ahardesty
Posts: 34
Joined: 12.Nov.2003
From: Burlington, VT
Status: offline
THE DETAILS:

ISA Server 2004 Enterprise, dual NICs. All firewall rules are being logged, with the last firewall rule being:

    Rule name: HTTP Access
    Type: Array Access Policy
    Action: Allow
    Log requests matching this rule
    Protocols: All outbound traffic
    From: Internal
    To: External, Internal
    Users: Domain Internet Users
    Schedule: Always
    Content Types: All content types

All end users are running XP, with their browser (IE) configured to use the ISA as its proxy server. All users who are allowed Internet access are a member of the Windows group: Domain Internet User Group.

Since it looks like the browser tries to make an anonymous connection to the requested site first (12209) before using the authenticated login for that user, I'm getting "dual entries" in my logs. An example would be:

    10.194.80.106, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322), N, 7/21/2006, 11:01:50, w3proxy, ISA2, -, www.oldnavy.com, 10.33.24.21, 8080, 1, 475, 4516, http, TCP, GET, http://www.oldnavy.com/Asset_Archive/ONWeb/content/0000/405/901/assets/footer_sundaysad_off.gif, -, -, 12209, 0x0, HTTP Access, -, Internal, External, 0x880, Denied, 7/21/2006 15:01:50

then followed by the attempt using the authenticated user account:

    10.194.80.106, FAHC\Mxxxxxx, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322), Y, 7/21/2006, 11:01:51, w3proxy, ISA2, -, www.oldnavy.com, 209.18.34.7, 80, 390, 571, 2908, http, TCP, GET, http://www.oldnavy.com/Asset_Archive/ONWeb/content/0000/405/901/assets/footer_sundaysad_off.gif, image/gif, VCache, 304, 0x800000, HTTP Access, -, Internal, External, 0xd80, Allowed, 7/21/2006 15:01:51

thus creating a "duplicate" entry in the log. (We'll ignore that it's for shopping!)

THE PROBLEM:

I don't care to log the internal-to-external, non-authenticated anonymous attempts. PLUS, a typical daily log for us is just topping 2 GB PER DAY. If I can resolve this, I can cut my log file size by about 50%.

THE QUESTION:

How can I prevent this specific "anonymous" entry from being logged? Would I create a Deny rule before my last rule (HTTP Access) and tell the rule to NOT log access from that rule? If so, how would I identify this "anonymous" user?

Thanks.
_____________________________
A Hardesty Fletcher Allen Health Care Burlington, VT
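As an added example, not code from the original thread, Microsoft or ISA Server: the pairing the poster describes (an anonymous 12209 Denied line immediately followed by an authenticated Allowed line for the same client and URL) can be measured offline before any rule is changed. The script below parses lines in the comma-separated layout pasted above, flags the 12209 challenge lines, and drops only those that are actually followed by an authenticated retry within a short window, so a client that is challenged and never authenticates stays visible. The first two sample lines are the poster's own; the other two are constructed here to exercise the edge cases. The field positions, the `", "` separator and the 5-second pairing window are assumptions taken from the pasted sample (a real ISA export may be tab-separated).

```python
"""Classify ISA Server 2004 web-proxy log lines into kept entries, anonymous
12209 challenges that were paired with an authenticated retry, and unpaired
challenges. Example code written for this thread; not from ISA or the poster."""
from datetime import datetime

# Assumption: fields are separated by ", " as in the lines pasted in the post.
SEP = ", "
FIELD_COUNT = 30

# Field positions observed in the two quoted lines (0-based).
CLIENT_IP, USERNAME, AUTHENTICATED = 0, 1, 3
DATE, TIME = 4, 5
URI, RESULT_CODE, ACTION = 18, 21, 28

UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

SAMPLE_LOG = [
    # Line 1: copied from the post (anonymous challenge, Denied 12209).
    "10.194.80.106, anonymous, " + UA + ", N, 7/21/2006, 11:01:50, w3proxy, ISA2, -, "
    "www.oldnavy.com, 10.33.24.21, 8080, 1, 475, 4516, http, TCP, GET, "
    "http://www.oldnavy.com/Asset_Archive/ONWeb/content/0000/405/901/assets/footer_sundaysad_off.gif, "
    "-, -, 12209, 0x0, HTTP Access, -, Internal, External, 0x880, Denied, 7/21/2006 15:01:50",
    # Line 2: copied from the post (authenticated retry, Allowed).
    "10.194.80.106, FAHC\\Mxxxxxx, " + UA + ", Y, 7/21/2006, 11:01:51, w3proxy, ISA2, -, "
    "www.oldnavy.com, 209.18.34.7, 80, 390, 571, 2908, http, TCP, GET, "
    "http://www.oldnavy.com/Asset_Archive/ONWeb/content/0000/405/901/assets/footer_sundaysad_off.gif, "
    "image/gif, VCache, 304, 0x800000, HTTP Access, -, Internal, External, 0xd80, Allowed, 7/21/2006 15:01:51",
    # Line 3: constructed. Authenticated request with no preceding challenge.
    "10.194.80.110, FAHC\\Jxxxxxx, " + UA + ", Y, 7/21/2006, 11:01:52, w3proxy, ISA2, -, "
    "www.example.com, 192.0.2.10, 80, 120, 640, 5120, http, TCP, GET, "
    "http://www.example.com/index.html, text/html, Internet, 200, 0x0, HTTP Access, -, "
    "Internal, External, 0x0, Allowed, 7/21/2006 15:01:52",
    # Line 4: constructed. Challenge that is never followed by an authenticated retry.
    "10.194.80.120, anonymous, " + UA + ", N, 7/21/2006, 11:01:53, w3proxy, ISA2, -, "
    "www.example.com, 10.33.24.21, 8080, 1, 410, 4516, http, TCP, GET, "
    "http://www.example.com/login, -, -, 12209, 0x0, HTTP Access, -, Internal, External, "
    "0x880, Denied, 7/21/2006 15:01:53",
]


def parse(line):
    """Split one log line into fields; return None if the field count is wrong."""
    fields = line.rstrip("\r\n").split(SEP)
    return fields if len(fields) == FIELD_COUNT else None


def is_auth_challenge(fields):
    """True for the anonymous, unauthenticated 12209 Denied entry described in the post."""
    return (fields[USERNAME] == "anonymous" and fields[AUTHENTICATED] == "N"
            and fields[RESULT_CODE] == "12209" and fields[ACTION] == "Denied")


def timestamp(fields):
    return datetime.strptime(fields[DATE] + " " + fields[TIME], "%m/%d/%Y %H:%M:%S")


def split_challenges(lines, window_seconds=5):
    """Return (kept, paired, unpaired) lists of lines. A challenge is 'paired' when the
    same client IP fetches the same URI authenticated within window_seconds after it.
    Assumes the log is in chronological order, as ISA writes it."""
    records = [r for r in (parse(l) for l in lines) if r is not None]
    kept, paired, unpaired = [], [], []
    for i, rec in enumerate(records):
        if not is_auth_challenge(rec):
            kept.append(SEP.join(rec))
            continue
        t0 = timestamp(rec)
        matched = False
        for later in records[i + 1:]:
            if (timestamp(later) - t0).total_seconds() > window_seconds:
                break  # chronological order: nothing further can be within the window
            if (later[CLIENT_IP] == rec[CLIENT_IP] and later[URI] == rec[URI]
                    and later[AUTHENTICATED] == "Y"):
                matched = True
                break
        (paired if matched else unpaired).append(SEP.join(rec))
    return kept, paired, unpaired


def bytes_saved(lines):
    """Bytes that would disappear if only the paired challenge lines were not logged."""
    _, paired, _ = split_challenges(lines)
    return sum(len(l) for l in paired)


if __name__ == "__main__":
    kept, paired, unpaired = split_challenges(SAMPLE_LOG)
    total = sum(len(l) for l in SAMPLE_LOG)
    print(f"kept={len(kept)} paired={len(paired)} unpaired={len(unpaired)} "
          f"saving={bytes_saved(SAMPLE_LOG)}/{total} bytes")
```

Run it over a day's export instead of `SAMPLE_LOG` to see how close to the poster's estimated 50% the paired challenges really come; the `unpaired` list is the part worth reading before suppressing anything, since it shows clients that hit the proxy without ever authenticating.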