The following table lists the log fields that can be included in
ISA Server Web proxy log entries by setting the corresponding bit
in the LogFieldSelection
property of the FPCLog
object for Web proxy logging.
| Bit number |
Field name (Log Viewer) |
Field name (MSDE files) |
Description |
| 0 |
Client IP |
ClientIP |
The Internet Protocol
(IP) address of the requesting client. |
| 1 |
Client Username |
ClientUserName |
The account of the user making the request. A question mark (?)
next to the user name indicates that the user name was sent but the
user was not authenticated by ISA Server. If ISA Server access
control is not being used, ISA Server uses Anonymous. |
| 2 |
Client Agent |
ClientAgent |
The name and version of the client application sent by the
client in the Hypertext
Transfer Protocol (HTTP) User-Agent header. When ISA Server
is actively caching, this field is set to ISA Server. |
| 3 |
Authenticated Client |
ClientAuthenticate |
A value that indicates whether the client has been
authenticated with the ISA Server computer. Possible values are Y
and N. |
| 4 |
Log Date |
TimeStamp |
The date on which the logged event occurred. |
| 5 |
Log Time |
Not applicable |
The time when the logged event occurred. In W3C format, this is
the Coordinated Universal Time (UTC). |
| 6 |
Service |
service |
The name of the service that is logged. For example,
fwsrv indicates the Microsoft Firewall service. |
| 7 |
Server Name |
servername |
The name of the ISA Server computer. This is the computer name
assigned in Windows Server 2003 and Windows 2000. |
| 8 |
Referring Server |
referredserver |
If ISA Server is used upstream in a chained configuration, this
field contains the name of the downstream server that sent the
request. |
| 9 |
Destination Host Name |
DestHost |
The domain name for the remote computer that provides service
to the current connection. A hyphen (-) in this field may indicate
that an object was retrieved from the local cache and not from the
destination. |
| 10 |
Destination IP |
DestHostIP |
The network IP address of the remote computer that provides
service to the current connection. A hyphen (-) in this field may
indicate that an object was sourced from the local cache and not
from the destination. One exception is negative caching.
In that case, this field contains a destination IP address for
which a negative cached object was returned. |
| 11 |
Destination Port |
DestHostPort |
The reserved port
number on the remote computer that provides service to the
current connection. This is used by the client application
initiating the request. |
| 12 |
Processing Time |
processingtime |
The total time, in milliseconds, that is needed by ISA Server
to process the current connection. It measures the time elapsed
from the time when the server first receives the request to the
time when final processing occurs on the server—when results are
returned to the client and the connection is closed.
For cache requests that are processed through the ISA Server Web
proxy, the processing time measures the elapsed server time needed
to fully process a client request and return an object from the
server cache to the client. |
| 13 |
Bytes Received |
bytesrecvd |
The number of bytes sent from the remote computer and received
by the client during the current connection. A hyphen (-), a zero
(0), or a negative number in this field indicates that this
information was not provided by the remote computer or that no
bytes were received from the remote computer. |
| 14 |
Bytes Sent |
bytessent |
The number of bytes sent from the client to the remote computer
during the current connection. A hyphen (-), a zero (0), or a
negative number in this field indicates that this information was
not provided by the remote computer or that no bytes were sent to
the remote computer. |
| 15 |
Protocol |
protocol |
The application protocol used for the connection. Common values
are Hypertext Transfer Protocol (HTTP), File Transfer
Protocol (FTP), Gopher, and Secure HTTP
(HTTPS). |
| 16 |
Transport |
transport |
The transport protocol used for the connection. Common values
are Transmission
Control Protocol (TCP) and User Datagram
Protocol (UDP). |
| 17 |
HTTP Method |
operation |
The HTTP method used. Common values are GET, PUT, POST, and
HEAD. |
| 18 |
URL |
uri |
The contents of the URL request. |
| 19 |
MIME Type |
mimetype |
The
Multipurpose Internet Mail Extensions (MIME) type for the
current object. This field may also contain a hyphen (-) to
indicate that this field is not used or that a valid MIME type was
not defined or supported by the remote computer. |
| 20 |
Object Source |
objectsource |
The type of source that was used to retrieve the current
object. A table of some possible values is provided in Object Source Values. |
| 21 |
Result Code |
resultcode |
A Windows (Win32) error code (for values less than 100), an
HTTP status code (for values between 100 and 1,000), or a Winsock
error code (for values between 10,000 and 11,004). A table of some
possible values is provided in Result Code Values. |
| 22 |
Cache Info |
CacheInfo |
A number reflecting the cache status of the object, which
indicates why the object was or was not cached. A table of some
possible values is provided in Cache Information Values. |
| 23 |
Rule |
rule |
The rule that either allowed or denied access to the request,
as follows:
- If an outgoing request was allowed, this field reflects the
protocol rule that allowed the request.
