URLScan Logging

From: Thor@HammerofGod.com
Date: 11/03/01


From: Thor@HammerofGod.com
To: FOCUS-MS@SECURITYFOCUS.COM
Message-ID: <029401c163f4$139c1250$af05a8c0@anchorsign.com>
Subject: URLScan Logging
Date: Fri, 2 Nov 2001 15:14:03 -0800

Greetings:

We like to log server activity such as the IIS and ISA logs to a SQL server
for fast and efficient reporting of the log data. While MS's URLScan is a
great little filter program for IIS, its logging options are minimal. It
basically creates a single file to hold all log records for filtered URLs.
In our shop, it can get pretty big pretty quick, and it is rather difficult
to review.

I've created a DTS package that runs nightly on our logging SQL server that
ftp's in the urlscan.log from the servers we want (this way you can leave
IIS running), parses the data into a temp table, and posts only the
preceding day's activity to the warehouse table (run it after midnight). It
really speeds up the review process, and allows you to group by server, date
range, or IP address for incident response.

It has helped us manage the URLScan logs, so I've stuck it on the
http://www.hammerofgod.com site under downloads for anyone interested in
taking a look at it. You've got to make a couple of changes to the DTS
package to work with your servers, so read the readme.

Later.
---------------------------------
Attonbitus Deus
rm -rf /bin/laden
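
Added example, not part of the original message and not the DTS package it describes: a minimal sketch of the same nightly flow (parse into a staging table, post only the preceding day's records, group by IP). It uses Python's sqlite3 as a stand-in for SQL Server. The log line layout, server names and addresses are assumptions constructed for illustration.

```python
import re
import sqlite3
from datetime import date, datetime, timedelta

# Assumed record layout (constructed for this example; adapt to your urlscan.log):
#   [MM-DD-YYYY - HH:MM:SS] Client at <ip>: <reason> Raw URL='<url>'
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}-\d{2}-\d{4} - \d{2}:\d{2}:\d{2})\] Client at (?P<ip>[0-9.]+): "
    r"(?P<reason>.*?)\s*Raw URL='(?P<url>.*)'\s*$")

# Constructed sample logs keyed by hypothetical server name (documentation IP ranges).
SAMPLE_LOGS = {
    "web01": [
        "---- log initialized ----",  # non-record line, must be skipped
        "[11-01-2001 - 23:59:58] Client at 192.0.2.10: Extension not allowed. Raw URL='/a.ida'",
        "[11-02-2001 - 00:00:01] Client at 192.0.2.10: Extension not allowed. Raw URL='/a.ida'",
        "[11-02-2001 - 14:12:40] Client at 198.51.100.7: Verb not allowed. Raw URL='/'",
    ],
    "web02": [
        "[11-02-2001 - 09:30:15] Client at 192.0.2.10: Extension not allowed. Raw URL='/b.htr'",
        "[11-03-2001 - 00:00:05] Client at 203.0.113.5: Verb not allowed. Raw URL='/'",
    ],
}

def parse_line(server, line):
    """Return (server, iso_timestamp, ip, reason, url), or None for non-record lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m-%d-%Y - %H:%M:%S")
    return (server, ts.isoformat(sep=" "), m["ip"], m["reason"], m["url"])

def load_previous_day(conn, logs, today):
    """Stage all parsed records, then post only the preceding day's rows."""
    conn.execute("CREATE TEMP TABLE IF NOT EXISTS staging (server, ts, ip, reason, url)")
    conn.execute("CREATE TABLE IF NOT EXISTS urlscan_log (server, ts, ip, reason, url)")
    conn.execute("DELETE FROM staging")
    rows = [r for s, lines in logs.items() for l in lines if (r := parse_line(s, l))]
    conn.executemany("INSERT INTO staging VALUES (?, ?, ?, ?, ?)", rows)
    day = (today - timedelta(days=1)).isoformat()
    # Clear that day first so a rerun of the job does not duplicate rows.
    conn.execute("DELETE FROM urlscan_log WHERE date(ts) = ?", (day,))
    conn.execute("INSERT INTO urlscan_log SELECT * FROM staging WHERE date(ts) = ?", (day,))
    conn.commit()
    q = "SELECT COUNT(*) FROM urlscan_log WHERE date(ts) = ?"
    return conn.execute(q, (day,)).fetchone()[0]

def hits_by_ip(conn):
    """Rejected-request counts per client IP, busiest first."""
    q = "SELECT ip, COUNT(*) FROM urlscan_log GROUP BY ip ORDER BY COUNT(*) DESC, ip"
    return conn.execute(q).fetchall()

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print(load_previous_day(db, SAMPLE_LOGS, date(2001, 11, 3)), hits_by_ip(db))
```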