How do I NOT log Denied entries?

How do I NOT log Denied entries? - 21.Jul.2006 5:35:15 PM   
ahardesty

 

Posts: 34
Joined: 12.Nov.2003
From: Burlington, VT
Status: offline
THE DETAILS:
ISA Server 2004 Enterprise
Dual NICs

All Firewall rules are being logged --- with the last Firewall rule being:

Rule name: HTTP Access
Type: Array Access Policy
Action: Allow
         Log requests matching this rule
Protocols: All outbound Traffic
From: Internal
To: External, Internal
Users: Domain Internet Users
Schedule: Always
Content Types: All content types

All end users are running XP, with their browser (IE) configured to use the ISA as its proxy server.
All users who are allowed Internet Access are a member of the Windows Group: Domain Internet User Group

Since it looks like the browser tries to make an Anonymous connection to the requested site first (12209) before using the authenticated login for that user, I'm getting "dual entries" in my logs -- an example would be:

10.194.80.106, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322), N, 7/21/2006, 11:01:50, w3proxy, ISA2, -, www.oldnavy.com, 10.33.24.21, 8080, 1, 475, 4516, http, TCP, GET, http://www.oldnavy.com/Asset_Archive/ONWeb/content/0000/405/901/assets/footer_sundaysad_off.gif, -, -, 12209, 0x0, HTTP Access, -, Internal, External, 0x880, Denied, 7/21/2006 15:01:50

then followed by the attempt, using the authenticated user account:

10.194.80.106, FAHC\Mxxxxxx, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322), Y, 7/21/2006, 11:01:51, w3proxy, ISA2, -, www.oldnavy.com, 209.18.34.7, 80, 390, 571, 2908, http, TCP, GET, http://www.oldnavy.com/Asset_Archive/ONWeb/content/0000/405/901/assets/footer_sundaysad_off.gif, image/gif, VCache, 304, 0x800000, HTTP Access, -, Internal, External, 0xd80, Allowed, 7/21/2006 15:01:51

thus, creating a "duplicate" entry in the log. (we'll ignore that it's for Shopping!)

THE PROBLEM:
I don't care to log the internal-to-external, non-authenticated-anonymous attempts -- PLUS, a typical daily log for us is just topping 2GB PER DAY.
If I can resolve this, I can cut my log file size by about 50%
 
THE QUESTION:
How can I prevent this specific "anonymous" entry from being logged?  Would I create a Deny rule before my last rule (HTTP Access) and tell the rule to NOT log access from that rule?  If so, how would I identify this "anonymous" user?


Thanks.





_____________________________

A Hardesty
Fletcher Allen Health Care
Burlington, VT
Post #: 1
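
Added example, not part of the original posts: Python that post-processes an exported log offline and separates the anonymous 12209 denials that the same client immediately retried with credentials from everything else, so the share of "duplicate" entries can be measured. The field positions are inferred from the two log lines quoted above; `parse`, `split_paired_denials`, `make_line` and the sample lines are constructed for illustration.

```python
from datetime import datetime, timedelta

# Field positions are inferred from the two log lines quoted in the post
# (30 comma-separated fields); an assumption, not a documented schema.
def parse(line):
    f = line.strip().split(", ")
    return {
        "client": f[0], "user": f[1],
        "time": datetime.strptime(f"{f[4]} {f[5]}", "%m/%d/%Y %H:%M:%S"),
        # A URL may contain ", ", so index the trailing fields from the end.
        "url": ", ".join(f[18:-11]),
        "status": f[-9], "action": f[-2], "raw": line,
    }

def split_paired_denials(lines, window=timedelta(seconds=5)):
    """Return (kept, dropped) for chronologically ordered lines. dropped holds
    anonymous 12209 denials that the same client retried with credentials,
    for the same URL, within `window`. Unpaired denials are kept."""
    entries = [parse(l) for l in lines if l.strip()]
    kept, dropped = [], []
    for i, e in enumerate(entries):
        paired = False
        if (e["user"], e["status"], e["action"]) == ("anonymous", "12209", "Denied"):
            for later in entries[i + 1:]:
                if later["time"] - e["time"] > window:
                    break
                if ((later["client"], later["url"]) == (e["client"], e["url"])
                        and later["user"] != "anonymous" and later["action"] == "Allowed"):
                    paired = True
                    break
        (dropped if paired else kept).append(e["raw"])
    return kept, dropped

# Constructed sample lines in the layout shown in the post (not real log data).
def make_line(user, auth, t, status, action, url="http://www.example.com/a.gif"):
    return (f"192.0.2.10, {user}, Mozilla/4.0 (compatible; MSIE 6.0), {auth}, "
            f"7/21/2006, {t}, w3proxy, ISA2, -, www.example.com, 198.51.100.7, 80, "
            f"1, 475, 4516, http, TCP, GET, {url}, -, -, {status}, 0x0, "
            f"HTTP Access, -, Internal, External, 0x880, {action}, 7/21/2006 15:01:50")

SAMPLE = [
    make_line("anonymous", "N", "11:01:50", "12209", "Denied"),   # retried below
    make_line(r"EXAMPLE\alice", "Y", "11:01:51", "200", "Allowed"),
    make_line("anonymous", "N", "11:02:10", "12209", "Denied",    # never retried
              url="http://www.example.com/b.gif"),
]

if __name__ == "__main__":
    kept, dropped = split_paired_denials(SAMPLE)
    print(f"kept {len(kept)}, dropped {len(dropped)} of {len(SAMPLE)} lines")
```

Anonymous denials with no authenticated retry stay in the kept set, since a client that never manages to authenticate is the entry still worth seeing.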
RE: How do I NOT log Denied entries? - 16.Aug.2006 6:27:56 PM   
eleon

 

Posts: 26
Joined: 18.May.2002
From: Perú
Status: offline
Hi Ahardesty, a few months ago I needed to block some traffic from my reports. Don't know if this is going to help you as it did with me but this (http://forums.isaserver.org/m_2002004371/mpage_1/key_log%2ctraffic%2creports/tm.htm#2002004371) is the link of the answer Tshinder gave me then.

Hope it won't be too late for you!!!

My god!!!  ...just read the question I made then and excuse me everybody who read that!!! ...English is not my mother language and I think I was probably drunk or sleepy when I wrote that hahaha!!!

Enrique León
eleonn@terra.com.pe

(in reply to ahardesty)
Post #: 2
