How To Block logging of 405's to Event Log?
I've got a webserver accessible to the outside world that comes under constant vulnerability scans, many of which involve accessing .exe filetypes.
When any of these scans are made, not a 404, but a 405 error message is generated.
Each 405 is stored in the event log, clogging up the eventlog and making it difficult to search for useful information.
Is there any way to block 405 error messages from being put into the event log or perhaps a way to force a 404 error message in such cases?
I do use some CGIs so altering .exe in mime.types won't do. I'm running win2k adv. server.
-R
The customary way to force the server to return a 404 for an arbitrary resource is to use the deny-existence SAF. However, deny-existence will itself log a message each time a "denied" resource is requested, so this probably isn't what you want.
Fortunately, there are numerous ways to address the issue. One possibility is redirecting accesses to these resources elsewhere, e.g. to your web site's front page. The following 3 lines could be added to the end of obj.conf to redirect requests for URIs that end in "/system32/cmd.exe":
<Object ppath="*/system32/cmd.exe">
NameTrans fn="redirect" from="/" url="/"
</Object>
Similar Messages
-
Date format in log/error messages with Server Event Log
Hi :)
I have a question.
The current date is printed in the tterrors/ttmesg log files when the "-showdate" option is added to the $TIMESTEN_HOME/info/ttendaemon.options file.
But the date is not displayed for TimesTen Server Event Log output.
How can this be solved?
====
ttmesg.log
====
2010-05-17 09:40:00.11 Info: : 7409: maind: done with request #433.1657
09:40:00.13 Info: SRV: 31875: EventID=16| Connect succeeded from client: ttwell01 (ttwell01); IP address: 218.234.33.27; Client PID: 31870; DSN: ntsdb; UID: timesten
2010-05-17 09:40:27.84 Info: : 7409: maind got #434.1658, hello: pid=32076 type=utility payload=%00%00%00%00 protocolID=TimesTen 7.0.5.9.0.tt7059 ident=%00%00%00%00
====
====
ttendaemon.options
====
# Commented values are default values
#-supportlog /home/TimesTen/tt7059/info/ttmesg.log
#-maxsupportlogfiles 10
#-maxsupportlogsize 0x100000
#-userlog /home/TimesTen/tt7059/info/tterrors.log
#-maxuserlogfiles 10
#-maxuserlogsize 0x100000
-showdate
-verbose
-oracle_home /home/oracle11g
# Start the TimesTen OracleConnect GUI
-webserver
-server 17593
====
OS
====
Red Hat Enterprise Linux AS release 4 (Nahant Update 5)
Thanks
GooGyum
This is an issue that was discussed internally very recently. BUG 9719650 - -SHOWDATE OPTION NOT ENABLED FOR SRV MESSAGES has been logged to track the issue.
-
How to write to windows event logs from determinations-server under IIS
This is just an FYI technical bit of information I wish someone had shared with me before I started trying to write OPA errors to the windows event log... Most problems writing to the windows event log from log4net occur because of permissions. Some problems are because determinations-server does not have permissions to create some registry entries. Some problems cannot be resolved unless specific registry entry permissions are actually changed. We had very little consistency with the needed changes across our servers, but some combination of the following would always get the logging to the windows event log working.
To see log4net errors as log4net attempts to utilize the windows event log, temporarily add the following to the web.config:
<appSettings>
<!-- uncomment the following line to send diagnostic messages about the log configuration file to the debug trace.
Debug trace can be seen when attached to IIS in a debugger, or it can be redirected to a file, see
http://logging.apache.org/log4net/release/faq.html in the section "How do I enable log4net internal debugging?" -->
<add key="log4net.Internal.Debug" value="true"/>
</appSettings>
<system.diagnostics>
<trace autoflush="true">
<listeners>
<add
name="textWriterTraceListener"
type="System.Diagnostics.TextWriterTraceListener"
initializeData="logs/InfoDSLog.txt" />
</listeners>
</trace>
</system.diagnostics>
To add an appender for the windows event viewer, try the following in the log4net.xml:
<appender name="EventLogAppender" type="log4net.Appender.EventLogAppender" >
<param name="ApplicationName" value="OPA" />
<param name="LogName" value="OPA" />
<param name="Threshold" value="all" />
<layout type="log4net.Layout.PatternLayout">
<conversionPattern value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
</layout>
<filter type="log4net.Filter.LevelRangeFilter">
<levelMin value="WARN" />
<levelMax value="FATAL" />
</filter>
</appender>
<root>
<level value="warn"/>
<appender-ref ref="EventLogAppender"/>
</root>
To put the OPA logs under the Application Event Log group, try this:
Create an event source under the Application event log in Registry Editor. To do this, follow these steps:
1. Click Start, and then click Run.
2. In the Open text box, type regedit.
3. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
4. Right-click the Application subkey, point to New, and then click Key.
5. Type OPA for the key name.
6. Close Registry Editor.
To put the OPA logs under a custom OPA Event Log group (as in the demo appender above), try this:
Create an event log in Registry Editor. To do this, follow these steps:
1. Click Start, and then click Run.
2. In the Open text box, type regedit.
3. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
4. Right-click the eventlog subkey, point to New, and then click Key.
5. Type OPA for the key name.
6. Right-click the new OPA key and add a new DWORD called "MaxSize" and set it to "1400000" which is about 20 Meg in order to keep the log file from getting too large.
7. The next steps either help or sometimes cause an error, but you can try these next few steps... If you get an error about a source already existing, then you can delete the key.
8. Right-click the OPA subkey, point to New, and then click Key.
9. Type OPA for the key name.
10. Close Registry Editor.
You might need to change permissions so OPA can write to the event log in Registry Editor. If you get permission errors, try following these steps:
1. Click Start, and then click Run.
2. In the Open text box, type regedit.
3. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
4. Right-click the EventLog key, select Permissions.
5. In the dialog that pops up, click Add...
6. Click Advanced...
7. Click Locations... and select the current machine by name.
8. Click Find Now
9. Select both the Network user and IIS_IUSERS user and click OK and OK again. (We never did figure out which of those two users was the one that fixed our permission problem.)
10. Change the Network user to have Full Control
11. Click Apply and OK
To verify OPA Logging to the windows event logs from Determinations-Server:
Go to the IIS determinations-server application within Server Manager.
Under Manage Application -> Browse Application click the http link to pull up the local "Available Services" web page that show the wsdl endpoints.
Select the /determinations-server/server/soap.asmx?wsdl link
Go to the URL and remove the "?wsdl" from the end of the url and refresh. This will throw the following error into the logs:
ERROR Oracle.Determinations.Server.DSServlet [(null)] - Invalid get request: /determinations-server/server/soap.asmx
That error should show up in the windows event log, OR you can get a message explaining why security stopped you in "logs/InfoDSLog.txt" if you used the web.config settings from above.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa363648(v=vs.85).aspx
Edited by: Paul Fowler on Feb 21, 2013 9:45 AM
Thanks for sharing this information Paul.
-
How can I turn off Event ID 5156 AND 5145 in the Security Event Log?
Hi,
I have a high volume web service. Every time there is a connection from the outside, it logs this in my security event log.
I want to turn this off.
How can I stop the logging of event id 5156 on the web server and 5145 on the file server?
Thanks!
Dane!
Hi,
Thanks for posting in Microsoft TechNet forums.
The problem can be related to Audit settings. Please check the following threads to see if the information can be useful during the troubleshooting:
auditing file share on windows 2008 R2
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/9e633bad-cda6-4ec4-8f04-c01de57ce767
Event ID 5156 filling up event logs. Probably due to anti-virus software (SEP 11)
http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/8044fb62-f5ea-45b5-b717-3f6592af77e0
Regards
Kevin
TechNet Subscriber Support
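Added example (not part of the thread above): event 5156 is written by the "Filtering Platform Connection" audit subcategory and event 5145 by "Detailed File Share", so success auditing for each can be switched off with auditpol while failure auditing stays on. The helper name Get-AuditSetting is made up for this example, and the column name it reads assumes an English-language system; run it from an elevated PowerShell prompt on the server concerned.

```powershell
# Added example: turn off success auditing for the two noisy subcategories
# and show the setting before and after. Requires an elevated prompt.
$subcategories = [ordered]@{
    'Filtering Platform Connection' = '5156 (connection allowed); blocked connections are 5157'
    'Detailed File Share'           = '5145 (share object access check)'
}

function Get-AuditSetting([string]$Name) {
    # "auditpol /get ... /r" prints CSV; drop blank lines before parsing.
    $rows = auditpol /get /subcategory:"$Name" /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv
    $rows.'Inclusion Setting'      # e.g. "Success and Failure", "Failure", "No Auditing"
}

foreach ($name in $subcategories.Keys) {
    $before = Get-AuditSetting $name

    # Only the success half is changed; failure auditing is left as it was,
    # so blocked connections and denied share access are still recorded.
    auditpol /set /subcategory:"$name" /success:disable | Out-Null

    [pscustomobject]@{
        Subcategory = $name
        Events      = $subcategories[$name]
        Before      = $before
        After       = Get-AuditSetting $name
    }
}
```

If the audit policy is delivered by Group Policy, make the same change under Advanced Audit Policy Configuration in the GPO; a local auditpol change is overwritten at the next policy refresh.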
-
Big Events.log in $COMMON_TOP/admin/log
Hello,
I have noticed there are always many logs in the $COMMON_TOP/admin/log. Apart from the concurrent managers logs etc, there are those Events.logs which can grow to any size as long as the apps keeps running.
New ones are however created upon restart of apps and I can clear the old ones.
I would like to reduce what is written to the Events.log so that they do not grow too big. Can someone let me know how to do this or point me to an article on these logs?
Regards
I have found the solution I wanted and I think it may be useful to someone later and that is why I am posting this.
Those LARGE eventxx.logs under $COMMON_TOP/admin/log are Fulfillment Server logs and looking through them, I don't really know their benefits and I have been deleting them but I can switch off the logging now.
This is detailed in the metalink note ID 601375.1
I got this when I came across this link on the internet:
http://newappsdba.blogspot.com/2008/12/huge-eventslog-files-in-applcsfappllog.html
Regards
Edited by: user12191278 on 18-Jan-2010 05:24 -
Hi all,
We have almost 1500 clients (Win7 systems) in a LAN environment and our requirement is to clear event logs older than 7 days on all client systems.
Please confirm whether any group policy or script is available for that.
Thanks, Mariappan Shanmugavel
Greetings!
I am not sure if it is practical to have a script to search for old event logs and clear them. Also it may create performance issues because the event logs have to be queried and checked against conditions before moving on to the removal process. Why not use retention for this? Configure retention for 7 days and there will be no log older than that.
Event Logging policy settings in Windows Server 2008 and Vista
Regards.
Mahdi Tehrani | www.mahditehrani.ir
-
Hi everyone,
I have a very "interesting" question from my customer.
He is asking me how much disk space is needed for an event log. Just one event log. Because I told him that IPS itself has limited space for logs and to archive it, please use IME installed on a server.
Does anyone know how much disk space is taken up for a single event log? LOL
Regards
There is no fixed size. Different types of events will contain more or less data. If you turn on packet captures, the size will be much larger as well.
- Bob -
Allow Non-Administrator accounts to create event sources and write to event logs
We are setting up BizTalk 2013 in Windows Server 2012 and one of the requirements is to allow the service account to create sources and write in event logs (Application) of the BizTalk servers. We have found what it seems to be a simple solution for this without giving service accounts local admin rights.
Give Full control for the following registry keys to the service accounts or groups to allow creating of event sources and write to event logs:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
Note: when changing permissions for EventLog key, the child keys will inherit the permissions by default except Security key which must be done manually.
Initial tests using a .net test app seems to work as expected. New event sources are being created in the event logs and writing to the event logs after that works perfectly.
The above method has been deployed in production and this is the most suitable solution for us.
Hi Keong6806,
Thanks a lot for posting and sharing here.
Do you have any other questions regarding this topic? If not I would change the type as 'Discussion' then.
Best Regards,
Elaine
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
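Added example, not code from either poster: the event-source steps from the determinations-server (OPA) post and the BizTalk post above, done once from an elevated Windows PowerShell prompt so that the service account only writes to a source that already exists. It also lists which accounts hold Full Control on the EventLog key. The OPA names come from the log4net appender; the $expected baseline and event id 1000 are assumptions.

```powershell
# Added example; run once as an administrator on the server.
param(
    [string]$LogName = 'OPA',   # log and source names from the log4net appender above
    [string]$Source  = 'OPA',
    [int]$MaxKB      = 20480    # 20 MB; MaximumKilobytes must be a multiple of 64
)
$ErrorActionPreference = 'Stop'

# 1. Register the source. Creating a source needs admin rights; writing to an
#    existing one does not need write access to the registry.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
}

# 2. A source belongs to exactly one log. If it was registered under another
#    log earlier (for example Application), report that and leave it alone.
$bound = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.')
if ($bound -ne $LogName) {
    Write-Warning "Source '$Source' is registered under '$bound', not '$LogName'."
} else {
    $log = New-Object System.Diagnostics.EventLog($LogName)
    $log.MaximumKilobytes = $MaxKB          # cap the size of the custom log
}

# 3. Write a test entry so the result can be checked in Event Viewer.
[System.Diagnostics.EventLog]::WriteEntry(
    $Source, 'Event source provisioning test', 'Information', 1000)

# 4. List Allow entries with FullControl on the EventLog key that are not in
#    the expected baseline (assumption: adjust $expected to your own baseline).
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
$full     = [System.Security.AccessControl.RegistryRights]::FullControl

(Get-Acl -Path $key).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $full) -eq $full -and
        $expected -notcontains $_.IdentityReference.Value
    } |
    Select-Object IdentityReference, RegistryRights, IsInherited
```

An empty result from step 4 means no account outside the baseline holds Full Control on the key; any row it prints is a grant to review.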
LocalDrive, remoteDrive error being logged to Windows Application event log
Post Author: yday
CA Forum: Data Integration
Hi all,
We are finding the following error messages being constantly logged to the Windows application event log:
Event ID: 4096
Source: Data Integrator
"The error: localDrive: LocalDrive1; localDriveValue: "
and
Event ID: 4096
Source: Data Integrator
"The error: remoteDrive: RemoteDrive1; remoteDriveValue: "
Another user noted as having the same problem in the old BO Support Forum:
http://support.businessobjects.com/forums/message.asp?fid=568&mid=171195
We are also running Data Quality XI R2 (11.5.1.0) on the same server. This problem has been happening for as long as I can remember. It does not appear to cause any jobs to fail, but we would like to resolve this to prevent error messages being logged to computer management. Can anyone suggest a solution?
Product: Data Integrator XI R2
Version: 11.7.0.0
Patches Applied: None
Operating System(s): Windows Server 2003 w SP1
Database(s): Oracle 10gR2
Error Messages: remoteDrive, localDrive error (as above)
Steps to Reproduce: Restart the job server and the error appears
Thanks and regards,
York DAY
Post Author: yday
CA Forum: Data Integration
Ben,
I have just installed DI 11.7.2.0 and it is still an issue! The bug has not been listed in the release notes in either the resolved issues section, or the known issues section.
Australia support told me it would be fixed in the next service release. This was well before 11.7.2.0 was released.
I've opened another support case as I closed the last one, believing it was resolved. From our perspective, it is not even being shown as a known issue with the product at this stage - so I will be keeping my support issue open this time until I see it is fixed.
My support case number is 302810798 FYI.
Rgds,York -
LYNC 2013 Event Logging Parameters for LYNC server logs
Hi,
We have LYNC server 2013 enterprise voice. We have third party Monitoring server to monitor the event logging.
Do we have default event logging parameters for LYNC Server logs in LYNC 2013?
Thanks
jitender
There's really just the default level of logging for Lync Server Event Logs. For individual call troubleshooting you might use the debug logger, and for longer term troubleshooting you'd deploy the Lync Monitoring role. The monitoring role, service status, and performance monitor counters are what you really want to be monitoring if you're watching your Enterprise Voice deployment.
If I understand the question, there isn't a way to turn up the amount of logs generated in the Lync event logs or change parameters around this.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications -
WSA s170 - How to block skype and download
Hi,
I recently changed my proxy solution from BlueCoat ProxySG to Cisco WSA but I'm finding some difficulties to operate the appliance.
a - I can't have multiple defaults route
b - How can I block skype traffic?
c - How can I block download
d - No graphical interface for logging
I hope some here can help me. Because I don't know yet if it was a good choice change the solution that used to work like a charm.
If some one can also point the other good things I can do with this appliance should be good.
Best regards,
Alcides
It sounds like it may be best for you to reach out to the sales person that sold you this appliance. But some quick answers for you:
a) You can go to Network > Routes. You can set routes based on destinations. What exactly are you trying to do with multiple default routes? Are you trying to get some kind of fail-over setup? If so, this cannot be done. You can contact TAC and ask that they submit a feature request for this.
b) Skype can be blocked by the WSA, but after Skype determines that it cannot logon via port 80 or 443, it will start trying every port ever existed until it gets access. Are you ready to block all other ports at the firewall?
c) You can block a download by file types under Access Policies > Mime Type.
d) There is web tracking. But if you want to view live logs in the GUI, that is not available. Consider contacting TAC and asking for a feature request as well.
It sounds like you are very used to the Bluecoat. Different products will have different features. -
How to block yahoo new messenger option in mail beta
Hi,
Anyone know how to block yahoo's new option of messenger being in the
yahoo mail beta? I know we could just block access to yahoo mail, but
that hasn't been a real problem at this point (according to our logs
anyway) but now that messenger has been added there, it certainly could
become a problem.
Have already blocked webmessenger for yahoo and msn, are there others
now? we have the other general blocks for the clients (port
redirections etc)
Thank you,
Mike
Mike,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
- Check all of the other support tools and options available at
http://support.novell.com.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://support.novell.com/forums)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://support.novell.com/forums/faq_general.html
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/ -
how to block an email address from sending me email?
Try this link
My Verizon Online Sign In - Verizon Wireless
Otherwise search for internet spam blocking in the I Want To box once logged in
There are check boxes for block all text messages sent from email and block all text messages sent from web.
Or you can block specific email addresses if you think that would work for your situation. -
i m Al thaf my iPhone 4s is lost how to block total e tideways this career at&t unlock i m sent in sri lanka this dwayside active thes phone ime:013030000145542 pls help me
So the bottom line is, you've run into Activation Lock. You have no options other than to get those original credentials. (I have to admit I did not read your too-long story) You don't need his password, he just needs to log into icloud.com with his credentials and remove the device in question from Find My iPhone.
http://support.apple.com/kb/PH13695 -
How to block on account payment for certain user
Dear All,
We are looking to implement a policy on how to block certain users so they are not able to take on account payment. One more query: is it possible to disable a field? I want to disable the field "Payment on account" in the Incoming Payments. Please advise
Hi,
Use the below code in the transaction notification procedure. Change userid = 1 to the user id for the user you want to block payment on account.
-- Object type 24 = Incoming Payments (ORCT); 'A' = document is being added
IF @Object_type = N'24' and @transaction_type = N'A'
BEGIN
    -- Reject the document when it is an on-account payment entered by the blocked user
    if exists (SELECT ORCT.DocEntry from ORCT
               WHERE (ORCT.PayNoDoc='Y' and ORCT.UserSign=1)
                 and ORCT.DocEntry = @list_of_cols_val_tab_del)
    begin
        -- A non-zero @error makes the add fail with @error_message shown to the user
        select @error =14
        select @error_message = 'Cannot make on account payments '
    end
END
Thanks,
Neetu