Thu, Jan 27 2005 0:33
So have you read your log files today?
You heard me. Have you looked at your log files today? Today I was looking at the log files of a SBS box and in looking at the Security Log files, the IIS log files we found we were missing one key element. The firewall log files. Today I was looking at a security log file with a bunch of event 529 codes which indicate bad login [more security code analysis here] we had one big problem. We didn't have the firewall log files to then make the connection between the Security log files and the IIS log files and compare the patterns. There was a pattern of 529 codes and then a patter of 680 codes. Furthermore the error code was
||An incorrect password was supplied which means there was indeed an incorrect password given.|
Product: Windows Operating System
Symbolic Name: SE_AUDITID_ACCOUNT_LOGON
Message: Logon attempt by: %1
Logon account: %2
Source Workstation: %3
Error Code: %4
Furthermore in the firewall logs you should be able to see exactly what IP address they are coming in from.
Unfortunately we don't have that. We do have the IIS log files that we can do a bit of analysis on but it may not be a bad idea to review what the IIS is logging as default and what we may want to kick up. The default of the SBS IIS logging looks like this:
Now that we've reviewed that .. do we know where the IIS log files end up?
In that location and in that naming sequence.
So where's the log files on SBS standard if you use a two nic setup for it's firewall? Hmmm...good question.. I'm not really sure myself. Okay looks like it's here: C:\WINDOWS\system32\LogFiles but I can't tell if there is logging enabled? I think I may ask around.. I know that we get a RRAS report of the firewall use, but not sure where the data get stored for long term analysis.
For SBS 2003 Premium, you must make sure that you set up the monitoring in ISA to view the log files [soon to be ISA 2004] and I'll admit that I use Excel many times for that log file but you can use the tools at isatools.org
So on your firewall, whereever it is. Have you looked at YOUR log files lately? Are they as tweaked as they can be?
Filed under: Security, ISA Server