- If an outgoing request was denied by a protocol rule, this
field reflects the protocol rule.
- If an outgoing request is denied by an access rule, this field
reflects the protocol rule that would have allowed the
request.
- If an incoming request was denied, this field reflects the Web
publishing or server publishing rule that denied the request.
- If no rule specifically allowed the outgoing or incoming
request, the request is denied. In this case, the field is
empty.
|
| 24 |
Filter Information |
FilterInfo |
The second rule that either allowed or denied access to the
request, as follows:
- If an outgoing request is allowed, this field reflects the
access rule that allowed the request.
- If an outgoing request is denied by an access rule, this field
reflects the access rule that denied the request.
- If no rule specifically allowed the outgoing or incoming
request, the request is denied. In this case, the field is
empty.
|
| 25 |
Source Network |
SrcNetwork |
The network from which the request originated. |
| 26 |
Destination Network |
DstNetwork |
The network to which the request was sent. |
| 27 |
Error info (ErrorInfo) |
ErrorInfo |
A 32-bit bitmask that provides additional information about the
request that can help identify the source of the error if an error
occurred. A table of the possible bit fields is provided in
Error Information Bit
Fields. |
| 28 |
Action |
Action |
The action performed by the Microsoft
Firewall service for the current session or connection. The
possible values are defined in the FpcAction enumerated type. |
| Value |
Description |
| 0x00000001 |
Request should not be served from the cache. |
| 0x00000002 |
Request includes the IF-MODIFIED-SINCE header. |
| 0x00000004 |
Request includes one of these headers: CACHE-CONTROL:NO-CACHE
or PRAGMA:NO-CACHE. |
| 0x00000008 |
Request includes the AUTHORIZATION header. |
| 0x00000010 |
Request includes the VIA header. |
| 0x00000020 |
Request includes the IF-MATCH header. |
| 0x00000040 |
Request includes the RANGE header. |
| 0x00000080 |
Request includes the CACHE-CONTROL: NO-STORE header. |
| 0x00000100 |
Request includes the CACHE-CONTROL: MAX-AGE, or CACHE-CONTROL:
MAX-STALE, or CACHE-CONTROL: MIN-FRESH header. |
| 0x00000200 |
Cache could not be updated. |
| 0x00000400 |
IF-MODIFIED-SINCE time specified in the request is newer than
cached LASTMODIFIED time. |
| 0x00000800 |
Request includes the CACHE-CONTROL: ONLY-IF-CACHED header. |
| 0x00001000 |
Request includes the IF-NONE-MATCH header. |
| 0x00002000 |
Request includes the IF-UNMODIFIED-SINCE header. |
| 0x00004000 |
Request includes the IF-RANGE header. |
| 0x00008000 |
More than one VARY header. |
| 0x00010000 |
Response includes the CACHE-CONTROL: PUBLIC header. |
| 0x00020000 |
Response includes the CACHE-CONTROL: PRIVATE header. |
| 0x00040000 |
Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA:
NO-CACHE header. |
| 0x00080000 |
Response includes the CACHE-CONTROL: NO-STORE header. |
| 0x00100000 |
Response includes either the CACHE-CONTROL: MUST-REVALIDATE or
CACHE-CONTROL: PROXY-REVALIDATE header. |
| 0x00200000 |
Response includes the CACHE-CONTROL: MAX-AGE or S-MAXAGE
header. |
| 0x00400000 |
Response includes the VARY header. |
| 0x00800000 |
Response includes the LAST-MODIFIED header. |
| 0x01000000 |
Response includes the EXPIRES header. |
| 0x02000000 |
Response includes the SET-COOKIE header. |
| 0x04000000 |
Response includes the WWW-AUTHENTICATE header. |
| 0x08000000 |
Response includes the VIA header. |
| 0x10000000 |
Response includes the AGE header. |
| 0x20000000 |
Response includes the TRANSFER-ENCODING header. |
| 0x40000000 |
Response should not be cached. |