Re: URLScan for IISFrom: Attonbitus Deus (Thor@HAMMEROFGOD.COM)
- Previous message: Michelle Erbeck: "ASP script to parse URLSCAN.log file and add to a database."
- In reply to: Lester, Don: "URLScan for IIS"
- Next in thread: James M. Truxon: "Re: URLScan for IIS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <firstname.lastname@example.org> Date: Fri, 2 Nov 2001 15:41:17 -0800 From: Attonbitus Deus <Thor@HAMMEROFGOD.COM> Subject: Re: URLScan for IIS To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Ok, first of all, if you haven't used this utility yet I think you owe it
> yourself to at least spend some time on a test box and see what it can do.
> It is very easy to install, and the filtering it does could potentially
> you a huge headache in the future
I really like it... I just posted this to another list, and seeing this post
here, though the following applicable:
We like to log server activity such as the IIS and ISA logs to a SQL server
for fast and efficient reporting of the log data. While MS's URLScan is a
great little filter program for IIS, its logging options are minimal. It
basically creates a single file to hold all log records for filtered URLs.
In our shop, it can get pretty big pretty quick, and it is rather difficult
I've created a DTS package that runs nightly on our logging SQL server that
ftp's in the urlscan.log from the servers we want (this way you can leave
IIS running), parses the data into a temp table, and posts only the
preceding day's activity to the warehouse table (run it after midnight). It
really speeds up the review process, and allows you to group by server, date
range, or ip address for incident response.
It has helped us manage the URLScan logs, so I've stuck it on the
http://www.hammerofgod.com site under downloads for anyone interested in
taking a look at it. You've got to make a couple of changes to the DTS
package to work with your servers, so read the readme.
rm -rf /bin/laden