Recently, I made a filter that stores hostnames in web proxy logs (effective for SecureNAT and Firewall clients). It wasn't magic - it was simple (take a look at the source - just a page!). http://rapidshare.com/files/19489306/hostlogger.zip.html
Too good? Why? I am Russian – that is the cause. We like freeware. And we like to develop it too. Mysterious Russian soul - you know... To make sure it's not spyware or something, I can recommend that you compile the source, but ... I guess you're not a programmer. But if you are: get Visual Studio .NET (2003 and above), get the ISA Server 2004 SDK. The Help section (chm) has the text of the registration code. It can be used completely (with a few modifications). But the simplest way – get the sample "web response modifier" from the SDK, replace main.cpp with the one taken from my HostLogger bundle and compile it. The dll will be different (maybe longer), but you will be sure – it's safe. This is the only way, I think.
Tired of seeing IP addresses in your ISA Log's URL column? For Proxy clients that use SecureNAT, and Firewall Clients that cannot use the "automatic configuration" setting, ISA records each URL as an IP address only. LogHostname seamlessly integrates into the ISA 2004/2006 logging facility and shows the complete URL as entered in the client's web browser.
_____________________________
Tarek Majdalani
MS Forefront Edge Security MVP Website : http://www.elmajdal.net Covering ISA Server/TMG, Windows Server 2008 & Windows 7
In fact, to understand why ISA logs IPs instead of hostnames, you need to know how HTTP works. When your browser connects to a proxy, all the tasks of forming the request packet lie upon that proxy. And ISA just logs all that you type in the address field in your browser. When a client connects through NAT (or the Firewall Client software), the browser itself resolves the host name (asks the DNS server) and forms the request packet. The destination of this packet is the IP address of the site. And ISA decides (IMHO) that this information (the IP address of the destination host) is more important than anything else. But if you look inside each HTTP request, you will find the Host field, where the host name resides. The filter just takes this information and stores it instead of the IP address in the prepared target string (the URL field in the logs). Keep in mind, though, that not all requests have a host name in the Host field. But most of them do. Some URLs can be formed by scripts. In this case an IP address is present in the Host field. It's also the case for POST command processing.
Hi Sandy,
Thanks for the clarification!!
I will start referring users that have IP addresses in their reports to your Hostname logger; hopefully they will get the hostnames instead of the IP addresses using your filter.
Regards, Tarek
Seems to be working on ISA 2006. I installed the filter and changed one of my clients (proxy) to SecureNAT. And it still shows the hostnames in the logs! Bravo!
I'll keep you posted if there are any issues. Nice Work!
Not to p155 in anyone's Cheerios, but this sort of mechanism has the potential to DoS the ISA pretty badly.
1. This mechanism depends on reverse-name-lookups, which can take up to two minutes under some circumstances.
2. Anyone who has spent any amount of time actually evaluating Internet name resolution understands that reverse-lookups on the Internet are completely unreliable.
It's an interesting problem space, but not very useful in reality.
Several people are asking about this in comparison to LogHostname (which I know about, since I wrote it).
I didn't look at the source code of the filter from this thread, but I definitely agree that it is a simple thing to build a filter that replaces the IP address in the URL field with the host name. This is why LHN is so inexpensive to license. We try not to charge crazy prices for simple things.
To answer the question: LogHostname features in addition to this, a nice installer program, checking to ensure it isn't a spoofed header, matches Host header to A records, and employs synchronization objects so there's no chance of crashing on highly loaded servers. (Oh and you have someone to call if you need support)
I think it's fantastic any time someone starts coding to the ISA filter API and contributes to the community, and this is a great starting point for a simple filter that pretty much everyone needs. My company sold LogHostname for a couple of years and I don't grumble if an open source solution comes along to supersede it. LHN will still be there for companies that prefer a supported solution.
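
The Host-field substitution described in this thread, combined with the check of the Host header against A records mentioned in the last post, sketched as an added Python example. It is not code from HostLogger or LogHostname; the function names, the injected resolver and the sample zone are assumptions constructed for illustration.

```python
import ipaddress
import re

def host_from_request(raw: bytes):
    """Return the single Host header value (lowercase, port stripped), or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = [line.split(":", 1)[1].strip()
              for line in head.split("\r\n")[1:]          # skip the request line
              if line.lower().startswith("host:")]
    if len(values) != 1:                 # missing or duplicated: do not trust it
        return None
    host = values[0].lower()
    if host.count(":") == 1:             # hostname:port
        host = host.split(":", 1)[0]
    if not re.fullmatch(r"[a-z0-9.-]{1,253}", host):
        return None                      # also keeps stray bytes out of the log
    try:
        ipaddress.ip_address(host)
        return None                      # IP literal: nothing gained over dest_ip
    except ValueError:
        return host

def log_target(raw, dest_ip, resolve_a, cache):
    """Pick the value for the log's URL host: (value, reason).

    resolve_a(name) is a caller-supplied forward (A record) lookup returning
    IP strings; results are cached so each name is resolved once.
    """
    host = host_from_request(raw)
    if host is None:
        return dest_ip, "no-usable-host"
    if host not in cache:
        cache[host] = frozenset(resolve_a(host))
    if dest_ip in cache[host]:
        return host, "verified"
    # The client connected to an address the name does not resolve to:
    # keep the IP so a forged Host header cannot rewrite the log entry.
    return dest_ip, "host-mismatch"

# Constructed sample zone (documentation address ranges) and resolver.
ZONE = {"www.example.com": ["192.0.2.10"], "intranet.example.com": ["192.0.2.20"]}
CALLS = []

def fake_resolve(name):
    CALLS.append(name)
    return ZONE.get(name, [])

def req(host_line):
    """Build a constructed HTTP request containing the given header line."""
    return ("GET /index.html HTTP/1.1\r\n" + host_line + "\r\n\r\n").encode("latin-1")
```

In a real filter the resolver would need its own timeout and cache lifetime, since the lookup sits on the request path.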