The following table lists the log fields that can be included in
Firewall service log entries by setting the corresponding bit in
the LogFieldSelection property of the FPCLog object for Firewall
service logging.

| Bit number | Field name (Log Viewer) | Field name (SQL files) | Description |
|---|---|---|---|
| 0 | Server Name | servername | The name of the ISA Server computer. This is the computer name assigned in Microsoft Windows. |
| 1 | Log Date | LogDate | The date on which the logged event occurred. |
| 2 | Log Time | LogTime | The time when the logged event occurred. In W3C format, this is the Coordinated Universal Time (UTC). |
| 3 | Transport | protocol | The transport protocol used for the connection. Common values are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). |
| 4 | Client IP and Port | Source | The Internet Protocol (IP) address of the requesting client and the source port used. |
| 5 | Destination IP and Port | Destination | The network IP address and the reserved port number on the remote computer that provides service to the current connection. The port number is used by the client application initiating the request. |
| 6 | Original Client IP | OriginalClientIP | The original IP address of the requesting client. |
| 7 | Source Network | SourceNetwork | The network from which the request originated. |
| 8 | Destination Network | DestinationNetwork | The network to which the request was sent. |
| 9 | Action | Action | The action performed by the Microsoft Firewall service for the current session or connection. The possible values are defined in the FpcAction enumerated type. |
| 10 | Result Code | resultcode | A Windows error code or an ISA Server error code in HRESULT format. |
| 11 | Rule | rule | The rule that either allowed or denied access to the request, as follows: If an outgoing request was allowed, this field reflects the protocol rule that allowed the request. If an outgoing request was denied by a protocol rule, this field reflects the protocol rule. If an outgoing request is denied by an access rule, this field reflects the protocol rule that would have allowed the request. If an incoming request was denied, this field reflects the Web publishing or server publishing rule that denied the request. If no rule specifically allowed the outgoing or incoming request, the request is denied. In this case, the field is empty. |
| 12 | Protocol | ApplicationProtocol | The name of the application protocol used for the connection as defined in the collection of protocol definitions. |
| 13 | Bidirectional | Bidirectional | A value from the FpcBidirectional enumerated type that indicates whether the connection was bidirectional. |
| 14 | Bytes Sent | bytessent | The total number of bytes sent from the client to the destination host during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
| 15 | Bytes Sent Delta | bytessentDelta | The number of bytes sent from the client to the destination host since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
| 16 | Bytes Received | bytesrecvd | The total number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 17 | Bytes Received Delta | bytesrecvdDelta | The number of bytes sent from the remote computer and received by the client since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 18 | Processing Time | connectiontime | The total time, in milliseconds, that was needed by ISA Server to process the current connection. It measures the time elapsed from the time when the ISA Server computer first received the request to the time when final processing occurred on the ISA Server computer, that is, when results were returned to the client and the connection was closed. |
| 19 | Processing Time Delta | connectiontimeDelta | The time, in milliseconds, that has elapsed since the previous log entry for the current connection. |
| 20 | Source Proxy | SourceProxy | Reserved for future use. |
| 21 | Destination Proxy | DestinationProxy | Reserved for future use. |
| 22 | Client Host Name | SourceName | Reserved for future use. |
| 23 | Destination Host Name | DestinationName | The domain name for the remote computer that provides service to the current connection. |
| 24 | Client Username | ClientUserName | The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by ISA Server. If ISA Server access control is not being used, ISA Server uses Anonymous. |
| 25 | Client Agent | ClientAgent | The name and version of the operating system that is running on the Firewall client that created the session, as indicated by the Hypertext Transfer Protocol (HTTP) User-Agent header sent by the client's browser application. This field is not applicable to SecureNAT sessions. For the supported strings, see Client Agent Values. A User-Agent header that is not supported is regarded as an unknown operating system. |
| 26 | Session ID | sessionid | An identifier that identifies a session's connections. For Firewall clients, each process that connects through the Microsoft Firewall service initiates a session. For secure network address translation (SecureNAT) clients, a single session is opened for all the connections that originate from the same IP address. |
| 27 | Connection ID | connectionid | An identifier that identifies entries belonging to the same socket. Outbound TCP usually has two entries for each connection: when the connection is established and when the connection is terminated. UDP usually has two entries for each remote address. |
| 28 | Network Interface | Interface | The network adapter with which the connection was established on the ISA Server computer. |
| 29 | Raw IP Header | IPHeader | The IP header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by ISA Server. |
| 30 | Raw Payload | Payload | The protocol header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by ISA Server. |
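
The bit-to-field mapping in the table, as an added Python example (not code from the original page or from ISA Server): it builds a LogFieldSelection value from SQL field names and audits an existing value for gaps. The function names and the `BASELINE` set of fields an investigation typically needs are assumptions of this example; the field names, bit numbers and reserved fields come from the table.

```python
# SQL field names in bit order (bit 0 first), copied from the table above.
FIELDS = (
    "servername LogDate LogTime protocol Source Destination OriginalClientIP "
    "SourceNetwork DestinationNetwork Action resultcode rule ApplicationProtocol "
    "Bidirectional bytessent bytessentDelta bytesrecvd bytesrecvdDelta "
    "connectiontime connectiontimeDelta SourceProxy DestinationProxy SourceName "
    "DestinationName ClientUserName ClientAgent sessionid connectionid Interface "
    "IPHeader Payload"
).split()
BIT = {name: bit for bit, name in enumerate(FIELDS)}

# The table marks these fields "Reserved for future use": enabling them adds no data.
RESERVED = {"SourceProxy", "DestinationProxy", "SourceName"}

# Assumption (not from the page): fields needed to reconstruct who connected
# where, what the firewall decided, and how log entries relate to each other.
BASELINE = {"LogDate", "LogTime", "protocol", "Source", "Destination", "Action",
            "resultcode", "rule", "ClientUserName", "sessionid", "connectionid"}


def build_mask(names):
    """Return the LogFieldSelection value with the bit set for each SQL field name."""
    mask = 0
    for name in names:
        mask |= 1 << BIT[name]  # KeyError for a name that is not in the table
    return mask


def audit_mask(mask):
    """Decode a mask and report baseline gaps, reserved bits and undefined bits."""
    if mask < 0:
        raise ValueError("mask must be non-negative")
    enabled = [n for n in FIELDS if mask & (1 << BIT[n])]
    return {
        "enabled": enabled,
        "missing_baseline": sorted(BASELINE - set(enabled)),
        "reserved_enabled": sorted(RESERVED & set(enabled)),
        "undefined_bits": [b for b in range(len(FIELDS), mask.bit_length())
                           if mask & (1 << b)],
    }


if __name__ == "__main__":
    # Constructed sample: a selection that omits the rule and connection ID fields.
    sample = build_mask((BASELINE - {"rule", "connectionid"}) | {"SourceProxy"})
    print(hex(sample), audit_mask(sample))
```

A selection without `connectionid` cannot pair the establish and terminate entries of a socket, and one without `rule` cannot attribute an allow or deny decision, which is why the audit reports them by name.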