Web Proxy Log Fields

The following table lists the log fields that can be included in Forefront TMG Web proxy log entries by setting the corresponding bit in the LogFieldSelection property of the FPCLog object for Web proxy logging.

Bit number Field name (log viewer) Field name (SQL Server Express databases) Field name (W3C files) Description
  0 Client IP ClientIP c-ip The Internet Protocol (IP) address of the requesting client.
  1 Client Username ClientUserName cs-username The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous.
  2 Client Agent ClientAgent c-agent The name and version of the client application sent by the client in the Hypertext Transfer Protocol (HTTP) User-Agent header. When Forefront TMG is actively caching, this field is set to Forefront TMG.
  3 Authenticated Client ClientAuthenticate sc-authenticated A value that indicates whether the client has been authenticated with the Forefront TMG computer. Possible values are Y and N.
  4 Log Date logTime date The date on which the logged event occurred. In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set.
  5 Log Time logTime time The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set.
  6 Service service s-svcname The name of the service that is logged. For example, fwsrv indicates the Microsoft Firewall service.
  7 Server Name servername s-computername The name of the Forefront TMG computer. This is the computer name assigned in Windows Server 2008.
  8 Referring Server referredserver cs-referred The URL of the resource that supplied the requested URL to the client, as indicated in the Referrer header of the request.
  9 Destination Host Name DestHost r-host The domain name for the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was retrieved from the local cache and not from the destination.
10 Destination IP DestHostIP r-ip The network IP address of the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was sourced from the local cache and not from the destination. One exception is negative caching. In that case, this field contains a destination IP address for which a negative cached object was returned.
11 Destination Port DestHostPort r-port The reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request.
12 Processing Time processingtime time-taken The total time, in milliseconds, that is needed by Forefront TMG to process the current connection. It measures the time elapsed from the time when the server first receives the request to the time when final processing occurs on the server—when results are returned to the client and the connection is closed.

For cache requests that are processed through the Forefront TMG Web proxy, the processing time measures the elapsed server time needed to fully process a client request and return an object from the server cache to the client.

13 Bytes Received bytesrecvd cs-bytes The number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer.
14 Bytes Sent bytessent sc-bytes The number of bytes sent from the client to the remote computer during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer.
15 Protocol protocol cs-protocol The application protocol used for the connection. Common values are http for Hypertext Transfer Protocol, https for Secure HTTP, and ftp for File Transfer Protocol.
16 Transport transport cs-transport The transport protocol used for the connection. Common values are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
17 HTTP Method operation s-operation The HTTP method used. Common values are GET, PUT, POST, and HEAD.
18 URL uri cs-uri The URL requested.
19 MIME Type mimetype cs-mime-type The Multipurpose Internet Mail Extensions (MIME) type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined or supported by the remote computer.
20 Object Source objectsource s-object-source The type of source that was used to retrieve the current object. A table of some possible values is provided in Object Source Values.
21 HTTP Status Code resultcode sc-status A Windows (Win32) error code (for values less than 100), an HTTP status code (for values between 100 and 1,000), a Winsock error code (for values between 10,004 and 11,031), or a Forefront TMG error code. A table of some possible values is provided in Result Code Values. For more information about Forefront TMG error codes, see Error Codes.
22 Cache Information CacheInfo s-cache-info A number reflecting the cache status of the object, which indicates the reasons why the object was or was not cached. The number logged is the sum of the values for all the conditions that are met. A table of the possible values is provided in Cache Information Values.
23 Rule Rule rule The rule that either allowed or denied access to the request, as follows:
  • If an outgoing request was allowed, this field indicates the access rule that allowed the request.
  • If an outgoing request was denied by a policy rule, this field indicates the access rule that blocked the request.
  • If an incoming request was denied by a policy rule, this field indicates the Web publishing or server publishing rule that denied the request.
  • If Forefront TMG denied the connection for any reason other than a policy rule, this field contains a hyphen (-), and the Result Code field indicates the reason.
24 Filter Information FilterInfo FilterInfo Information supplied by a Web filter. For example, if HTTP Filter rejected a request, this field contains the reason for the rejection.
25 Source Network SrcNetwork cs-network The network from which the request originated.
26 Destination Network DstNetwork sc-network The network to which the request was sent.
27 Error Information ErrorInfo error-info A 32-bit bitmask that provides additional information about the request that can help identify the source of the error if an error occurred. A table of the possible bit fields is provided in Error Information Bit Fields.
28 Action Action action The action performed by the Microsoft Firewall service for the current session or connection. The possible values are defined in the FpcAction enumerated type. Note that strings representing these values are displayed in the log viewer.
29 GMT Log Time GmtLogTime GMT Time The date and time in Coordinated Universal Time (UTC) when the log entry was made.
30 Authentication Server AuthenticationServer AuthenticationServer The name of the LDAP server or RADIUS server that was used for authentication.
31 IPS Scan Result ipsScanResult IPS scan result The Network Inspection System (NIS) scan result (not supported in Forefront TMG Medium Business Edition).
32 IPS Signature ipsSignature IPS signature The Network Inspection System (NIS) signature (not supported in Forefront TMG Medium Business Edition).
33 Threat Name ThreatName ThreatName The name of the threat found by malware inspection.
34 Malware Inspection Action MalwareInspectionAction MalwareInspectionAction The type of action performed on an HTTP response during malware inspection. The possible values are defined in the FpcMalwareInspectionAction enumerated type. Note that strings representing these values are displayed in the log viewer.
35 Malware Inspection Result MalwareInspectionResult MalwareInspectionResult The reason for the action performed on an HTTP response during malware inspection. The possible values are defined in the FpcMalwareInspectionActionReason enumerated type. Note that strings representing these values are displayed in the log viewer.
36 URL Category UrlCategory UrlCategory The URL category (not supported in Forefront TMG Medium Business Edition).
37 Content Delivery Method MalwareInspectionContentDeliveryMethod MalwareInspectionContentDeliveryMethod The content delivery method used during malware inspection. The possible values are defined in the FpcMalwareInspectionContentDeliveryMethod enumerated type. Note that strings representing these values are displayed in the log viewer.
38 UAG Array Id UagArrayId mi-uagarrayid The Forefront Unified Access Gateway (UAG) array identifier (not supported in Forefront TMG Medium Business Edition).
39 UAG Version UagVersion sc-uagversion The Forefront UAG version number (not supported in Forefront TMG Medium Business Edition).
40 UAG Module Id UagModuleId mi-uagmoduleid The identifier of the Forefront UAG module (not supported in Forefront TMG Medium Business Edition).
41 UAG Id UagId sc-uagid The Forefront UAG identifier (not supported in Forefront TMG Medium Business Edition).
42 UAG Severity UagSeverity mi-uagseverity The Forefront UAG array identifier (not supported in Forefront TMG Medium Business Edition).
43 UAG Type UagType mi-uagtype The Forefront UAG type (not supported in Forefront TMG Medium Business Edition).
44 UAG Event Name UagEventName sc-uageventname The identifying number of the Forefront UAG event (not supported in Forefront TMG Medium Business Edition).
45 UAG Session Id UagSessionId mi-uagsessionid The Forefront UAG session identifier (not supported in Forefront TMG Medium Business Edition).
46 UAG Trunk Name UagTrunkName mi-uagtrunkname The name of the Forefront UAG trunk (not supported in Forefront TMG Medium Business Edition).
47 UAG Service Name UagServiceName mi-uagservicename The name of the Forefront UAG service (not supported in Forefront TMG Medium Business Edition).
48 UAG Error Code UagErrorCode sc-uagerrorcode The Forefront UAG error code (not supported in Forefront TMG Medium Business Edition).
49 Malware Inspection Duration (msec) MalwareInspectionDuration MalwareInspectionDuration The time, in milliseconds, needed to inspect the content of an HTTP response for malware.
50 Threat Level MalwareInspectionThreatLevel MalwareInspectionThreatLevel The threat level of malware detected during malware inspection. The possible values are defined in the FpcMalwareInspectionThreatLevel enumerated type. Note that strings representing these values are displayed in the log viewer.

