Web proxy log fields
Applies To: Forefront Threat Management Gateway (TMG)
The following table lists the fields that you can include in the Forefront TMG Web Proxy log entries. Note that, in Forefront TMG log format, if a field is disabled, it will appear in the log with a hyphen (-). In World Wide Web Consortium (W3C) log file format, the field will not appear. The Bit number column refers to the position in the Forefront TMG file format.
| Bit number | Field name (log viewer) | Field name (SQL Server log format and SQL Server Express log format) | Field name (W3C) | Description |
|---|---|---|---|---|
0 |
Client IP |
ClientIP |
c-ip |
The IP address of the requesting client. |
1 |
Client Username |
ClientUserName |
cs-username |
The user account making the request. A question mark (?) indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous. |
2 |
Client Agent |
ClientAgent |
c-agent |
The name and version of the client application sent in the HTTP User-Agent header. When Forefront TMG is actively caching, this field is set to Forefront TMG. |
3 |
Authenticated Client |
ClientAuthenticate |
sc-authenticated |
Indicates whether the client has been authenticated with the Forefront TMG computer. Possible values are Y and N. |
4 |
Log Date |
logTime |
date |
The date on which the logged event occurred. In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
5 |
Log Time |
logTime |
time |
The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
6 |
Service |
service |
s-svcname |
The type of service that logged this record. This may be Proxy or Reverse Proxy. |
7 |
Server Name |
servername |
s-computername |
The name of the Forefront TMG server. |
8 |
Referring Server |
referredserver |
cs-referred |
Reserved for future use. |
9 |
Destination Host Name |
DestHost |
r-host |
The domain name for the remote computer that provides service to the current request. A hyphen (-) in this field may indicate that an object was retrieved from the local cache and not from the destination. |
10 |
Destination IP |
DestHostIP |
r-ip |
The network IP address of the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was sourced from the local cache and not from the destination. One exception is negative caching. In that case, this field contains a destination IP address for which a negative cached object was returned. |
11 |
Destination Port |
DestHostPort |
r-port |
The port number on the target computer that provides service to the current connection. |
12 |
Processing Time |
processingtime |
time-taken |
The total time, in milliseconds, that Forefront TMG took to process the current request. It measures the time elapsed from the time when the server first receives the request to the time when final processing occurs on the server—when results are returned to the client. For cache requests that are processed through Web Proxy filter, the processing time measures the elapsed server time needed to fully process a client request and return an object to the client. |
13 |
Bytes Received |
bytesrecvd |
cs-bytes |
The number of bytes sent from the remote computer and received by the client during the current request. A hyphen (-), or a zero (0) in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
14 |
Bytes Sent |
bytessent |
sc-bytes |
The number of bytes sent from the client to the remote computer during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer. |
15 |
Protocol |
protocol |
cs-protocol |
The application protocol used for the connection. Common values are HTTP, HTTPS, and FTP. |
16 |
Transport |
transport |
cs-transport |
The transport protocol used for the connection. This is always TCP for Web requests. |
17 |
HTTP Method |
operation |
s-operation |
The HTTP method used. Common values are GET, PUT, POST, and HEAD. |
18 |
URL |
uri |
cs-uri |
The URL requested. |
19 |
MIME Type |
mimetype |
cs-mime-type |
The MIME type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined for the current object. |
20 |
Object Source |
objectsource |
s-object-source |
The type of source that was used to retrieve the current object. A table of some possible values is provided in Web proxy object source log values. |
21 |
HTTP Status Code |
resultcode |
sc-status |
A Windows (Win32®) error code (for values less than 100), an HTTP status code (for values between 100 and 1,000), a Winsock error code (for values between 10,004 and 11,031), or a Forefront TMG error code. A table of some possible values is provided in Result code log values. |
22 |
Cache Information |
CacheInfo |
s-cache-info |
A number reflecting the cache status of the object, which indicates the reasons why the object was or was not cached. The number logged is the sum of the values for all the conditions that are met. A table of the possible values is provided in Web proxy cache log values. |
23 |
Rule |
Rule |
rule |
The rule that either allowed or denied access to the request, as follows: If an outgoing request was allowed, this field indicates the access rule that allowed the request. If an outgoing request was denied by a policy rule, this field indicates the access rule that blocked the request. If an incoming request was denied by a policy rule, this field indicates the Web publishing or server publishing rule that denied the request. If Forefront TMG denied the connection for any reason other than a policy rule (for example due to an intrusion attempt or exceeding a flood resiliency threshold) this field contains a hyphen (-), and the Result Code field (bit 21) indicates the reason. |
24 |
Filter Information |
FilterInfo |
FilterInfo |
Information supplied by a Web filter. For example, if HTTP Filter rejected a request, this field contains the reason for the rejection. |
25 |
Source Network |
SrcNetwork |
cs-Network |
The network from which the request originated. |
26 |
Destination Network |
DstNetwork |
sc-Network |
The network for which the request was destined. |
27 |
Error information |
ErrorInfo |
error-info |
A 32-bit bitmask that provides additional information about the request that can help identify the source of the error if an error occurred. A table of the possible bit fields is provided in Web proxy error log values. |
28 |
Action |
Action |
action |
The action performed by the Microsoft Firewall Service for the current session or connection. The possible values are defined in the FpcAction enumerated type. |
29 |
GMT Log Time |
GmtLogTime |
GmtLogTime |
The date and time in Coordinated Universal Time (UTC) when the log entry was made. |
30 |
Authentication Server |
AuthenticationServer |
AuthenticationServer |
The name of the authentication server. |
31 |
NIS Scan Result |
ipsScanResult |
NIS scan result |
The result of NIS scanning of the traffic or the connection (inspected/detected/blocked). |
32 |
NIS Signature |
ipsSignature |
NIS signature |
The NIS signature detected that resulted in the traffic been blocked. |
33 |
Threat Name |
ThreatName |
ThreatName |
The string describing the threat. |
34 |
Malware Inspection Action |
MalwareInspectionAction |
MalwareInspectionAction |
Describes the action performed on the inspection content. Possible values are Allowed, Cleaned or Blocked. |
35 |
Malware Inspection Result |
MalwareInspectionActionResult |
MalwareInspectionActionResult |
Describes the outcome of the malware inspection process. Possible values include: No Violation Detected Low and Medium Level Threats Not Blocked Infected File Suspicious File Encrypted File Maximum Archive Nesting Exceeded Maximum Size Exceeded Maximum Unpacked File Size Exceeded Unknown Encoding Corrupted File Time Out Storage Space Limit Exceeded Unknown Malware Inspection Disabled Malware Inspection Disabled for the Matching Policy Rule Malware Inspection Disabled for the Matching Web Chaining Rule Destination Included in Malware Inspection Exceptions List Response Originated from Proxy Server Request Served by Malware Inspection Web Filter Request/Response Pair Identified as Exempted Protocol Message Response Identified as a 200 Response to a CONNECT Request Response Scanned Before Being Routed by CARP (this is not relevant for Forefront TMG in the Essential Business Server scenario. |
36 |
URL Category |
UrlCategory |
UrlCategory |
Specifies the URL category that is assigned to the requested URL. |
37 |
Content Delivery Method |
MalwareInspectionContentDeliveryMethod |
MalwareInspectionContentDeliveryMethod |
Specifies whether users were informed by trickling partial content, or progress notifications. |
38 |
UAG Array Id |
UagArrayId |
UAG Array ID |
The array name of the message's array context. |
39 |
UAG Version |
UagVersion |
Not in use. |
|
40 |
UAG Module Id |
UagModuleId |
UAG module name |
The name of the module that produced the message. |
41 |
UAG Id |
UagId |
Not in use. |
|
42 |
UAG Severity |
UagSeverity |
UAG message severity |
The message severity (Error, Warning, Information, Notice). |
43 |
UAG Type |
UagType |
Type of message |
The type of the message (Security, Application, System, Session). |
44 |
UAG Event Name |
UagEventName |
Not in use. |
|
45 |
UAG Session Id |
UagSessionId |
UAG session ID |
The ID of the session which is the context of the message. |
46 |
UAG Trunk Name |
UagTrunkName |
UAG trunk name |
The name of the trunk which is the context of the message. |
47 |
UAG Service Name |
UagServiceName |
UAG service name |
The name of the UAG service that generated the message. |
48 |
UAG Error Code |
UagErrorCode |
UAG message ID |
Specifies the UAG message ID. |
49 |
Malware Inspection Duration (msec) |
MalwareInspectionDuration |
MalwareInspectionDuration |
Specifies the inspection duration in milliseconds. If content is not inspected, 0 is shown. Inspected content shows a minimum value of 1. |
50 |
Threat Level |
MalwareInspectionThreatLevel |
MalwareInspectionThreatLevel |
Shows the threat level. Possible values include: Low Medium High Severe |
51 |
Internal Service Info Log Fields |
InternalServiceInfo |
internal-service-info |
Internal |
52 |
NIS Application Protocol |
ipsApplicationProtocol |
NIS application protocol |
The application protocol in which NIS detected the signature. |
53 |
NAT Address |
NATAddress |
NAT Address |
Public IP address used as a source IP for outbound traffic. |
54 |
URL Categorization Reason |
UrlCategorizationReason |
UrlCategorizationReason |
The reason for the URL categorizations. Possible values include: For successful categorizations: From overrides From cache From Web service For unknown: Feature disabled Not in database Connection error Web service down License expired |