The following table lists the Firewall and Web proxy log
fields.
| Field Position | Descriptive Name (Field Name) | Description |
|---|---|---|
| 1 | Client IP (c-ip) | The Internet protocol (IP) address of the requesting client. |
| 2 | Client user name (cs-username) | Account of the user making the request. If ISA Server Access Control is not being used, ISA Server uses Anonymous. |
| 3 | Client agent (c-agent) | The client application type sent by the client in the Hypertext Transfer Protocol (HTTP) header. When ISA Server is actively caching, the client agent is ISA Server. For Firewall service, this field includes information about the client's operating system. See Operating system values. |
| 4 | Authentication status (sc-authenticated) | Indicates whether or not the client has been authenticated with the ISA Server. Possible values are Y and N. |
| 5 | Date (date) | The date that the logged event occurred. |
| 6 | Time (time) | The time that the logged event occurred. In W3C format, this is in Greenwich Mean Time. |
| 7 | Service name (s-sitename) | The name of the service that is logged. w3proxy indicates outgoing Web requests to the Web proxy service. fwsrv indicates the Firewall service. w3reverseproxy indicates incoming Web requests to the Web proxy service. |
| 8 | Proxy name (s-computername) | The name of the computer running ISA Server. This is the computer name assigned in Windows 2000. |
| 9 | Referring server name (cs-referred) | If ISA Server is used upstream in a chained configuration, this indicates the server name of the downstream server that sent the request. |
| 10 | Destination name (r-host) | The domain name for the remote computer that provides service to the current connection. For the Web proxy service, a hyphen (-) in this field may indicate that an object was retrieved from the Web proxy server cache and not from the destination. |
| 11 | Destination IP (r-ip) | The network IP address for the remote computer that provides service to the current connection. For the Web proxy service, a hyphen (-) in this field may indicate that an object was sourced from the Web proxy server cache and not from the destination. One exception is negative caching. In that case, this field indicates a destination IP address for which a negative-cached object was returned. |
| 12 | Destination port (r-host) | The reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request. |
| 13 | Processing time (time-taken) | This indicates the total time, in milliseconds, that is needed by ISA Server to process the current connection. It measures elapsed server time from the time that the server first received the request to the time when final processing occurred on the server—when results were returned to the client and the connection was closed. For cache requests that were processed through the Web proxy service, processing time measures the elapsed server time needed to fully process a client request and return an object from the server cache to the client. |
| 14 | Bytes sent (sc-bytes) | The number of bytes sent from the internal client to the external server during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer. |
| 15 | Bytes received (cs-bytes) | The number of bytes sent from the external computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the external computer. |
| 16 | Protocol name (cs-protocol) | Specifies the application protocol used for the connection. Common values are HTTP, FTP, Gopher, and Secure Hypertext Transfer Protocol (HTTPS). |
| 17 | Transport (cs-transport) | Specifies the transport protocol used for the connection. Common values are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). |
| 18 | Operation (s-operation) | Specifies the application method used. For Web Proxy, common values are GET, PUT, POST, and HEAD. For Firewall service, common values are CONNECT, BIND, SEND, RECEIVE, GHBN (GetHostByName), and GHBA (GetHostByAddress). |
| 19 | Object name (cs-url) | For the Web proxy service, this field shows the contents of the URL request. This field applies only to the Web proxy service log. |
| 20 | Object MIME (cs-mime-type) | The Multipurpose Internet Mail Extensions (MIME) type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined or supported by the remote computer. This field applies only to the Web Proxy service log. |
| 21 | Object source (s-object-source) | Indicates the source that was used to retrieve the current object. A table of some possible values is provided in Object source values. |
| 22 | Result code (sc-status) | This field can be used to indicate a Windows (Win32) error code (for values less than 100), an HTTP status code (for values between 100 and 1,000), or a Winsock error code (for values between 10,000 and 11,004). A table of some possible values is provided in Result code values. |
| 23 | Cache info (s-cache-info) | This number reflects the cache status of the object, which indicates why the object was or was not cached. This field applies only to the Web proxy service log. A table of some possible values is provided in Cache info values. |
| 24 | Rule #1 (rule#1) | This reflects the rule that either allowed or denied access to the request, as follows: If an outgoing request is allowed, this field reflects the protocol rule that allowed the request. If an outgoing request is denied by a protocol rule, this field reflects the protocol rule. If an outgoing request is denied by a site and content rule, this field reflects the protocol rule that would have allowed the request. If an incoming request was denied, this field reflects the Web publishing or server publishing rule that denied the request. If no rule specifically allowed the outgoing or incoming request, the request is denied. In this case, the field is empty. |
| 25 | Rule #2 (rule#2) | This reflects the second rule that either allowed or denied access to the request. If an outgoing request is allowed, this field reflects the site and content rule that allowed the request. If an outgoing request is denied by a site and content rule, this field reflects the site and content rule that denied the request. If no rule specifically allowed the outgoing or incoming request, the request is denied. In this case, the field is empty. |
| 26 | Session ID (sessionid) | This identifies a session's connections. For Firewall clients, each process that connects through the Firewall service initiates a session. For secure network address translation (SecureNAT) clients, a single session is opened for all the connections that originate from the same IP address. This field is not included in the Web Proxy service log. This field applies only to the Firewall service log. |
| 27 | Connection ID (connectionid) | This identifies entries that belong to the same socket. Outbound TCP usually has two entries for each connection: when the connection is established and when the connection is terminated. UDP usually has two entries for each remote address. This field is not included in the Web Proxy service log. This field applies only to the Firewall service log. |
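
As an added example (not part of the original documentation), the following Python code reads one record by field position and applies three rules stated in the table: the Result code ranges, the hyphen in Destination name as a possible cache hit, and an empty Rule #1 as a denial with no matching rule. It assumes tab-separated lines with every field logged in table order; the sample lines, host names and rule names are constructed.

```python
# Descriptive names from the field table, in position order (1-27).
FIELDS = [
    "Client IP", "Client user name", "Client agent", "Authentication status",
    "Date", "Time", "Service name", "Proxy name", "Referring server name",
    "Destination name", "Destination IP", "Destination port", "Processing time",
    "Bytes sent", "Bytes received", "Protocol name", "Transport", "Operation",
    "Object name", "Object MIME", "Object source", "Result code", "Cache info",
    "Rule #1", "Rule #2", "Session ID", "Connection ID",
]

def parse_record(line, sep="\t"):
    """Map a log line to {name: value}; "-" and "" become None.
    Assumption: every field is logged, in table order, separated by sep."""
    values = line.rstrip("\r\n").split(sep)
    # Session ID and Connection ID (26, 27) exist only in the Firewall log.
    if len(values) not in (25, 27):
        raise ValueError(f"expected 25 or 27 fields, got {len(values)}")
    return {n: (None if v in ("-", "") else v) for n, v in zip(FIELDS, values)}

def classify_result(code):
    """Apply the numeric ranges the table gives for the Result code field."""
    if code is None:
        return "none"
    n = int(code)
    if n < 100:
        return "win32"
    if n <= 1000:
        return "http"
    return "winsock" if 10000 <= n <= 11004 else "unknown"

def triage(rec):
    """Facts a reviewer can read off one record, per the field descriptions."""
    web = rec["Service name"] in ("w3proxy", "w3reverseproxy")
    return {
        "result_kind": classify_result(rec["Result code"]),
        # A hyphen in Destination name may mean a cache hit (Web proxy only).
        "possible_cache_hit": web and rec["Destination name"] is None,
        # Rule #1 empty: no rule allowed the request, so it was denied.
        "denied_no_rule": rec["Rule #1"] is None,
    }

# Constructed sample lines, not taken from a real log.
WEB_LINE = "\t".join("10.0.0.5 CORP\\alice Mozilla/4.0 Y 2001-05-01 12:00:01 w3proxy "
    "ISA01 - - - 80 15 312 2048 HTTP TCP GET http://example.com/ text/html - 200 "
    "0x8 AllowWeb AllowAll".split())
FW_LINE = "\t".join("10.0.0.9 Anonymous - N 2001-05-01 12:00:02 fwsrv ISA01 - "
    "host.example 192.0.2.10 25 0 0 0 - TCP CONNECT - - - 10061".split()
    + ["-", "", "", "7", "12"])
```
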
| Value | Description |
|---|---|
| 0x00000001 | Request should not be served from the cache. |
| 0x00000002 | Request includes the IF-MODIFIED-SINCE header. |
| 0x00000004 | Request includes one of these headers: CACHE-CONTROL:NO-CACHE or PRAGMA:NO-CACHE. |
| 0x00000008 | Request includes the AUTHORIZATION header. |
| 0x00000010 | Request includes the VIA header. |
| 0x00000020 | Request includes the IF-MATCH header. |
| 0x00000040 | Request includes the RANGE header. |
| 0x00000080 | Request includes the CACHE-CONTROL: NO-STORE header. |
| 0x00000100 | Request includes the CACHE-CONTROL: MAX-AGE, or CACHE-CONTROL: MAX-STALE or CACHE-CONTROL: MIN-FRESH header. |
| 0x00000200 | Cache could not be updated. |
| 0x00000400 | IF-MODIFIED-SINCE time specified in the request is newer than cached LASTMODIFIED time. |
| 0x00000800 | Request includes the CACHE-CONTROL: ONLY-IF-CACHED header. |
| 0x00001000 | Request includes the IF-NONE-MATCH header. |
| 0x00002000 | Request includes the IF-UNMODIFIED-SINCE header. |
| 0x00004000 | Request includes the IF-RANGE header. |
| 0x00008000 | More than one VARY header. |
| 0x00010000 | Response includes the CACHE-CONTROL: PUBLIC header. |
| 0x00020000 | Response includes the CACHE-CONTROL: PRIVATE header. |
| 0x00040000 | Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. |
| 0x00080000 | Response includes the CACHE-CONTROL: NO-STORE header. |
| 0x00100000 | Response includes either the CACHE-CONTROL: MUST-REVALIDATE or CACHE-CONTROL: PROXY-REVALIDATE header. |
| 0x00200000 | Response includes the CACHE-CONTROL: MAX-AGE or S-MAXAGE header. |
| 0x00400000 | Response includes the VARY header. |
| 0x00800000 | Response includes the LAST-MODIFIED header. |
| 0x01000000 | Response includes the EXPIRES header. |
| 0x02000000 | Response includes the SET-COOKIE header. |
| 0x04000000 | Response includes the WWW-AUTHENTICATE header. |
| 0x08000000 | Response includes the VIA header. |
| 0x10000000 | Response includes the AGE header. |
| 0x20000000 | Response includes the TRANSFER-ENCODING header. |
| 0x40000000 | Response should not be cached. |
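
Because each value in this table is a single bit, one logged number can carry several of them at once. The following Python decoder is an added example, not part of the original documentation; it assumes the log writes the number as hex (`0x...`) or decimal, and the short flag labels and the `AUTH_RELATED` grouping are names chosen here for illustration.

```python
# Bit i (value 1 << i) has the meaning at index i, in the table's order.
CACHE_INFO_FLAGS = (
    "req: do not serve from cache",                  # 0x00000001
    "req: IF-MODIFIED-SINCE",                        # 0x00000002
    "req: CACHE-CONTROL/PRAGMA NO-CACHE",            # 0x00000004
    "req: AUTHORIZATION",                            # 0x00000008
    "req: VIA",                                      # 0x00000010
    "req: IF-MATCH",                                 # 0x00000020
    "req: RANGE",                                    # 0x00000040
    "req: CACHE-CONTROL NO-STORE",                   # 0x00000080
    "req: MAX-AGE/MAX-STALE/MIN-FRESH",              # 0x00000100
    "cache could not be updated",                    # 0x00000200
    "req: IF-MODIFIED-SINCE newer than cached copy", # 0x00000400
    "req: CACHE-CONTROL ONLY-IF-CACHED",             # 0x00000800
    "req: IF-NONE-MATCH",                            # 0x00001000
    "req: IF-UNMODIFIED-SINCE",                      # 0x00002000
    "req: IF-RANGE",                                 # 0x00004000
    "more than one VARY header",                     # 0x00008000
    "resp: CACHE-CONTROL PUBLIC",                    # 0x00010000
    "resp: CACHE-CONTROL PRIVATE",                   # 0x00020000
    "resp: CACHE-CONTROL/PRAGMA NO-CACHE",           # 0x00040000
    "resp: CACHE-CONTROL NO-STORE",                  # 0x00080000
    "resp: MUST-REVALIDATE/PROXY-REVALIDATE",        # 0x00100000
    "resp: MAX-AGE/S-MAXAGE",                        # 0x00200000
    "resp: VARY",                                    # 0x00400000
    "resp: LAST-MODIFIED",                           # 0x00800000
    "resp: EXPIRES",                                 # 0x01000000
    "resp: SET-COOKIE",                              # 0x02000000
    "resp: WWW-AUTHENTICATE",                        # 0x04000000
    "resp: VIA",                                     # 0x08000000
    "resp: AGE",                                     # 0x10000000
    "resp: TRANSFER-ENCODING",                       # 0x20000000
    "resp: should not be cached",                    # 0x40000000
)

def decode_cache_info(value):
    """Return the meaning of every set bit in a cache info value.
    Assumption: the log writes the number as hex ("0x...") or decimal."""
    n = int(value, 16) if value.lower().startswith("0x") else int(value)
    if n < 0 or n >> len(CACHE_INFO_FLAGS):
        raise ValueError(f"bits outside the documented range: {value!r}")
    return [name for i, name in enumerate(CACHE_INFO_FLAGS) if n >> i & 1]

# Hypothetical grouping: flags showing credentials or session state in transit.
AUTH_RELATED = {"req: AUTHORIZATION", "resp: SET-COOKIE", "resp: WWW-AUTHENTICATE"}
def auth_related(value):
    """Subset of decoded flags that belong to AUTH_RELATED."""
    return [f for f in decode_cache_info(value) if f in AUTH_RELATED]
```
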