Firewall log fields

The following table lists the fields that you can include in each of the Microsoft Forefront Threat Management Gateway log files. Note that in the Forefront TMG log format a disabled field still appears in the log, as a hyphen (-); in the World Wide Web Consortium (W3C) log file format a disabled field is omitted entirely. The Bit number column gives the field's position in the Forefront TMG file format.

| Bit number | Field name (log viewer) | Field name (SQL Server log format and SQL Server Express log format) | Field name (W3C format) | Description |
|---|---|---|---|---|
| 0 | Server Name | servername | computer | The name of the Forefront TMG computer, as assigned in the operating system settings. |
| 1 | Log Date | logTime | date | The date on which the logged event occurred. In the SQL Server and SQL Server Express formats, the date and the local time are combined in the single logTime field. |
| 2 | Log Time | logTime | time | The time at which the logged event occurred. In the W3C extended file format this is Coordinated Universal Time (UTC); in all other formats it is local time. In the SQL Server and SQL Server Express formats, the date and the time are combined in the single logTime field. |
| 3 | Transport | protocol | IP Protocol | The transport protocol used for the connection. Common values are TCP and UDP. |
| 4 | Client IP and Port | SourceIP, SourcePort | source | The IP address of the requesting client and the source port it used. In the SQL Server and SQL Server Express formats these are separate SourceIP and SourcePort fields, so that each can be queried individually. For ICMP packets, the port field holds the ICMP type. |
| 5 | Destination IP and Port | DestinationIP, DestinationPort | destination | The IP address and port number of the target computer that provides service to the current connection; the port number is the one used by the client application that initiated the request. In the SQL Server and SQL Server Express formats these are separate DestinationIP and DestinationPort fields, so that each can be queried individually. For ICMP packets, the port field holds the ICMP code. |
| 6 | Original Client IP | OriginalClientIP | original client IP | The original IP address of the requesting client. |
| 7 | Source Network | SourceNetwork | source network | The network from which the request originated. |
| 8 | Destination Network | DestinationNetwork | destination network | The network to which the request was sent. |
| 9 | Action | Action | action | The action the firewall took for the current session or connection. The possible values are defined in the FpcAction enumerated type. |
| 10 | Result Code | Resultcode | status | A Windows error code, or a Forefront TMG error code, in HRESULT format. |
| 11 | Rule | Rule | rule | The rule that allowed or denied the request. For an outgoing request, this is the access rule that allowed or blocked it. For an incoming request, this is the Web publishing rule or server publishing rule that allowed or denied it. If an incoming or outgoing request was denied for a reason other than a policy rule (for example, an intrusion attempt or exceeding a flood resiliency threshold), this field is empty and the Result Code field indicates the reason. |
| 12 | Protocol | ApplicationProtocol | application protocol | The name of the application protocol used for the connection, as defined in the collection of protocol definitions. |
| 13 | Bidirectional | Bidirectional | bidirectional | A value from the FpcBidirection enumerated type indicating whether the connection was bidirectional. |
| 14 | Bytes Sent | bytessent | bytes sent | The total number of bytes sent from the client to the destination host during the current connection. A hyphen (-) or zero (0) means either that the destination host did not provide this information or that no bytes were sent to it. |
| 15 | Bytes Sent Delta | bytessentDelta | bytes sent intermediate | The number of bytes sent from the client to the destination host since the previous log entry for the current connection. A hyphen (-) or zero (0) has the same meaning as for Bytes Sent. |
| 16 | Bytes Received | bytesrecvd | bytes received | The total number of bytes sent by the remote computer and received by the client during the current connection. A hyphen (-) or zero (0) means either that the remote computer did not provide this information or that no bytes were received from it. |
| 17 | Bytes Received Delta | bytesrecvdDelta | bytes received intermediate | The number of bytes sent by the remote computer and received by the client since the previous log entry for the current connection. A hyphen (-) or zero (0) has the same meaning as for Bytes Received. |
| 18 | Processing Time | connectiontime | connection time | The total time, in milliseconds, that Forefront TMG needed to process the current connection: measured from when the Forefront TMG computer first received the request to when final processing completed on it, that is, when the results were returned to the client and the connection was closed. |
| 19 | Processing Time Delta | connectiontimeDelta | connection time intermediate | The time, in milliseconds, elapsed since the previous log entry for the current connection. |
| 22 | Client Host Name | SourceName | Source Name | Reserved for future use. |
| 23 | Destination Host Name | DestinationName | destination name | The domain name of the remote computer that provides service to the current connection. |
| 24 | Client Username | ClientUserName | username | The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not in use, Forefront TMG records Anonymous. |
| 25 | Client Agent | ClientAgent | agent | For clients with the Firewall Client software installed, the name of the application that made the network request. Not applicable to SecureNAT client sessions. |
| 26 | Session ID | sessionid | session ID | An identifier shared by all connections that belong to the same session. For Firewall clients, each process that connects through the Microsoft Firewall service starts its own session. For SecureNAT clients, a single session covers all connections originating from the same IP address. |
| 27 | Connection ID | connectionid | connection ID | An identifier shared by all log entries that belong to the same connection. An outbound TCP connection usually produces two entries: one when the connection is established and one when it is terminated. UDP usually produces two entries per remote address. |
| 28 | Network Interface | Interface | interface | The network adapter on the Forefront TMG computer on which the connection was established. |
| 29 | Raw IP Header | IPHeader | IP header | The IP header of the current packet. This field is populated only for packets that Forefront TMG denies and drops. |
| 30 | Raw Payload | Payload | protocol payload | The protocol header of the current packet. This field is populated only for packets that Forefront TMG denies and drops. |
| 31 | GMT Log Time | GmtLogTime | GMT Time | The GMT time corresponding to the local time in the logTime field. |
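A parser for the W3C form of this log, added here as an example (not Microsoft's code): it maps the hyphen convention to None, turns the byte and time counters into integers, splits the ip:port endpoints (ICMP type or code sitting in the port position), and picks out the entries the Rule description identifies as denied outside policy. Assumptions the page does not state: values are tab-separated in the table's field order with disabled fields absent (so the caller passes the enabled field list), endpoints are written ip:port, and status is a decimal or 0x-prefixed code with 0 meaning success; the sample entries are constructed.

```python
# Parser for Forefront TMG W3C-format firewall log entries (example added
# here, not Microsoft's code); see the lead-in for the assumptions made.

W3C_FIELDS = [  # bit order from the table (bits 20-21 are not in the table)
    "computer", "date", "time", "IP Protocol", "source", "destination",
    "original client IP", "source network", "destination network", "action",
    "status", "rule", "application protocol", "bidirectional", "bytes sent",
    "bytes sent intermediate", "bytes received", "bytes received intermediate",
    "connection time", "connection time intermediate", "Source Name",
    "destination name", "username", "agent", "session ID", "connection ID",
    "interface", "IP header", "protocol payload", "GMT Time"]
COUNTERS = {"bytes sent", "bytes sent intermediate", "bytes received",
            "bytes received intermediate", "connection time",
            "connection time intermediate"}  # '-' or 0 means not reported
def parse_line(line, fields=W3C_FIELDS):
    """One tab-separated entry -> dict keyed by W3C field name ('-' -> None)."""
    values = line.rstrip("\r\n").split("\t")
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    rec = {}
    for name, raw in zip(fields, values):
        val = None if raw in ("", "-") else raw
        rec[name] = int(val) if name in COUNTERS and val is not None else val
    return rec
def split_endpoint(value):
    """'ip:port' -> (ip, port); for ICMP the port slot is the type/code."""
    if value is None:
        return (None, None)
    ip, _, port = value.rpartition(":")
    return (ip, int(port))
def status_code(rec):
    """Result Code as an int: decimal or 0x-prefixed HRESULT, None -> 0."""
    raw = rec.get("status")
    return 0 if raw is None else int(raw, 0)
def non_policy_drops(lines, fields=W3C_FIELDS):
    """Entries denied for a reason other than a policy rule (e.g. intrusion
    detection or a flood threshold): rule is empty, status gives the reason."""
    recs = [parse_line(l, fields) for l in lines if l.strip() and l[0] != "#"]
    return [r for r in recs if r["rule"] is None and status_code(r) != 0]

SAMPLE = ["\t".join(v) for v in (  # constructed entries, not real log data
    ["TMG01", "2011-03-01", "08:15:02", "TCP", "10.0.0.5:49152", "203.0.113.10:443",
     "10.0.0.5", "Internal", "External", "Initiated Connection", "0", "Allow Web",
     "HTTPS", "-", "512", "512", "2048", "2048", "35", "35", "-", "example.test",
     "CORP\\alice", "-", "1", "7", "Internal", "-", "-", "2011-03-01 08:15:02"],
    ["TMG01", "2011-03-01", "08:15:03", "ICMP", "198.51.100.7:8", "203.0.113.2:0",
     "198.51.100.7", "External", "Local Host", "Denied Connection", "0x80004005",
     "", "Ping", "-", "0", "0", "0", "0", "0", "0", "-", "-", "Anonymous", "-",
     "2", "8", "External", "-", "-", "2011-03-01 08:15:03"])]
```

Because a disabled field is absent from W3C output rather than written as a hyphen, pass the enabled subset of W3C_FIELDS (in bit order) as `fields` when a log was written with some fields turned off.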