On Tue, 16 Dec 2003, Jason Haar wrote:

> > We have created a tool that is directly integrated into IIS (ISAPI
> > filter). It emits log data via syslog when IIS reaches certain points of
> > its internal processing (e.g. begin and end of http request).
>
> Why do you output to syslog? Such a debugging application typically
> outputs to a logfile - no?
>

the IIS "logging improver" isn't primarily designed for debugging. it's designed for intrusion detection and system monitoring.

the situation we specifically had in mind is the one in which an IIS attack (for instance, the printer ISAPI buffer overflow used by code red) is launched through a web connection. the IIS server starts the connection and then gets hacked, and never makes it to the point in its workflow at which it writes its log into the access log file.

if rainer's done what i assume he's done (ie. what we talked about last year) (where the hell did that year go?), this application enables the ability to write a logfile entry at various points of the IIS workflow to improve an administrator's ability to monitor the server at critical points.

of course, this would be very useful for a programmer too, but alas programmers have never been my main audience. me and my ol' sys admin bias...

Rainer, did that article we were working on ever get posted anywhere?

tbird

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
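The monitoring idea in the message above, as an added example that is not part of the original thread or of the tool it discusses: pair "begin" and "end" syslog events per request and report requests that started but never reached the end of processing. The `iisfilter` tag, the `event=`/`id=`/`client=`/`uri=` fields and the sample lines are assumptions constructed for illustration, not the tool's real output format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines; the tag and key=value layout are an assumed
# format, not the real output of the tool discussed in the thread.
SAMPLE = """\
Dec 15 22:01:07 web01 iisfilter: event=begin id=1041 client=192.0.2.10 uri=/default.htm
Dec 15 22:01:07 web01 iisfilter: event=end id=1041 status=200
Dec 15 22:01:09 web01 iisfilter: event=begin id=1042 client=192.0.2.77 uri=/a.printer
Dec 15 22:01:12 web01 iisfilter: event=begin id=1043 client=192.0.2.10 uri=/images/logo.gif
Dec 15 22:01:12 web01 iisfilter: event=end id=1043 status=200
Dec 15 22:01:40 web01 iisfilter: event=begin id=1044 client=192.0.2.10 uri=/news.htm
""".splitlines()

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) iisfilter: (.*)$")

def parse(line, year=2003):
    """Return (timestamp, host, fields), or None if the line does not match."""
    m = LINE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return ts, m.group(2), fields

def unfinished_requests(lines, now, grace=timedelta(seconds=30)):
    """Begin events that have had no matching end for at least `grace`."""
    open_reqs = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None or "id" not in parsed[2]:
            continue
        ts, host, f = parsed
        key = (host, f["id"])
        if f.get("event") == "begin":
            open_reqs[key] = (ts, f.get("client"), f.get("uri"))
        elif f.get("event") == "end":
            open_reqs.pop(key, None)  # request completed normally
    return [(host, rid, *info) for (host, rid), info in sorted(open_reqs.items())
            if now - info[0] >= grace]

if __name__ == "__main__":
    now = datetime(2003, 12, 15, 22, 1, 45)
    for host, rid, ts, client, uri in unfinished_requests(SAMPLE, now):
        print(f"{ts} {host} request {rid} from {client} for {uri} never completed")
```

The grace period keeps requests that are still in flight from being reported; a begin event that stays unmatched past it is the case the access log file alone would never show.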
This archive was generated by hypermail 2b30 : Mon Dec 15 2003 - 22:22:19 PST