The following table lists the log fields that can be included in Firewall service log entries by setting the corresponding bit in the LogFieldSelection property of the FPCLog object for Firewall service logging.
| Bit number | Field name (Log Viewer) | Field name (SQL Server Express databases) | Field name (W3C files) | Description |
|---|---|---|---|---|
| 0 | Server Name | servername | computer | The name of the Forefront TMG computer. This is the computer name assigned in Microsoft Windows. |
| 1 | Log Date | logTime | date | The date on which the logged event occurred. In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 2 | Log Time | logTime | time | The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 3 | Transport | protocol | IP Protocol | The transport protocol used for the connection. Common values are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). |
| 4 | Client IP and Port | SourceIP
SourcePort |
source | The Internet Protocol (IP) address of the requesting client and the source port used. In SQL Server Express format, there are separate SourceIP and SourcePort fields to allow individual querying. For ICMP packets, the additional field indicates the ICMP type. |
| 5 | Destination IP and Port | DestinationIP
DestinationPort |
destination | The network IP address and the reserved port number on the remote computer that provides service to the current connection. The port number is used by the client application initiating the request. In SQL Server Express format, there are separate DestinationIP and DestinationPort fields to allow individual querying. For ICMP packets, the additional field indicates the ICMP code. |
| 6 | Original Client IP | OriginalClientIP | original client IP | The original IP address of the requesting client. |
| 7 | Source Network | SourceNetwork | source network | The network from which the request originated. |
| 8 | Destination Network | DestinationNetwork | destination network | The network to which the request was sent. |
| 9 | Action | Action | action | The action performed by the Microsoft Firewall service for the current session or connection. The possible values are defined in the FpcAction enumerated type. |
| 10 | Result Code | resultcode | status | A Windows error code or a Forefront TMG error code in HRESULT format. For more information about Forefront TMG error codes, see Error Codes. |
| 11 | Rule | Rule | rule | The rule that either allowed or denied access to the request,
as follows:
|
| 12 | Protocol | ApplicationProtocol | application protocol | The name of the application protocol used for the connection as defined in the collection of protocol definitions. |
| 13 | Bidirectional | Bidirectional | bidirectional | A value from the FpcBidirectional enumerated type that indicates whether the connection was bidirectional. |
| 14 | Bytes Sent | bytessent | bytes sent | The total number of bytes sent from the client to the destination host during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
| 15 | Bytes Sent Delta | bytessentDelta | bytes sent intermediate | The number of bytes sent from the client to the destination host since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
| 16 | Bytes Received | bytesrecvd | bytes received | The total number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 17 | Bytes Received Delta | bytesrecvdDelta | bytes received intermediate | The number of bytes sent from the remote computer and received by the client since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 18 | Processing Time | ConnectionTime | connection time | The total time, in milliseconds, that was needed by Forefront TMG to process the current connection. It measures the time elapsed from the time when the Forefront TMG computer first received the request to the time when final processing occurred on the Forefront TMG computer—when results were returned to the client and the connection was closed. |
| 19 | Processing Time Delta | connectiontimeDelta | connection time intermediate | The time, in milliseconds, that has elapsed since the previous log entry for the current connection. |
| 20 | Source Proxy | SourceProxy | source proxy | Reserved for future use. |
| 21 | Destination Proxy | DestinationProxy | destination proxy | Reserved for future use. |
| 22 | Client Host Name | SourceName | Source Name | Reserved for future use. |
| 23 | Destination Host Name | DestinationName | destination name | The domain name for the remote computer that provides service to the current connection. |
| 24 | Client Username | ClientUserName | username | The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous. |
| 25 | Client Agent | ClientAgent | agent | The name and version of the operating system that is running on
the Firewall client that created the session, as indicated by the
Hypertext
Transfer Protocol (HTTP) User-Agent header sent by the
client's browser application. This field is not applicable to
SecureNAT sessions.
For the supported strings, see Client Agent Values. A User-Agent header that is not supported is regarded as an unknown operating system. |
| 26 | Session ID | sessionid | Session ID | An identifier that identifies a session's connections. For Firewall clients, each process that connects through the Microsoft Firewall service initiates a session. For secure network address translation (SecureNAT) clients, a single session is opened for all the connections that originate from the same IP address. |
| 27 | Connection ID | connectionid | Connection ID | An identifier that identifies entries belonging to the same socket. Outbound TCP usually has two entries for each connection: when the connection is established and when the connection is terminated. UDP usually has two entries for each remote address. |
| 28 | Network Interface | Interface | interface | The network adapter with which the connection was established on the Forefront TMG computer. |
| 29 | Raw IP Header | IPHeader | IP header | The IP header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by Forefront TMG. |
| 30 | Raw Payload | Payload | protocol payload | The protocol header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by Forefront TMG. |
| 31 | GMT Log Time | GmtLogTime | GMT Time | The date and time in Coordinated Universal Time (UTC) when the log entry was made. |
| 32 | IPS Scan Result | ipsScanResult | IPS scan result | The Network Inspection System (NIS) scan result (not supported in Forefront TMG Medium Business Edition). |
| 33 | IPS Signature | ipsSignature | IPS signature | The Network Inspection System (NIS) signature (not supported in Forefront TMG Medium Business Edition). |
| User-Agent header | Client Agent value |
|---|---|
| Windows NT 5.2 | Windows Server 2003 |
| Windows NT 5.1 | Windows XP |
| windows nt 5 | Windows 2000 |
| windows 2000 | Windows 2000 |
| win2000 | Windows 2000 |
| winnt | Windows NT |
| windows nt | Windows NT |
| win98 | Windows 98 |
| windows 98 | Windows 98 |
| win95 | Windows 95 |
| windows 95 | Windows 95 |
| win32 | Windows 32-bit |
| win16 | Windows 16-bit |
| windows ce | Windows CE |
| windows | Windows |
| aix | aix |
| amiga | amiga |
| hp | hp |
| irix | irix |
| linux | linux |
| mac | mac |
| solaris | solaris |
| sun | sun |
| unix | unix |
| vax | vax |
Send comments about this topic to Microsoft
Build date: 11/30/2009
© 2008 Microsoft Corporation. All rights reserved.