sub WriteHeader
   Call Output("<font face=""Verdana"" size=""4""><b>Event Collection from " & DateValue(sStartDate) & " " & TimeValue(sStartDate) & " to " & Now & "</b>" & vbCRLF)   
   Call Output("<table border=""0"">")
   Call Output(" <tr>")
   Call Output("  <td width=""200"">Summary</td><td width=""150"">Total Errors:</td><td width=""150"">" & nTotalErrors & "</td>")
   Call Output(" </tr>")
   Call Output(" <tr>")
   Call Output("  <td></td><td>Total Warnings:</td><td>" & nTotalWarnings & "</td>")
   Call Output(" </tr>")
   Call Output(" <tr>")
   Call Output("  <td></td><td>Total Audits:</td><td>" & nTotalAudits & "</td>")
   Call Output(" <tr>")
   Call Output("  <td></td><td>Only the most recent</td><td>" & nMaxEntries & " events per computer and event type are shown.</td>")
   Call Output(" </tr>")
   Call Output("</table>" & vbCRLF)
   Call Output("<table border=""0"">")
End Sub
'---------------------------------------------------------------------------------------------------------------------
Sub WriteTitle (sComputerName,nErrors,nWarnings,nAudits)
   Dim sTruncated
   If nErrors > nMaxEntries Or nWarnings > nMaxEntries Or nAudits > nMaxEntries Then
          sTruncated = " --> Not all events are shown!"
      Else
          sTruncated =""
      End If
   Call Output(" <tr><td>&nbsp;</td></tr>" & vbCRLF)
   Call Output(" <tr>")
   If nErrors > -1 Then
           Call Output("  <td colspan=""9"" bgcolor=""red""><b><font color=""White"">" & sComputerName & _
           "&nbsp;-&nbsp;Errors: " & nErrors & "&nbsp;Warnings: " & nWarnings & "&nbsp;Audits: " & nAudits &_
           sTruncated & "</b></td>")
       Else
           Call Output("  <td colspan=""9"" bgcolor=""red""><b><font color=""White"">" & sComputerName & _
           "&nbsp;-&nbsp;Could not connect to computer</b></td>")
       End If
   Call Output(" </tr>")
  
   If nErrors + nWarnings + nAudits > 0 Then
      Call Output(" <tr bgcolor=""#A0A0CC"">")
      Call Output("  <td valign=""top""><font face=""Verdana"" size=""2"">Type</td>")
      Call Output("  <td valign=""top""><font face=""Verdana"" size=""2"">LogFile</td>")
      Call Output("  <td valign=""top""><font face=""Verdana"" size=""2"">Date/Time</td>")
      Call Output("  <td valign=""top""><font face=""Verdana"" size=""2"">EventID</td>")
      Call Output("  <td valign=""top""><font face=""Verdana"" size=""2"">Source</td>")
      Call Output("  <td valign=""top""><font face=""Verdana"" size=""2"">Message</td>")
      Call Output(" </tr>")
   End If
End Sub
'---------------------------------------------------------------------------------------------------------------------
Sub WriteRecord (aRecord)
   Dim sEvent, sMessage,sbg
   Dim iMessageLength
      
   If bShowURL Then
       sEvent = Replace(sURL,"99999",aRecord(4))
       sEvent = Replace(sEvent,"SourceXXX",aRecord(5))
   Else
       sEvent = aRecord(4)
   End If
   iLine = iLine + 1
   If iLine mod 2 = 1 Then
       sbg = "#E0E0E0"
   Else
       sbg = "#FFFFFF"
   End If
   sMessage = Trim(aRecord(6))
   iMessageLength = Len(sMessage)
   sMessage = Left(sMessage,nMaxMessageSize)
   If iMessageLength > nMaxMessageSize Then sMessage = sMessage & " ..."
   Call Output(" <tr bgcolor=""" & sbg & """>")
   Call Output("  <td valign=""top""><font face=""Verdana"" size=""2"">" & aRecord(1) & "</td>")    'EventType
   Call Output("  <td valign=""top""><font face=""Verdana"" size=""2"">" & aRecord(2) & "</td>")    'LogFile
   Call Output("  <td valign=""top""><font face=""Verdana"" size=""2"">" & aRecord(3) & "</td>")    'Date-Time
   Call Output("  <td valign=""top""><font face=""Verdana"" size=""2"">" & sEvent & "</td>")
   Call Output("  <td valign=""top""><font face=""Verdana"" size=""2"">" & aRecord(5) & "</td>")    'Source
   Call Output("  <td valign=""top""><font face=""Verdana"" size=""2"">" & sMessage & "</td>")
   Call Output(" </tr>")
End Sub
'---------------------------------------------------------------------------------------------------------------------
Function ReadIni (sFileName,sSection,sEntry)
   ' Returns the value of sEntry in section sSection (e.g. "[General]") of an
   ' INI-style file; text after a single quote is a comment. Returns Empty if
   ' the entry is not found. Names are compared case-insensitively.
   Dim oFSO, oFile, sLine, sFileEntry, bSection
  
   Set oFSO = Wscript.CreateObject("Scripting.FileSystemObject")
   Set oFile = oFSO.OpenTextFile(sFileName)
  
   bSection = False
  
   Do While Not oFile.AtEndOfStream
       sLine = oFile.ReadLine
       If InStr(sLine, "'") <> 0 Then sLine = Left(sLine, InStr(sLine, "'")-1)  'ignore comments
       sLine = Trim(Replace(sLine,vbTab," "))
       If Left(sLine,1) = "[" Then
          ' A section header starts the wanted section or ends the previous one
          bSection = (StrComp(sLine, sSection, vbTextCompare) = 0)
       ElseIf bSection And InStr(sLine, "=") <> 0 Then
          sFileEntry = Trim(Left(sLine, InStr(sLine, "=")-1))
          If StrComp(sFileEntry, sEntry, vbTextCompare) = 0 Then
             ReadIni = Trim(Mid(sLine,InStr(sLine,"=")+1))
             Exit Do
          End If
       End If
   Loop
  
   oFile.Close
   Set oFile = Nothing
End Function
'---------------------------------------------------------------------------------------------------------------------
Sub SendMail (sFrom,sTo,sSubject,sBodyText,sAttachment,sSMTPServer)
   Dim oMessage
  
   Set oMessage = CreateObject("CDO.Message")
   If sSMTPserver <> "" Then
       oMessage.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
       oMessage.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = sSMTPserver
       oMessage.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
       oMessage.Configuration.Fields.Update
   End If
   If sFrom = "" Then sFrom = "Admin"
   oMessage.From = sFrom
   oMessage.To = sTo
   oMessage.Subject = sSubject
   If InStr(1,Left(sBodyText,20),"<HTML>",vbTextCompare) > 0 Then
       oMessage.HTMLBody = sBodyText
       Else
       oMessage.Textbody = sBodyText
       End If
   If sAttachment <> "" Then oMessage.AddAttachment("file://" & sAttachment)
   On Error Resume Next
   oMessage.Send
   If Err.Number <> 0 Then
      WriteLog("SendMail: Error &h" & Hex (Err.Number) & " : " & Err.Description)
      WriteLog("Attempted to send message via server '" & sSMTPserver & "'")
      Exit Sub
   End If   
   On Error Goto 0
      
End Sub
'---------------------------------------------------------------------------------------------------------------------
Private Sub Output(sText)
   oOutputFile.WriteLine sText
   sHTML = sHTML & sText & vbCRLF
End Sub
'---------------------------------------------------------------------------------------------------------------------
Private Sub CreateHTMLPage()
   Output("<html>" & vbCRLF)
   Output("<head>")
   Output("<title>Eventlog&nbsp;-&nbsp;ListEvents</title>" & vbCRLF)
   Output("</head>")
   Output("<body bgcolor=""#FFFFFF"">" & vbCRLF)
End Sub
'---------------------------------------------------------------------------------------------------------------------
Sub WriteLog (sText)
   If iLogLevel > 0 Then
      oLogFile.WriteLine sText
      If iLogLevel >1 Then WScript.Echo sText
   End If
  
End Sub
'-------------------------------------------------------------------------------------------------------------
Function GetVBdate(sWMIDate)
   GetVBdate = Mid(sWMIDate,7,2) & "." & Mid(sWMIDate,5,2) & "." & Left (sWMIDate,4) & " " &_
               Mid(sWMIDate,9,2) & ":" & Mid(sWMIDate,11,2)& ":" & Mid(sWMIDate,13,2)
'    SetLocale("de-ch")  ' Set locale for displaying dates in this format dd.mm.yy hh:mm:ss  
'    GetVBdate = DateAdd("h",nTimeZone,GetVBdate)  ' Use this line if time zone correction is needed
      
End Function
'---------------------------------------------------------------------------------------------------------------------
Function TimeZone
'Returns time difference to UTC (Universal Time Coordinated) in hours.
   Dim oWMI, oComputer
  
   Set oWMI = GetObject("winmgmts:").ExecQuery("SELECT Currenttimezone FROM Win32_ComputerSystem")
   For Each oComputer In oWMI
       TimeZone = oComputer.Currenttimezone/60
   Next
End Function
'-------------------------------------------------------------------------------------------------------------
Function GetWMIdate (dDate)
   dDate = DateAdd("n",-nTimeZone*60,dDate)
   GetWMIdate = Year(dDate) & Pad(Month(dDate),2) & Pad(Day(dDate),2) &_
                Pad(Hour(dDate),2) & Pad(Minute(dDate),2) & Pad(Second(dDate),2)& ".000000+000"
End Function
'-------------------------------------------------------------------------------------------------------------
Function Pad (sText,nWidth)
   If Len(sText) < nWidth Then
       Pad = String(nWidth - Len(sText), "0") & sText
   Else
       Pad = sText
   End If
  
End Function
'--- End VB Script---

'--- Start Ini File for VB Script config ---
'This is the configuration file for ListEvents.vbs
[General]
nMaxEntries=40  'Maximum events to collect per EventType and computer
nMaxMessageSize=250 'Maximum event message size
nDaysBack=1  'Number of days back to scan event logs. Scan begins at midnight local time.

[EventsFiltered]
'Events to be excluded from the Output must be added in the format "Source"-"EventID" Without quotes.
EventsList = NortonAntivirus-6,PrinT-61,MRxSmb-3019,MRxSmb-3034,MSExchangeSA-5008,DCOM-10006,Schannel-36871,BackupExec-57744,TermServDevices-1111,TermServDevices-1105
'6 Norton Antivirus: Scan could not access file
'61     failed to print. Normally occurs when a user cancels a print job
'3019   The redirector failed to determine the connection type
'3034   The redirector was unable to initialize security context. See http://seer.support.veritas.com/docs/238513.htm
'5008   The message tracking log file was deleted
'10006  DCOM got error.. from the computer ..when attempting to activate the server; See http://seer.support.veritas.com/docs/238513.htm
'36871  A fatal error occurred while creating an SSL server credential. See Q305088
'57744  BackupExec: Job "xxx" was canceled at the user's request.
[Computers]
'List of Servers to be scanned.
ComputerList = FW1
[e-Mail]
'Specify recipients separated by commas. If SMTP-Server is blank, the local system is used.
RecipientsList = testemail@test.com
Sender=Admin
SMTP-Server = mailserver
'--- End Ini File ---

'-- Start Readme ---
ListEvents.vbs
Gathers event logs from selected servers and sends an HTML e-mail to the administrator.
For each event there is a hyperlink to www.eventid.net, a site that has a lot of
information on the most frequent eventlog messages.
You can easily schedule this script to run every day shortly
before you come in to work.
Before you start you need to edit ListEvents.ini.
There you specify which servers you want to monitor, which is your mail server and to
whom you want send the e-mail, among other things. ListEvents.ini contains a lot of
comment, so you should easily find your way around.
ListEvents only performs well if your Eventlog size is less than 2 MB.
'--- End Readme ---

Thanks and best regards
Oli
Post #: 1
RE: Eventlog Dump from a server with ISA Standard 2004 SP1 - 7.Dec.2005 3:36:52 PM   
J.F.

 

Posts: 43
Joined: 28.Nov.2005
Status: offline
Hi Oli:

What do the event logs show on the ISA box and the machine from which you are running the script?  What do the firewall logs show on ISA related to the connection attempts, i.e., what error codes on denied connections, or are the connections allowed? 

Also, that script is scheduled to run under the context of some user account, what is it?  Is that account a recognized local Administrators group member on the ISA box?  Local, global, system account?

  JF



(in reply to locholi)
Post #: 2
RE: Eventlog Dump from a server with ISA Standard 2004 SP1 - 8.Dec.2005 8:09:00 AM   
locholi

 

Posts: 5
Joined: 5.Dec.2005
Status: offline
Hi JF
Exactly, this is my problem too.
I don't find any events in the eventlog and the FW log also doesn't show any drop packets.
I have tested a rule which will forward the whole traffic like any to any and I have checked that the System Policy will allow RPC connections to the FW but I didn't have any success.
Please try out my script and then you will see that it doesn't work with ISA Standard 2004 SP1.
Regards
Oli

(in reply to J.F.)
Post #: 3
RE: Eventlog Dump from a server with ISA Standard 2004 SP1 - 9.Dec.2005 3:47:20 PM   
J.F.

 

Posts: 43
Joined: 28.Nov.2005
Status: offline
 
I'm sure you've done this already, but just to confirm:

Are all possible Audit Policies enabled on both the ISA and client machines, for both successful and failed actions, either through domain-based Group Policy or through the local Group Policy object?  (They don't have to be permanently enabled, just for the troubleshooting.)

The FW logs should not merely show the absence of denied or error lines, but a successful WMI-DCOM connection.  Have you identified these success entries?  Do you need to change some rules in your System Policy or Firewall Policy to enable the appropriate logging?

Have you commented out "On Error Resume Next" lines in the script so that you can help the script cough up more useful error messages?  Another approach is to add the procedure below and call it at various times in the script after you attempt actions that are likely to fail, e.g., when you do calls to WMI like "GetObject("winmgmts:{(Security)}\\" & sComputerName).ExecQuery()" then you are likely to get errors when it cannot establish the DCOM-RPC channel:

Sub CatchAnyErrorsAndQuit(sMessage)
   Dim oStdErr
   If Err.Number <> 0 Then
       Set oStdErr  = WScript.StdErr  'Write to standard error stream.
       oStdErr.WriteLine vbCrLf
       oStdErr.WriteLine ">>>>>> ERROR: " & sMessage
       oStdErr.WriteLine "Error Number: " & Err.Number
       oStdErr.WriteLine " Description: " & Err.Description
       oStdErr.WriteLine "Error Source: " & Err.Source 
       oStdErr.WriteLine " Script Name: " & WScript.ScriptName
       oStdErr.WriteLine vbCrLf
       WScript.Quit Err.Number
   End If
End Sub


Here is another way to isolate if it really is a problem establishing a WMI connection: Save the little script below to a .vbs file on your client machine, run it in a CMD shell with cscript.exe by passing in the IP address of the remote ISA Server box.  The script will just dump some Security event log data if successful (showing that WMI connectivity is good) or it will cough up an error of some type.  If you can get some data with this script, then it's not a WMI problem, it's something else.  Also, and this is very important, you have to run the script as the user account under which your other script is running; you can do this with RUNAS.EXE or by logging on as that user, which I'm assuming is a user account for scheduled job, but please be mindful of the problems that arise when using two local accounts (one at client, one at ISA) instead of one global account.


'Pass in remote target's IP address as a command-line argument.
sIPaddress = WScript.Arguments.Item(0)
Set oWMI = GetObject("WinMgmts:{(Security)}!//" & sIPaddress & "/root/cimv2")
Set cCollection = oWMI.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE logfile = 'Security'")
For each oItem in cCollection
   Wscript.Echo "Record number: "      & oItem.RecordNumber
   Wscript.Echo "Computer name: "      & oItem.Computername
   Wscript.Echo "User: "               & oItem.User
   Wscript.Echo "Source name: "        & oItem.SourceName
   Wscript.Echo "Event code: "         & oItem.EventCode
   Wscript.Echo vbCrLf & "--------------------------------------" & vbCrLf
Next


You can also run the above little script on the ISA box itself, but make sure to pass in a single period (" . ") as the argument to let WMI know you want to connect locally.  If this works, but over the network doesn't, then this also helps to isolate the cause of the problem.

If it really is ISA's RPC Filter that's getting in the way, confirm this by temporarily disabling the RPC Filter (Configuration > Add-Ins > Application Filters tab) and trying the script(s) again.  If WMI connections work when the RPC Filter is disabled, but fail when it's enabled, then you've got something to go with...


(in reply to locholi)
Post #: 4
RE: Eventlog Dump from a server with ISA Standard 2004 SP1 - 13.Dec.2005 7:21:01 AM   
Jim Harrison

 

Posts: 271
Joined: 5.May2001
From: Redmond, WA
Status: offline
Don't disable the RPC filter.
While it does block DCOM (the basis for remote WMI), it also serves a *VERY* valuable purpose in filtering out garbage RPC calls to the ISA.

Instead, have the script run *at* the ISA itself and dump the text to a remote share. This uses SMB traffic, which can leave ISA quite easily.

_____________________________

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG

(in reply to J.F.)
Post #: 5
RE: Eventlog Dump from a server with ISA Standard 2004 SP1 - 13.Dec.2005 6:31:38 PM   
locholi

 

Posts: 5
Joined: 5.Dec.2005
Status: offline
If I start the script I will receive the following result:

>>>>>> ERROR: GetObject fails.
Error Number: 462
Description: The remote server machine does not exist or is unavailable
Error Source: Microsoft VBScript runtime error
Script Name: test.vbs

On the FW I can see a log entry like this one:

Log Time Client IP Source Port Source Network Destination IP Destination Port Destination Network Transport Protocol Action Rule Result Code HTTP Status Code Client Username URL Server Name Log Record Type Original Client IP Client Agent Authenticated Client Service Referring Server Destination Host Name HTTP Method MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Processing Time Bytes Sent Bytes Received Cache Information Error Information
13.12.2005 18:17:53 10.185.6.97 2046 Internal 195.213.41.91 135 Local Host TCP RPC (all interfaces) Closed Connection Allow remote management from selected computers using MMC 0x80074e24 FWX_E_CONNECTION_KILLED   - FWTEMP1 Firewall 10.185.6.97    -  - -    No  -    13.12.2005 17:17:53 16 140 376 0x0 0x0

Why does the FW kill this RPC connection? You will find the error FWX_E_CONNECTION_KILLED in the log.

If I connect with the mmc from a remote computer and connect to the eventvwr.msc, this works without problems. The log shows these steps:

Log Time Client IP Source Port Source Network Destination IP Destination Port Destination Network Transport Protocol Action Rule Result Code HTTP Status Code Client Username URL Server Name Log Record Type Original Client IP Client Agent Authenticated Client Service Referring Server Destination Host Name HTTP Method MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Processing Time Bytes Sent Bytes Received Cache Information Error Information
13.12.2005 18:27:32 10.185.6.97 1706 Internal 195.213.41.91 445 Local Host TCP Microsoft CIFS (TCP) Closed Connection Allow access from trusted computers to the Firewall Client installation share on ISA Server 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN   - FWTEMP1 Firewall 10.185.6.97    -  - -    Yes  -    13.12.2005 17:27:32 679015 623302 2594050 0x0 0x0
13.12.2005 18:27:32 10.184.28.156 1723 Internal 195.213.41.91 8080 Local Host TCP Unidentified IP Traffic Closed Connection  0x80074e21 FWX_E_ABORTIVE_SHUTDOWN   - FWTEMP1 Firewall 10.184.28.156    -  - -    Yes  -    13.12.2005 17:27:32 122000 3532 6045 0x0 0x0
13.12.2005 18:27:41 10.185.6.97 3837 Internal 195.213.41.91 445 Local Host TCP Microsoft CIFS (TCP) Initiated Connection Allow access from trusted computers to the Firewall Client installation share on ISA Server 0x0    - FWTEMP1 Firewall 10.185.6.97    -  - -    Yes  -    13.12.2005 17:27:41 0 0 0 0x0 0x0
13.12.2005 18:27:41 10.185.6.97 3838 Internal 195.213.41.91 139 Local Host TCP NetBios Session Initiated Connection Allow remote management from selected computers using MMC 0x0    - FWTEMP1 Firewall 10.185.6.97    -  - -    Yes  -    13.12.2005 17:27:41 0 0 0 0x0 0x0
13.12.2005 18:27:41 10.185.6.97 3838 Internal 195.213.41.91 139 Local Host TCP NetBios Session Closed Connection Allow remote management from selected computers using MMC 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN   - FWTEMP1 Firewall 10.185.6.97    -  - -    Yes  -    13.12.2005 17:27:41 0 88 48 0x0 0x0
13.12.2005 18:27:42 10.185.6.97 8 Internal 195.213.41.91 0 Local Host ICMP Ping Initiated Connection Allow ICMP (PING) requests from selected computers to ISA Server 0x0    - FWTEMP1 Firewall 10.185.6.97    -  - -    No  -    13.12.2005 17:27:42 0 0 0 0x0 0x0
13.12.2005 18:27:43 10.185.6.97 3851 Internal 195.213.41.91 445 Local Host TCP Microsoft CIFS (TCP) Initiated Connection Allow access from trusted computers to the Firewall Client installation share on ISA Server 0x0    - FWTEMP1 Firewall 10.185.6.97    -  - -    Yes  -    13.12.2005 17:27:43 0 0 0 0x0 0x0
13.12.2005 18:27:52 10.185.6.97 3851 Internal 195.213.41.91 445 Local Host TCP Microsoft CIFS (TCP) Closed Connection Allow access from trusted computers to the Firewall Client installation share on ISA Server 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN   - FWTEMP1 Firewall 10.185.6.97    -  - -    Yes  -    13.12.2005 17:27:52 9000 3581 1820 0x0 0x0
13.12.2005 18:28:17 10.185.6.97 3963 Internal 195.213.41.91 445 Local Host TCP Microsoft CIFS (TCP) Initiated Connection Allow access from trusted computers to the Firewall Client installation share on ISA Server 0x0    - FWTEMP1 Firewall 10.185.6.97    -  - -    Yes  -    13.12.2005 17:28:17 0 0 0 0x0 0x0
13.12.2005 18:28:26 10.185.6.97 3963 Internal 195.213.41.91 445 Local Host TCP Microsoft CIFS (TCP) Closed Connection Allow access from trusted computers to the Firewall Client installation share on ISA Server 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN   - FWTEMP1 Firewall 10.185.6.97    -  - -    Yes  -    13.12.2005 17:28:26 9000 4029 2120 0x0 0x0

The mmc does an authentication with the CIFS protocol. Why doesn't the vbscript authenticate it?
Thanks and best regards
Oliver 


(in reply to locholi)
Post #: 6
RE: Eventlog Dump from a server with ISA Standard 2004 SP1 - 14.Dec.2005 12:48:08 AM   
J.F.

 

Posts: 43
Joined: 28.Nov.2005
Status: offline
Hi Oliver:

> 0x80074e24 FWX_E_CONNECTION_KILLED

This is evidence that the DCOM connection is being actively killed by ISA of course...

To confirm that the RPC Filter is the culprit, try temporarily unbinding the RPC Filter from the "RPC (All Interfaces)" protocol (properties of that protocol > Parameters tab > uncheck the box for the application filter binding) or temporarily disabling the entire RPC Filter add-in.  If this permits the connection through, then you can start looking at options.  If the WMI-DCOM still doesn't work, then something else is getting in the way.

Like Jim said, disabling the RPC Filter permanently would be quite a sacrifice; I agree that it would be much better to run the query locally and then ship out the data.  Your SendMail() procedure can also be modified to use TLS (for SMTPS) and a username/password, if necessary, since CDOSYS supports this natively. 

You might also be able to disable the relevant System Policy rule (#2), create a special access rule with a custom RPC protocol which allows the WMI-DCOM from just the box doing the WMI query, and then disable strict RPC checking in that access rule or, if necessary, disable the RPC Filter for the custom RPC protocol used in it -- but, unfortunately, this is what you said in your first post that you tried and that it didn't work...  The fact that this didn't work suggests something else is getting in the way (or that an error was made in the work-around) and it would be interesting to see why it didn't work...

   JF


(in reply to locholi)
Post #: 7
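As an added illustration of the approach JF and Jim recommend (not the poster's script or code from the thread), this VBScript runs locally on the ISA server, so no remote DCOM is needed and the RPC Filter stays bound; it collects Error/Warning events from the last hour via WMI and mails them with CDOSYS over SMTPS with SMTP AUTH. The SMTP host, port, credentials and addresses are placeholders.

```vbscript
Option Explicit
' Added example: local WMI event log query + CDOSYS mail with TLS and AUTH.
Const SMTP_HOST = "smtp.example.invalid"   ' placeholder
Const SMTP_PORT = 465                      ' placeholder (SMTPS)
Const SMTP_USER = "isa-alerts"             ' placeholder
Const SMTP_PASS = "changeme"               ' placeholder
Const MAIL_FROM = "isa@example.invalid"    ' placeholder
Const MAIL_TO   = "ops@example.invalid"    ' placeholder
Const CDO_NS    = "http://schemas.microsoft.com/cdo/configuration/"

Dim objDT, objWMI, colEvents, objEvent, objMsg, strBody, intCount

' Express "one hour ago" in WMI's yyyymmddHHMMSS.ffffff+UUU format.
Set objDT = CreateObject("WbemScripting.SWbemDateTime")
objDT.SetVarDate DateAdd("h", -1, Now), True

' Local namespace: no DCOM across the firewall, so the RPC Filter is untouched.
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colEvents = objWMI.ExecQuery( _
    "SELECT Logfile, TimeGenerated, SourceName, EventCode, Message " & _
    "FROM Win32_NTLogEvent WHERE (Type='Error' OR Type='Warning') " & _
    "AND TimeGenerated > '" & objDT.Value & "'")

strBody = "" : intCount = 0
For Each objEvent In colEvents
    intCount = intCount + 1
    strBody = strBody & objEvent.TimeGenerated & vbTab & objEvent.Logfile & vbTab & _
              objEvent.SourceName & " (" & objEvent.EventCode & ")" & vbCrLf & _
              objEvent.Message & vbCrLf & vbCrLf
Next

' Only send mail when there is something to report.
If intCount > 0 Then
    Set objMsg = CreateObject("CDO.Message")
    With objMsg.Configuration.Fields
        .Item(CDO_NS & "sendusing")        = 2          ' cdoSendUsingPort
        .Item(CDO_NS & "smtpserver")       = SMTP_HOST
        .Item(CDO_NS & "smtpserverport")   = SMTP_PORT
        .Item(CDO_NS & "smtpusessl")       = True       ' TLS to the relay
        .Item(CDO_NS & "smtpauthenticate") = 1          ' cdoBasic (username/password)
        .Item(CDO_NS & "sendusername")     = SMTP_USER
        .Item(CDO_NS & "sendpassword")     = SMTP_PASS
        .Update
    End With
    objMsg.From = MAIL_FROM
    objMsg.To = MAIL_TO
    objMsg.Subject = "ISA eventlog: " & intCount & " error/warning event(s)"
    objMsg.TextBody = strBody
    objMsg.Send
End If
```

Schedule it with the Task Scheduler on the ISA server itself; the only outbound traffic it needs is SMTP to the relay.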
RE: Eventlog Dump from a server with ISA Standard 2004 SP1 - 14.Dec.2005 10:48:16 AM   
locholi

 

Posts: 5
Joined: 5.Dec.2005
Status: offline
Hi JF,
Thanks for your response.
The problem is the RPC filter. As soon as I have deactivated it and restarted the FW services, I can view the event logs remotely.
But if I activate the RPC filter and deactivate the use of the RPC filter in the RPC (all interfaces) protocol, I have the same problem.
This ISA server is very strange, because I can disable the use of the RPC filter (while it is still activated as an add-in) and the filter still blocks the connection.
What can I do in this situation?
Regards
Oliver

(in reply to J.F.)
Post #: 8
RE: Eventlog Dump from a server with ISA Standard 2004 SP1 - 14.Dec.2005 11:06:35 AM   
locholi

 

Posts: 5
Joined: 5.Dec.2005
Status: offline
Hi JF,
I have an update to my last post.
As soon as I deactivate the use of the RPC filter for the "RPC (all interfaces)" protocol, I can read the event logs over a remote connection. The problem before was that I didn't restart the FW services. After restarting the FW services, it works.
Now I am a little unsure. What could happen if I deactivate the use of the RPC filter in the "RPC (all interfaces)" protocol for the other rules which use it?
Could it be possible that some other RPC connections don't work anymore?
Regards
Oli

(in reply to locholi)
Post #: 9
RE: Eventlog Dump from a server with ISA Standard 2004 SP1 - 14.Dec.2005 7:15:51 PM   
J.F.

 

Posts: 43
Joined: 28.Nov.2005
Status: offline
Hi Oliver:

If it works after unbinding the RPC Filter from the "RPC (All Interfaces)" protocol, then that's good news!  Try disabling System Policy rule #2, create an access rule with a custom RPC protocol which allows the WMI-DCOM traffic from just the one box doing the WMI query to the ISA Server, then unbind the RPC Filter from that new custom protocol.  This way, the RPC Filter won't block the WMI-DCOM for your queries but all the other rules using the "RPC (All Interfaces)" protocol can still enjoy the protection of the RPC Filter (since that protocol will still be bound to the filter). 

If you have other management traffic that needs System Policy rule #2, though, you'll need to add other access rules to allow that traffic.  And, if the box from which you're running the WMI queries becomes compromised with an RPC-related worm, then your ISA Server might not be protected from that box anymore, hence, keep that querying box patched and secure.  Jim's recommendation is still the overall best (running the queries locally, etc.), but it sounds like you'd rather not rewrite the script. 

> What could happen if I deactivate the use of the RPC filter in the "RPC (all interfaces)"
> protocol for the other rules which use it? Could it be possible that some other RPC
> connections don't work anymore?

Possible, but more likely that nothing would be blocked.  The bigger issue is that you would lose the benefit of the RPC Filter for this other traffic, which is one of the nicest features of ISA.  That's why a custom protocol and an access rule for just the one IP address of the querying computer would be better (it limits which machines aren't going through the RPC Filter anymore). 

  JF


(in reply to locholi)
Post #: 10
