Export (0) Print
Expand All

Web proxy log fields

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

The following table lists the fields that you can include in the Forefront TMG Web Proxy log entries. Note that, in Forefront TMG log format, if a field is disabled, it will appear in the log with a hyphen (-). In World Wide Web Consortium (W3C) log file format, the field will not appear. The Bit number column refers to the position in the Forefront TMG file format.

 

Bit number Field name (log viewer) Field name (SQL Server log format and SQL Server Express log format) Field name (W3C) Description

0

Client IP

ClientIP

c-ip

The IP address of the requesting client.

1

Client Username

ClientUserName

cs-username

The user account making the request. A question mark (?) indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous.

2

Client Agent

ClientAgent

c-agent

The name and version of the client application sent in the HTTP User-Agent header. When Forefront TMG is actively caching, this field is set to Forefront TMG.

 3

Authenticated Client

ClientAuthenticate

sc-authenticated

Indicates whether the client has been authenticated with the Forefront TMG computer. Possible values are Y and N.

  4

Log Date

logTime

date

The date on which the logged event occurred. In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set.

  5

Log Time

logTime

time

The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set.

  6

Service

service

s-svcname

The type of service that logged this record. This may be Proxy or Reverse Proxy.

  7

Server Name

servername

s-computername

The name of the Forefront TMG server.

  8

Referring Server

referredserver

cs-referred

Reserved for future use.

  9

Destination Host Name

DestHost

r-host

The domain name for the remote computer that provides service to the current request. A hyphen (-) in this field may indicate that an object was retrieved from the local cache and not from the destination.

10

Destination IP

DestHostIP

r-ip

The network IP address of the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was sourced from the local cache and not from the destination. One exception is negative caching. In that case, this field contains a destination IP address for which a negative cached object was returned.

11

Destination Port

DestHostPort

r-port

The port number on the target computer that provides service to the current connection.

12

Processing Time

processingtime

time-taken

The total time, in milliseconds, that Forefront TMG took to process the current request. It measures the time elapsed from the time when the server first receives the request to the time when final processing occurs on the server—when results are returned to the client. For cache requests that are processed through Web Proxy filter, the processing time measures the elapsed server time needed to fully process a client request and return an object to the client.

13

Bytes Received

bytesrecvd

cs-bytes

The number of bytes sent from the remote computer and received by the client during the current request. A hyphen (-), or a zero (0) in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer.

14

Bytes Sent

bytessent

sc-bytes

The number of bytes sent from the client to the remote computer during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer.

15

Protocol

protocol

cs-protocol

The application protocol used for the connection. Common values are HTTP, HTTPS, and FTP.

16

Transport

transport

cs-transport

The transport protocol used for the connection. This is always TCP for Web requests.

17

HTTP Method

operation

s-operation

The HTTP method used. Common values are GET, PUT, POST, and HEAD.

18

URL

uri

cs-uri

The URL requested.

19

MIME Type

mimetype

cs-mime-type

The MIME type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined for the current object.

20

Object Source

objectsource

s-object-source

The type of source that was used to retrieve the current object. A table of some possible values is provided in Web proxy object source log values.

21

HTTP Status Code

resultcode

sc-status

A Windows (Win32®) error code (for values less than 100), an HTTP status code (for values between 100 and 1,000), a Winsock error code (for values between 10,004 and 11,031), or a Forefront TMG error code. A table of some possible values is provided in Result code log values.

22

Cache Information

CacheInfo

s-cache-info

A number reflecting the cache status of the object, which indicates the reasons why the object was or was not cached. The number logged is the sum of the values for all the conditions that are met. A table of the possible values is provided in Web proxy cache log values.

23

Rule

Rule

rule

The rule that either allowed or denied access to the request, as follows:

If an outgoing request was allowed, this field indicates the access rule that allowed the request.

If an outgoing request was denied by a policy rule, this field indicates the access rule that blocked the request.

If an incoming request was denied by a policy rule, this field indicates the Web publishing or server publishing rule that denied the request.

If Forefront TMG denied the connection for any reason other than a policy rule (for example due to an intrusion attempt or exceeding a flood resiliency threshold) this field contains a hyphen (-), and the Result Code field (bit 21) indicates the reason.

24

Filter Information

FilterInfo

FilterInfo

Information supplied by a Web filter. For example, if HTTP Filter rejected a request, this field contains the reason for the rejection.

