ISA Logs - Help Needed

[Gatt]

I have been asked to sift thru our ISA logs to find information on a member of staff's (lets call them Zeus) internet usage and get the following info..

What sites Zeus has access
When and for how long the site has been accessed
Exclude "idle" sessions to the website (ie minimised browser, etc)

I have retrieved the ISA web logs and imported them into Excel and can do a rough filter on the IP and website but need to know how to narrow this down further so we can say:

Zeus accessed site xxx.yyy.zzz on <date> at <time> for <duration> (hours/minutes) from <ip>

Anyone know of any good softawre that can do this, or excel formulae or even ISA itself?

This is to be compiled on a per day basis for 2 weeks....

Also - any legal issues to take into account?

On the plus side - This should make a good case to extend our Smoothie box licences to cover staff PC's now!

[ArchersIT]

I do not beleive that it is possible to be certain as to duration from ISA logs (and indeed, most other proxy servers I am aware of). I would strongly suspect that no proxy server could work out how much time the browser was open on a site and minimised for it.

The issue comes when there is a page request at 12:10 and a second request at 12:15. Did they take 5 minutes to read the page or did they minimise it imbetween? Even if there is a request every minute, is this an auto refresh script on the page rather than an action?

When we have had similar issues with people needing to be investigated and it is a very difficult area to be certain about so I would be very cautious about making the kind of absoloute claims you seem to be wanting to do.

Jonathan

[tom_newton]

Archers is right - the concept of "time spent browsing" is hazy at best. There are such reports in SmoothWall, yes, but they work in the usual "request window" way - we have no way to tell if someone had the window minimized. The results are only useful as a guideline really.

Depending on the *type* of site visited - ie if it is a public site, and not one requiring signon, it may be possible to manually estimate these things. And if it is facebook or webmail it is possible to look at various "actions" such as profile reads, message sends, etc. but this needs time and effort.

[Gatt]

Thanks folks

Dont want to go into it too much for obvious reasons but we are talking about certain Social Networks and Shopping sites...

[ArchersIT]

Yes, this is the kind of thing that it normally is. We always restrict our reports to "this person accessed this site at this time" kind of reports. If they want us to manually estimate the duration, we will do, but this is done manually and with several caveats.

If the person has been asked to only access those sites at certain times (e.g. only at lunch or after school) then the duration is fairly irrelevant anyway. If the person has been told that they can only do it for a certain length of time then it is much more difficult.

Jonathan

[tom_newton]

Thanks folks

Dont want to go into it too much for obvious reasons but we are talking about certain Social Networks and Shopping sites...

I'd say that's doable - you can prove certain "classes" of URL. Eg a product search on shopping sites, or a revisit of a specific item. How's your Perl?

[Gatt]

Not good but could learn quickly if needs be!

[jsnetman]

I had to do this kind of thing about a year ago, you can do a formula in excel to estimate how long they have roughly spent on the web, but as mentioned in previous post it's impossible to be accurate. But it would give a rough idea. You can calculate the time between hits and also only calculate hits within a certain time i.e. within say 30 seconds, thus indicating that they are probably browsing, but again not accurate. i will dig out the spreadsheet tomorrow and see if I can locate the sum.

[tom_newton]

Not good but could learn quickly if needs be!

We can probably help you out - it's certainly the best tool for the job.