Lesson 1 Configuring Alerts
The ISA Server alert service is responsible for capturing events, checking whether certain conditions are met, and taking appropriate action. You can use ISA Management to view the full list of events supplied with ISA Server and to configure which actions should be triggered when any of these events occur.
After this lesson, you will be able to
View ISA Server events in Event Viewer
View ISA Server alerts in ISA Management
Configure an alert condition, location, threshold, and action
Estimated lesson time: 35 minutes
Preconfigured Alerts
By default, ISA Server includes 45 alerts, 39 of which are enabled. You can view this list of alerts in ISA Management by selecting the Alerts folder in the Monitoring Configuration node, as shown in Figure 9.1.

Figure 9.1 Preconfigured alerts in ISA Server
Follow these steps to enable an alert:
In the console tree of ISA Management, expand the Monitoring Configuration node and click the Alerts folder.
In the details pane, right-click the appropriate alert, and then click Enable.
Each alert specifies an event. Every enabled alert is configured by default to report the specified event to the Windows 2000 Event Log. These events can be seen in Event Viewer's Application Log. Figure 9.2 shows sample ISA Server events visible in the Windows 2000 Event Log.
You can also view ISA Server events in the Alerts folder of the Monitoring node in ISA Management. However, that view shows only the first occurrence of each event since the previous shutdown, not every occurrence. For complete information about ISA Server events, use Event Viewer.

Figure 9.2 ISA Server alerts in Event Viewer
You can create a new alert or modify any of the pre-existing alerts. New alerts are created by using the New Alert wizard.
Follow these steps to create an alert:
In the console tree of ISA Management, expand the Monitoring Configuration node.
Right-click the Alerts folder, point to New, and then click Alert.
When the New Alert wizard opens, follow the on-screen instructions.
Alert Conditions
New alerts are based on existing events, but they normally include an additional, more specific condition that must be met. For example, the preconfigured Domain Name System (DNS) Intrusion alert has the Any DNS Intrusion condition specified as the additional condition, so it is triggered by every kind of DNS attack that ISA Server detects. However, you can create an alert called Hostname Overflow based on the same DNS Intrusion event. To create this alert, you select DNS Intrusion as the alert event and select Hostname Overflow as the additional condition, as shown in Figure 9.3.
You can also modify the alert condition of any preconfigured alert.

Figure 9.3 Creating a Hostname Overflow alert
Follow these steps to modify an alert condition:
In the console tree of ISA Management, expand the Monitoring Configuration node and click the Alerts folder.
In the details pane, right-click the applicable alert and then click Properties.
On the Events tab,
In the Event drop-down list box, click the event that triggers the alert.
If the event needs an additional key, in the Additional Condition drop-down list box, click the condition.
In the By Server drop-down list box, click the server in the array for which the alert should be triggered or leave it at the default of <Any> if it should apply to all array members.
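To make the difference between the Any DNS Intrusion condition and a single additional condition such as Hostname Overflow concrete, here is an added example (not ISA Server code, and not part of this training kit) that classifies a DNS query by the four conditions Table 9.1 lists for the DNS Intrusion event. The rules ISA Server's DNS filter actually applies are not described on this page, so the definitions below are assumptions: a label length byte that exceeds the 63-octet label limit counts as Hostname Overflow, a whole name longer than 255 octets as Length Overflow, and an AXFR or IXFR request as Zone Transfer or, when it arrives from a source port above 1024, Zone High Port. The function names (parse_qname, classify, build_query) and the sample packets that build_query constructs are this example's own.

```python
"""Classify a DNS query payload by the DNS Intrusion additional conditions.

Constructed example; the condition definitions are assumptions, not ISA Server's rules.
"""
import struct

QTYPE_IXFR, QTYPE_AXFR = 251, 252
MAX_LABEL, MAX_NAME = 63, 255   # RFC 1035 limits for one label and a whole name


class HostnameOverflow(ValueError):
    """A label length byte that claims more than the 63-octet label limit."""


def parse_qname(packet: bytes, offset: int):
    """Decode the question name starting at offset; return (labels, offset after the name)."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if (length & 0xC0) == 0xC0:          # compression pointer: never valid in a question
            raise ValueError("compression pointer in question name")
        if length > MAX_LABEL:               # top bits 01 or 10: no label can be this long
            raise HostnameOverflow(length)
        labels.append(packet[offset:offset + length])
        offset += length


def classify(packet: bytes, src_port: int):
    """Return the DNS Intrusion conditions matched by one UDP DNS query payload."""
    if len(packet) < 12:
        return ["Malformed"]
    qdcount = struct.unpack("!H", packet[4:6])[0]
    conditions = []
    if qdcount == 0:
        return conditions
    try:
        labels, off = parse_qname(packet, 12)
    except HostnameOverflow:
        return ["Hostname Overflow"]
    except ValueError:
        return ["Malformed"]
    # Wire length of the name: one length byte per label plus the terminating zero.
    if sum(len(label) + 1 for label in labels) + 1 > MAX_NAME:
        conditions.append("Length Overflow")
    if off + 4 > len(packet):
        return conditions + ["Malformed"]
    qtype = struct.unpack("!H", packet[off:off + 2])[0]
    if qtype in (QTYPE_AXFR, QTYPE_IXFR):
        # Assumed split: privileged source port -> Zone Transfer, port above 1024 -> Zone High Port.
        conditions.append("Zone High Port" if src_port > 1024 else "Zone Transfer")
    return conditions


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query for the constructed samples below (no real traffic involved)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # standard query, one question
    return header + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    # Constructed sample packets, one per condition.
    samples = [
        ("normal lookup from port 53", build_query("www.example.com"), 53),
        ("100-octet label", build_query("x" * 100 + ".example.com"), 53),
        ("306-octet name", build_query(".".join(["a" * 60] * 5)), 53),
        ("AXFR from port 53", build_query("example.com", QTYPE_AXFR), 53),
        ("AXFR from port 40000", build_query("example.com", QTYPE_AXFR), 40000),
    ]
    for label, packet, port in samples:
        print(f"{label:28s} -> {classify(packet, port)}")
```

An alert whose additional condition is Any DNS Intrusion corresponds to treating any non-empty result from classify as a hit; the more specific Hostname Overflow alert corresponds to matching only that one string.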
Event Location
You can also configure a new alert that includes the same event and additional condition as one of the pre-existing alerts, but that limits the detection of the event to a particular server in the array. The computer on which an event is detected is known as the event location. All pre-existing alerts by default specify the event location as any server in the array. However, you can always reconfigure the event location of an alert as one particular server, so that the alert will trigger only when the event occurs on the server you choose.
Event Thresholds
Once an alert is configured, you can modify the alert by specifying the following thresholds, which determine when the alert action should be performed:
How many times per second the event should occur before issuing an alert (also called the event frequency threshold)
How many events should occur before the alert is issued
How long to wait before issuing the alert again
You can modify the threshold on the Events tab of an alert's Properties dialog box, as shown in Figure 9.4.

Figure 9.4 Modifying thresholds
Follow these steps to configure an alert threshold:
In the console tree of ISA Management, expand the Monitoring Configuration node and click the Alerts folder.
In the details pane, right-click the applicable alert, and then click Properties.
On the Events tab, select the Number Of Occurrences Before The Alert Is Issued check box, and type how many events should occur before the alert is issued.
Select the Number Of Events Per Second Before The Alert Is Issued check box, and type how many events should occur per second before the alert is issued.
Select one of the following options:
If the alert should be reissued immediately if the event recurs, click the Immediately radio button.
If the alert should be reissued only after the alert is reset, click the After Manual Reset Of Alert radio button.
If the alert should be reissued after a specified amount of time, click the If Time Since Last Execution Is More Than <number> Minutes radio button, and then type the number of minutes that should elapse before the action should be performed again.
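The three thresholds interact, and the page does not spell out how. The following added example (not ISA Server code, and not part of this training kit) models them as a small state machine so you can see exactly when the action runs for a given stream of events. Two behaviours are assumptions: when both the per-second and the occurrence thresholds are enabled, both must be satisfied before the action runs, and the per-second rate is measured over the most recent one-second window. The class and function names (AlertThresholds, Alert, run) and the event times fed through them are constructed for this example.

```python
"""Model of the ISA Server alert thresholds described in this lesson.

Constructed example; the way the two count thresholds combine is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Re-issue policies from the Events tab of the alert's Properties dialog box.
IMMEDIATELY = "immediately"
AFTER_MANUAL_RESET = "after_manual_reset"
AFTER_MINUTES = "if_time_since_last_execution_is_more_than"


@dataclass
class AlertThresholds:
    occurrences: Optional[int] = None        # Number Of Occurrences Before The Alert Is Issued
    events_per_second: Optional[int] = None  # Number Of Events Per Second Before The Alert Is Issued
    reissue: str = IMMEDIATELY               # one of the three policies above
    reissue_minutes: int = 0                 # used only with AFTER_MINUTES


@dataclass
class Alert:
    name: str
    thresholds: AlertThresholds = field(default_factory=AlertThresholds)
    actions: List[float] = field(default_factory=list)    # times at which the action ran
    _count: int = 0                                       # occurrences since the action last ran
    _window: List[float] = field(default_factory=list)    # event times within the last second
    _last_action: Optional[float] = None
    _armed: bool = True                                   # cleared by AFTER_MANUAL_RESET until reset()

    def reset(self) -> None:
        """The manual reset performed in the Alerts folder of the Monitoring node."""
        self._armed = True
        self._count = 0
        self._window.clear()

    def event(self, t: float) -> bool:
        """Record one occurrence of the alert's event at time t (seconds).
        Returns True if the alert action was performed."""
        th = self.thresholds
        self._count += 1
        self._window = [x for x in self._window if t - x < 1.0] + [t]
        if th.occurrences is not None and self._count < th.occurrences:
            return False
        if th.events_per_second is not None and len(self._window) < th.events_per_second:
            return False
        if self._suppressed(t):
            return False
        self.actions.append(t)
        self._last_action = t
        self._count = 0
        self._window.clear()
        if th.reissue == AFTER_MANUAL_RESET:
            self._armed = False
        return True

    def _suppressed(self, t: float) -> bool:
        """Apply the re-issue policy chosen on the Events tab."""
        th = self.thresholds
        if self._last_action is None or th.reissue == IMMEDIATELY:
            return False
        if th.reissue == AFTER_MANUAL_RESET:
            return not self._armed
        return t - self._last_action < th.reissue_minutes * 60


def run(thresholds: AlertThresholds, times: List[float], reset_at=()) -> List[float]:
    """Feed constructed event times through one alert; return the times its action ran."""
    alert = Alert("Intrusion detected", thresholds)
    for t in times:
        if t in reset_at:
            alert.reset()
        alert.event(t)
    return alert.actions


if __name__ == "__main__":
    # Constructed scenario: three bursts of five events, at t=0, t=10 and t=61 seconds.
    bursts = [0.0, 0.1, 0.2, 0.3, 0.4, 10.0, 10.1, 10.2, 10.3, 10.4, 61.0, 61.1, 61.2, 61.3, 61.4]
    policy = AlertThresholds(events_per_second=5, reissue=AFTER_MINUTES, reissue_minutes=1)
    print(run(policy, bursts))   # the second burst is suppressed: it falls within the minute
```

With the default thresholds every occurrence runs the action, which is why a noisy event such as IP packet dropped is worth rate-limiting before you attach an e-mail or run-program action to it.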
Alert Action
You can set one or more of the following actions to be performed when an alert condition is met:
Send an e-mail message.
Run a specific program.
Log the event in the Windows 2000 Event Log.
Stop or start any ISA Server service: Firewall service, Web Proxy service, or Scheduled Content Download service.
When you configure an alert to run a specific program, you also specify the credentials under which the program is executed. Be sure that the specified user has the Log On As A Batch Job user right; use Local Security Policy to assign user rights. Because the program runs with that account's privileges every time the alert fires, use a dedicated account that has only the rights the program needs, and make sure the program and the directory that contains it can be modified only by administrators. The path specified for the command must exist on all servers in the array. Use environment variables (such as %SystemDrive%) in the path so that the program is found even if its location differs from one array member to the next.
You can set an alert action either when you run the New Alert wizard or when you modify the settings on the Actions tab of the alert's Properties dialog box, as shown in Figure 9.5.

Figure 9.5 Configuring an alert action
Follow these steps to modify an alert action:
In the console tree of ISA Management, expand the Monitoring Configuration node and click the Alerts folder.
In the details pane, right-click the applicable alert, and then click Properties.
On the Actions tab,
To send an e-mail when the alert condition occurs, click the Send E-mail check box, and then type the name of the Simple Mail Transfer Protocol (SMTP) server, recipient, and sender.
To run an application when the alert condition occurs, click the Program check box, and then type the command to run at a command prompt and the account from which to run the program.
To log the event, click the Report To Windows 2000 Event Log check box.
To stop ISA Server services, click the Stop Selected Services check box, and then click the Select button to select which ISA Server services to stop when the alert condition occurs.
To start ISA Server services, click the Start Selected Services check box, and then click the Select button to select which services to start when the alert condition occurs.
If you configure an e-mail action to use an external SMTP server, you must create a static packet filter that allows the SMTP protocol (TCP port 25) outbound from the ISA Server computer to that server; without it the e-mail action fails.
ISA Server Events
Table 9.1 lists the events and, where relevant, additional keys that are defined by ISA Server. When you create an alert, you specify one of the following events that triggers the alert.
Table 9.1 ISA Server Events
Event | Description |
---|---|
Alert action failure | The action associated with this alert failed. |
Asymmetric installation | A component that was configured for the array is missing on this server. <%user friendly component identification%> |
Cache container initialization error | The cache container initialization failed and the container was ignored. |
Cache container recovery complete | The recovery of a single container was completed. |
Cache file resize failure | There was a failure to reduce the cache file size. |
Cache initialization failure | The Web cache proxy was disabled because of global failure. |
Cache recovery completed | The cache content recovery was completed. |
Cache write error | There was a failure to write cached content to the cache. |
Cached object ignored | During cache recovery, an object with conflicting information was detected. The object was ignored. |
Client/server communication failure | Communication between the Firewall client and the Firewall service of ISA Server failed. |
Component load failure | There was a failure to load an extension component. <%module name%> |
Configuration error | The ISA Server configuration is invalid <%storage path%>. |
Dial on demand failure | There was a failure to create a dial-on-demand connection, because there is no answer or the line is busy. |
DNS Intrusion | A host name overflow, length overflow, zone high port, or zone transfer attack occurred. |
Event logging failure | There was a failure to log the event information to the system event log. |
Failed to retrieve object | The object <URL> could not be loaded. <error> |
Intra-array credentials | The intra-array credentials were incorrect. |
Intrusion detected | An external user attempted an intrusion attack. |
Invalid dial-on-demand credentials | Invalid dial-on-demand credentials were detected. |
Invalid ODBC log credentials | The specified user name or password for this Open Database Connectivity (ODBC) database is invalid. |
IP packet dropped | An Internet Protocol (IP) packet that is not allowed by the policy was dropped. |
IP Protocol violation | A packet with invalid IP options was detected and dropped. |
IP Spoofing | The IP packet source address is not valid. |
Log failure | <service name> log failed. |
Network configuration changed | A network configuration change that affects ISA Server was detected. |
OS component conflict | There is a conflict with one of the operating system components: NAT editor, ICS, or Routing and Remote Access. |
Oversize UDP packet | ISA Server dropped a User Datagram Protocol (UDP) packet because it exceeded maximum size, as specified in the registry key. |
POP Intrusion | ISA Server detected a Post Office Protocol (POP) buffer overflow. |
Report Summary Generation Failure | ISA Server received an error while generating a report summary from log files. |
Resource allocation failure | There was a resource allocation failure, for example, the system ran out of memory. |
RPC filter - server connectivity changed | The connectivity to the publishing RPC service <server name> changed. <additional key> |
Server Publishing Failure | The server publishing rule cannot be applied. |
Service Initialization failure | There was a service initialization failure. |
Service not responding | An ISA Server service terminated or stopped functioning unexpectedly. |
Service shutdown | A service stopped properly. <%service name%> |
Service started | A service started properly. <%service name%> |
SMTP Filter Event | An SMTP filter event occurred. |
SOCKS configuration failure | The port specified in SOCKS properties is in use by another protocol. |
SOCKS request was refused | A SOCKS request was refused due to policy violation. |
The server is out of array's site | All members of the array must be in the same site, but this server is in a different site. |
Unregistered event | An unregistered event was raised. The event internal ID is %1. |
Upstream chaining credentials | The upstream chaining credentials are incorrect. |
Web Proxy routing failure | The Web Proxy service of ISA Server failed to route the request to an upstream proxy server. |
Web Proxy routing recovery | Web Proxy resumed routing to an upstream proxy server. |
WMT live stream splitting failure | The streaming application filter encountered an error during Windows Media Technology (WMT) live stream splitting. |
Practice: Configuring an Alert to Send an E-mail Message
In this exercise, you modify the Intrusion Detected alert to send you an e-mail message whenever an external intrusion of your network is detected by ISA Server.
To configure the Intrusion Detected alert to send you an e-mail message
Log on to Server1 as Administrator.
Open ISA Management, and expand the Monitoring Configuration node.
Select the Alerts folder.
In the details pane, right-click the Intrusion Detected alert and click Properties. The Intrusion Detected Properties dialog box appears.
Click the Actions tab.
Click the Send E-mail check box.
In the SMTP Server text box, type server2.domain01.local.
In the To text box, type testuser@server2.domain01.local.
In the From text box, type testuser@server2.domain01.local.
Click the Test button. You receive a message box indicating that the simulation was completed successfully.
Click OK.
In the Intrusion Detected Properties dialog box, click OK. After a few minutes, you should receive your test e-mail. This indicates that the service is working properly.
Lesson Summary
By default, ISA Server includes 45 alerts, 39 of which are enabled. Each alert specifies an event and four properties: the alert condition, the event location, the alert threshold, and the alert actions.
Alert conditions refer to the conditions that trigger an alert. Many predefined alerts, such as the DNS Intrusion alert, are triggered by default when any of a set of listed conditions occurs. However, you can configure a more specific alert that selects just one of these particular conditions as the basis for the alert.
The event location is the server on which the event must occur for the alert to be triggered. By default, all predefined alerts allow the specified event to occur on any ISA Server computer in the array. However, you can specify a particular ISA Server computer as the location for the alert event.
The alert actions determine what action will be taken when the alert is triggered. By default, all alerts only report the specified event to the Windows 2000 Event Log. However, you can also configure an alert to send an e-mail, to run a specified program, and to start or stop specified ISA Server services.
Alert thresholds determine the number of times the alert condition needs to occur before the alert action should be performed, and they also determine how long ISA Server should wait before performing the action again. By default, alerts specify that the alert condition only needs to occur once for an alert action to take place, and that the alert action should take place immediately.
You can view and modify all defined alerts in the Alerts folder in the Monitoring Configuration node of ISA Management.