  1. #1

    Gatt

    ISA Logs - Help Needed

    I have been asked to sift thru our ISA logs to find information on a member of staff's (let's call them Zeus) internet usage and get the following info..

    What sites Zeus has accessed
    When and for how long the site has been accessed
    Exclude "idle" sessions to the website (ie minimised browser, etc)

    I have retrieved the ISA web logs and imported them into Excel and can do a rough filter on the IP and website but need to know how to narrow this down further so we can say:

    Zeus accessed site xxx.yyy.zzz on <date> at <time> for <duration> (hours/minutes) from <ip>

    Anyone know of any good software that can do this, or excel formulae or even ISA itself?

    This is to be compiled on a per day basis for 2 weeks....

    Also - any legal issues to take into account?

    On the plus side - This should make a good case to extend our Smoothie box licences to cover staff PCs now!

  2. #2
    ArchersIT
    I do not believe that it is possible to be certain as to duration from ISA logs (and indeed, most other proxy servers I am aware of). I would strongly suspect that no proxy server could work out how much time the browser was open on a site and minimised for it.

    The issue comes when there is a page request at 12:10 and a second request at 12:15. Did they take 5 minutes to read the page or did they minimise it in between? Even if there is a request every minute, is this an auto refresh script on the page rather than an action?

    We have had similar issues with people needing to be investigated, and it is a very difficult area to be certain about, so I would be very cautious about making the kind of absolute claims you seem to be wanting to make.

    Jonathan

  3. 2 Thanks to ArchersIT:

    Gatt (5th November 2009), tom_newton (5th November 2009)

  4. #3


    tom_newton
    Archers is right - the concept of "time spent browsing" is hazy at best. There are such reports in SmoothWall, yes, but they work in the usual "request window" way - we have no way to tell if someone had the window minimized. The results are only useful as a guideline really.

    Depending on the *type* of site visited - i.e. if it is a public site, and not one requiring sign-on - it may be possible to manually estimate these things. And if it is Facebook or webmail it is possible to look at various "actions" such as profile reads, message sends, etc., but this needs time and effort.

  5. Thanks to tom_newton from:

    Gatt (5th November 2009)

  6. #4

    Gatt
    Thanks folks

    Don't want to go into it too much for obvious reasons but we are talking about certain Social Networks and Shopping sites...

  7. #5
    ArchersIT
    Yes, this is the kind of thing that it normally is. We always restrict our reports to "this person accessed this site at this time" kind of reports. If they want us to manually estimate the duration, we will do, but this is done manually and with several caveats.

    If the person has been asked to only access those sites at certain times (e.g. only at lunch or after school) then the duration is fairly irrelevant anyway. If the person has been told that they can only do it for a certain length of time then it is much more difficult.

    Jonathan

  8. #6


    tom_newton
    Originally posted by Gatt:
    > Thanks folks
    >
    > Don't want to go into it too much for obvious reasons but we are talking about certain Social Networks and Shopping sites...

    I'd say that's doable - you can prove certain "classes" of URL. E.g. a product search on shopping sites, or a revisit of a specific item. How's your Perl?

  9. #7

    Gatt
    Not good but could learn quickly if needs be!

  10. #8
    jsnetman
    I had to do this kind of thing about a year ago. You can do a formula in Excel to estimate how long they have roughly spent on the web, but as mentioned in a previous post it's impossible to be accurate. But it would give a rough idea. You can calculate the time between hits and also only calculate hits within a certain time, i.e. within say 30 seconds, thus indicating that they are probably browsing, but again not accurate. I will dig out the spreadsheet tomorrow and see if I can locate the sum.

  11. Thanks to jsnetman from:

    Gatt (5th November 2009)
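
The gap-threshold estimate described in post #8, as an added example that is not part of the original thread or anyone's spreadsheet. The sample rows are constructed and the column names (`date`, `time`, `client_ip`, `host`) are assumed names for an exported log, not ISA's own field layout; the `periodic` flag goes a step beyond the post to surface the auto-refresh case raised in post #2.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows; column names are assumptions about the export.
SAMPLE = """date,time,client_ip,host
2009-11-02,12:10:00,10.0.0.5,shop.example
2009-11-02,12:10:12,10.0.0.5,shop.example
2009-11-02,12:10:40,10.0.0.5,shop.example
2009-11-02,12:15:40,10.0.0.5,shop.example
2009-11-02,12:15:55,10.0.0.5,shop.example
2009-11-02,13:00:00,10.0.0.5,news.example
2009-11-02,13:01:00,10.0.0.5,news.example
2009-11-02,13:02:00,10.0.0.5,news.example
2009-11-02,13:03:00,10.0.0.5,news.example
2009-11-02,12:11:00,10.0.0.9,shop.example
"""

def summarise(csv_text, client_ip, max_gap=30):
    """Per (date, host): first/last hit, hit count, estimated active seconds."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["client_ip"] != client_ip:
            continue
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        hits[(row["date"], row["host"])].append(ts)

    report = {}
    for key, stamps in hits.items():
        stamps.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        report[key] = {
            "first": stamps[0], "last": stamps[-1], "hits": len(stamps),
            # Only gaps within max_gap count; an idle or minimised page adds nothing.
            "active_seconds": sum(g for g in gaps if g <= max_gap),
            # Three or more identical gaps look like a page auto-refresh
            # rather than a person clicking; flag for manual review.
            "periodic": len(gaps) >= 3 and len(set(gaps)) == 1,
        }
    return report

if __name__ == "__main__":
    for (day, host), r in sorted(summarise(SAMPLE, "10.0.0.5").items()):
        print(day, host, r["first"].time(), r["last"].time(), r["hits"],
              r["active_seconds"], "periodic" if r["periodic"] else "")
```

The figures are a lower-bound guideline only: the result depends entirely on the chosen `max_gap`, and the log cannot show whether a person was looking at the page.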

  12. #9


    tom_newton
    Originally posted by Gatt:
    > Not good but could learn quickly if needs be!

    We can probably help you out - it's certainly the best tool for the job.

  13. Thanks to tom_newton from:

    Gatt (6th November 2009)