25

Source Network

SrcNetwork

cs-Network

The network from which the request originated.

26

Destination Network

DstNetwork

sc-Network

The network for which the request was destined.

27

Error information

ErrorInfo

error-info

A 32-bit bitmask that provides additional information about the request that can help identify the source of the error if an error occurred. A table of the possible bit fields is provided in Web proxy error log values.

28

Action

Action

action

The action performed by the Microsoft Firewall Service for the current session or connection. The possible values are defined in the FpcAction enumerated type.

29

GMT Log Time

GmtLogTime

GmtLogTime

The date and time in Coordinated Universal Time (UTC) when the log entry was made.

30

Authentication Server

AuthenticationServer

AuthenticationServer

The name of the authentication server.

31

NIS Scan Result

ipsScanResult

NIS scan result

The result of NIS scanning of the traffic or the connection (inspected/detected/blocked).

32

NIS Signature

ipsSignature

NIS signature

The NIS signature detected that resulted in the traffic been blocked.

33

Threat Name

ThreatName

ThreatName

The string describing the threat.

34

Malware Inspection Action

MalwareInspectionAction

MalwareInspectionAction

Describes the action performed on the inspection content. Possible values are Allowed, Cleaned or Blocked.

35

Malware Inspection Result

MalwareInspectionActionResult

MalwareInspectionActionResult

Describes the outcome of the malware inspection process. Possible values include:

No Violation Detected

Low and Medium Level Threats Not Blocked

Infected File

Suspicious File

Encrypted File

Maximum Archive Nesting Exceeded

Maximum Size Exceeded

Maximum Unpacked File Size Exceeded

Unknown Encoding

Corrupted File

Time Out

Storage Space Limit Exceeded

Unknown

Malware Inspection Disabled

Malware Inspection Disabled for the Matching Policy Rule

Malware Inspection Disabled for the Matching Web Chaining Rule

Destination Included in Malware Inspection Exceptions List

Response Originated from Proxy Server

Request Served by Malware Inspection Web Filter

Request/Response Pair Identified as Exempted Protocol Message

Response Identified as a 200 Response to a CONNECT Request

Response Scanned Before Being Routed by CARP (this is not relevant for Forefront TMG in the Essential Business Server scenario.

36

URL Category

UrlCategory

UrlCategory

Specifies the URL category that is assigned to the requested URL.

37

Content Delivery Method

MalwareInspectionContentDeliveryMethod

MalwareInspectionContentDeliveryMethod

Specifies whether users were informed by trickling partial content, or progress notifications.

38

UAG Array Id

UagArrayId

UAG Array ID

The array name of the message's array context.

39

UAG Version

UagVersion

Not in use.

40

UAG Module Id

UagModuleId

UAG module name

The name of the module that produced the message.

41

UAG Id

UagId

Not in use.

42

UAG Severity

UagSeverity

UAG message severity

The message severity (Error, Warning, Information, Notice).

43

UAG Type

UagType

Type of message

The type of the message (Security, Application, System, Session).

44

UAG Event Name

UagEventName

Not in use.

45

UAG Session Id

UagSessionId

UAG session ID

The ID of the session which is the context of the message.

46

UAG Trunk Name

UagTrunkName

UAG trunk name

The name of the trunk which is the context of the message.

47

UAG Service Name

UagServiceName

UAG service name

The name of the UAG service that generated the message.

48

UAG Error Code

UagErrorCode

UAG message ID

Specifies the UAG message ID.

49

Malware Inspection Duration (msec)

MalwareInspectionDuration

MalwareInspectionDuration

Specifies the inspection duration in milliseconds. If content is not inspected, 0 is shown. Inspected content shows a minimum value of 1.

50

Threat Level

MalwareInspectionThreatLevel

MalwareInspectionThreatLevel

Shows the threat level. Possible values include:

Low

Medium

High

Severe

51

Internal Service Info Log Fields

InternalServiceInfo

internal-service-info

Internal

52

NIS Application Protocol

ipsApplicationProtocol

NIS application protocol

The application protocol in which NIS detected the signature.

53

NAT Address

NATAddress

NAT Address

Public IP address used as a source IP for outbound traffic.

54

URL Categorization Reason

UrlCategorizationReason

UrlCategorizationReason

The reason for the URL categorizations.

Possible values include:

For successful categorizations:

From overrides

From cache

From Web service

For unknown:

Feature disabled

Not in database

Connection error

Web service down

License expired

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft