Log query parameters

The following table summarizes the criteria on which you can filter logs.

Filter by Condition Values and description

Action

(not applicable to Web Proxy log)

Equals

Not Equal

Not One Of

One Of

The action performed by the Firewall service for the current connection or session.

Possible values:

  • Allowed Connection
  • Closed Connection
  • Closed VPN Connection
  • Connection Status
  • Denied Connection
  • Failed Connection Attempt
  • Failed VPN Connection Attempt
  • Initiated Connection
  • Initiated VPN Connection
  • Quarantine Timeout
  • User Cleared Quarantine
  • User Quarantined

Authenticated Client (not applicable to Firewall log)

Equals

Not Equal

Indicates whether the client has been authenticated with Forefront TMG.

Possible values:

  • No or Yes

Authentication Server

Contains

Equals

Not Contains

Not Equal

Possible values:

  • Text or numeric value

Bidirectional (not applicable to Web Proxy log)

Equals

Not Equal

Indicates whether the traffic is send/receive.

Possible values:

  • No or Yes

Bytes Received

Greater or Equal

Less or Equal

The number of bytes sent from the destination computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination computer or that no bytes were received from the destination computer.

Possible values:

  • Numeric value only

Bytes Sent

Greater or Equal

Less or Equal

The number of bytes sent from the source client to the destination server during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination computer or that no bytes were sent to the destination computer.

Possible values:

  • Numeric value only

Cache Information (not applicable to Firewall log)

Equals

Not Equal

This number reflects the cache status of the object, which indicates why the object was or was not cached. This field applies only to the Web Proxy log.

Client Agent

Contains

Equals

Not Contains

Not Equal

The client application type sent by the client in the HTTP header. For Microsoft Firewall service, this field includes information about the client's operating system.

Possible values:

Client IP

Equals

Greater or Equal

Less or Equal

Not Equal

Not One Of

One Of

The IP address of the requesting client.

Possible values:

  • IP address format

Client Username

Contains

Equals

Not Contains

Not Equal

The account of the user making the request. If Forefront TMG access control is not being used, Forefront TMG uses anonymous.

Possible values:

  • Numeric or text value

Content Delivery Method

Equals

Not Equal

Not One Of

One Of

Fast Trickling

Progress Notification

Standard Trickling

Destination Host Name

Contains

Equals

Not Contains

Not Equal

Not One Of

One Of

The domain name for the remote computer that provides service to the current connection. For the Web Proxy log, a hyphen (-) in this field may indicate that an object was retrieved from the cache and not from the destination.

Possible values:

  • Numeric or text value

Destination IP

Equals

Greater or Equal

Less or Equal

Not Equal

Not One Of

One Of

The network IP address for the remote computer that provides service to the current connection. For the Web Proxy log, a hyphen (-) in this field may indicate that an object was sourced from the cache and not from the destination. One exception is negative caching. In that case, this field indicates a destination IP address for which a negative-cached object was returned.

Possible values:

  • IP address format

Destination Network

Contains

Equals

Not Contains

Not Equal

Not One Of

One Of

The network that provides service to the current connection.

Possible values:

  • Any defined network

Destination Port

Equals

Not Equal

Not One Of

One Of

The reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request.

Possible values:

  • Numeric value

Error Information (not applicable to Firewall log)

Equals

Not Equal

Error information.

Possible values:

  • Numeric value

Filter Information

Contains

Equals

Not Contains

Not Equal

This field includes information that a Web filter can log. For example, when the HTTP filter denies a request, the reason for the denial is stored here.

Possible values:

  • Blocked by HTTP Security filter
  • Body contains sequences which are disallowed
  • Query string length exceeded maximum allowed
  • Request body length exceeded maximum allowed
  • Sent verb is disallowed
  • Sent verb is not specifically allowed
  • The request contains a header which exceeds the maximum header length allowed
  • The request contains a header which is not allowed
  • The response contains a header which exceeds the maximum header
  • The response contains a header which is not allowed
  • The response content is encoded and cannot be scanned
  • There are request headers which contain a disallowed sequence
  • There are response headers which contain a disallowed sequence
  • URL contains '.' in the path
  • URL contains an extension which is disallowed
  • URL contains an extension which is not specifically allowed
  • URL contains high-bit characters
  • URL contains sequences which are disallowed
  • URL length exceeded maximum allowed
  • URL normalization was not complete after one pass

GMT Log Time

On or After

On or Before

Indicates Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT), which is the log time date.

Possible values:

  • Select calendar date

HTTP Method

Contains

Equals

Not Contains

Not Equal

Specifies the application method used.

  • Possible values that are common for the Web Proxy log:
  • GET
  • PUT
  • POST
  • HEAD

Possible values that are common for the Firewall log:

  • CONNECT
  • BIND
  • SEND
  • RECEIVE
  • GHBN (GetHostByName)
  • GHBA (GetHostByAddress)

HTTP Status Code

Equals

Not Equal

Not One Of

One Of

Specifies the HTTP status code.

Possible values:

  • Numeric value

Log Record Type

Equals

Specifies the log type to filter.

Possible values:

  • Firewall
  • Web Proxy Filter
  • Firewall or Web Proxy Filter

Log Time

Last 24 hours

Last 30 days

Last 7 days

Last hour

Live

On or After

On or Before

The time that the logged event occurred.

Possible values:

  • Live, for all logging except SQL Server Express format
  • SQL Server Express, for all values. If you select On or After, or On or Before, select dates from the calendar.

Malware Inspection Action

Equals

Not Equal

Not One Of

One Of

Specifies the possible actions for content.

Possible values:

  • Allowed
  • Blocked
  • Cleaned

Malware Inspection Duration

Greater or Equal

Less or Equal

Possible values:

  • Numeric value

Malware Inspection Result

Equals

Not Equal

Not One Of

One Of

The possible results of the malware inspection process.

Possible values:

  • Corrupted file
  • Destination included in Malware Inspection Exceptions list
  • Encrypted File
  • Infected File
  • Low and Medium Level Threats Not Blocked
  • Malware Inspection Disabled
  • Malware Inspection Disabled for the Matching Policy Rule
  • Malware Inspection Disabled for the Matching Web Chaining Rule
  • Maximum Archive Nesting Exceeded
  • Maximum Size Exceeded
  • Maximum Unpacked File Size Exceeded
  • No Violation Detected
  • Request Served by Malware Inspection Web Filter
  • Request/Response Pair Identified as Exempted Protocol Message
  • Response Identified as a 200 Response to a CONNECT Request
  • Response Originated from Proxy Server
  • Response Scanned Before Being Routed by CARP
  • Storage Space Limit Exceeded
  • Suspicious File
  • Time Out
  • Unknown
  • Unknown Encoding

MIME Type (not applicable to Firewall log)

Contains

Equals

Not Contains

Not Equals

The MIME type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined or supported by the remote computer.

Possible values:

  • Select from defined content types
  • Content types are defined on the Toolbox tab, available from the Firewall Policy node in Forefront TMG Management.

Network Interface (not applicable to Web Proxy log)

Contains

Equals

Not Contains

Not Equal

Not One Of

One Of

Primary IP address of the interface that received the traffic.

Possible values:

  • Numeric or text value

Object Source (not applicable to Firewall log)

Equals

Not Equal

Not One Of

One Of

Indicates the source that was used to retrieve the current object.

Possible values:

  • Cache
  • Internet
  • Not Modified
  • Not Verified Cache
  • Upstream
  • Verified Cache
  • Verified Failed Internet

Original Client IP

Equals

Greater or Equal

Less or Equal

Not Equal

Not One Of

One Of

The IP address of the client making the request.

Possible values:

  • IP address format

Processing Time (not applicable to Firewall log)

Greater or Equal

Less or Equal

This indicates the total time, in milliseconds, that is needed by Forefront TMG to process the current connection. It measures elapsed server time from the time that the server first received the request to the time when final processing occurred on the server—when results were returned to the client and the connection was closed.

For cache requests that were processed through Web Proxy, processing time measures the elapsed server time needed to fully process a client request and return an object from the server cache to the client.

Possible values:

  • Numeric value

Protocol

Contains

Equals

Not Contains

Not Equal

Not One Of

One Of

Specifies the application protocol used for the connection. Common values are HTTP, FTP, and HTTPS. For the Firewall service, the port number is also logged.

Possible values:

  • Any protocol defined in Forefront TMG

Raw IP Header (not applicable to Web Proxy log)

Contains

Equals

Not Contains

Not Equal

Not One Of

One Of

The Raw IP header information.

Possible values:

  • Numeric or text value

Raw Payload (not applicable to Web Proxy log)

Contains

Equals

Not Contains

Not Equal

The raw data of the packet.

Possible values:

  • Numeric or text value

Referring Server

Contains

Equals

Not Contains

Not Equals

If Forefront TMG is used upstream in a chained configuration, this indicates the server name of the downstream server that sent the request.

Possible values:

  • Numeric or text value

Result Code

Equals

Not Equal

Not One Of

One Of

The result code numeric ID.

Possible values:

Rule

Contains

Equals

Not Conains

Not Equal

Not One Of

One Of

This reflects the rule that either allowed or denied access to the request.

Possible values:

  • Select the rule

Server Name (not applicable to Firewall log)

Contains

Equals

Not Contains

Not Equals

The name of the computer running Forefront TMG. This is the computer name that is assigned in Microsoft Windows Server 2003 or Windows 2000 Server

Possible values:

  • Select the server name

Service (not applicable to Firewall log)

Equals

Not Equal

Not One Of

One Of

The type of request being logged.

Possible values:

  • Proxy, indicating outgoing Web request
  • Reverse Proxy, indicating incoming Web requests (publishing)

Source Network

Contains

Equals

Not Contains

Not Equal

Not One Of

One Of

The network from which the request originated.

Possible values:

  • Select a network

Source Port (not applicable to Web Proxy log)

Equals

Not Equal

The port on which the requesting client makes the request.

Possible values:

  • Numeric value

Threat Level

Equals

Not Equal

Not One Of

One Of

The malware inspection threat level.

Possible values:

  • High
  • Low
  • Medium
  • Severe

Threat Name

Contains

Equals

Not Contains

Not Equal

Not One Of

One Of

The threat name.

Possible values:

  • Numeric or text value

Transport

Contains

Equals

Not Contains

Not Equals

Specifies the transport protocol used for the connection.

Possible values:

  • ICMP
  • TCP
  • UDP

URL (not applicable to Firewall log)

Contains

Equals

Not Contains

Not Equal

Not One Of

One Of

This field shows the contents of the URL request.

Possible values:

  • Numeric or text value