Object Source Values

Source values Description
0 No source information is available.
Cache Source is the cache. Object returned from cache.
Internet Source is the Internet. Object added to cache.
Member Object returned from another array member.
Not Modified Source is the cache. Client performed an If-Modified-Since request, and object had not been modified.
Not Verified Cache Source is the cache. Object could not be verified to source.
Upstream Object returned from an upstream proxy cache.
Verified Cache Source is the cache. Object was verified to source and had not been modified.
Verify Failed Internet Source is the Internet. Cached object was verified to source and had been modified.

Result Code Values

Value Description
        0 The operation completed successfully.
    200 OK.
    201 Created.
    202 Accepted.
    204 No content.
    301 Moved permanently.
    302 Moved temporarily.
    304 Not modified.
    400 Bad request.
    401 Unauthorized.
    403 Forbidden.
    404 Not found.
    500 Server error.
    501 Not implemented.
    502 Bad gateway.
    503 Out of resources.
    995 Operation aborted.
10060 A connection timed out.
10061 A connection was refused by the destination host.
10065 No route to host.
11001 Host not found.
12217 The request was rejected by HTTP Filter.

Cache Information Values

Value Description
0x00000001 Request should not be served from the cache.
0x00000002 Request includes the IF-MODIFIED-SINCE header.
0x00000004 Request includes one of these headers: CACHE-CONTROL:NO-CACHE or PRAGMA:NO-CACHE.
0x00000008 Request includes the AUTHORIZATION header.
0x00000010 Request includes the VIA header.
0x00000020 Request includes the IF-MATCH header.
0x00000040 Request includes the RANGE header.
0x00000080 Request includes the CACHE-CONTROL: NO-STORE header.
0x00000100 Request includes the CACHE-CONTROL: MAX-AGE, or CACHE-CONTROL: MAX-STALE, or CACHE-CONTROL: MIN-FRESH header.
0x00000200 Cache could not be updated.
0x00000400 IF-MODIFIED-SINCE time specified in the request is newer than cached LASTMODIFIED time.
0x00000800 Request includes the CACHE-CONTROL: ONLY-IF-CACHED header.
0x00001000 Request includes the IF-NONE-MATCH header.
0x00002000 Request includes the IF-UNMODIFIED-SINCE header.
0x00004000 Request includes the IF-RANGE header.
0x00008000 More than one VARY header.
0x00010000 Response includes the CACHE-CONTROL: PUBLIC header.
0x00020000 Response includes the CACHE-CONTROL: PRIVATE header.
0x00040000 Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header.
0x00080000 Response includes the CACHE-CONTROL: NO-STORE header.
0x00100000 Response includes either the CACHE-CONTROL: MUST-REVALIDATE or CACHE-CONTROL: PROXY-REVALIDATE header.
0x00200000 Response includes the CACHE-CONTROL: MAX-AGE or S-MAXAGE header.
0x00400000 Response includes the VARY header.
0x00800000 Response includes the LAST-MODIFIED header.
0x01000000 Response includes the EXPIRES header.
0x02000000 Response includes the SET-COOKIE header.
0x04000000 Response includes the WWW-AUTHENTICATE header.
0x08000000 Response includes the VIA header.
0x10000000 Response includes the AGE header.
0x20000000 Response includes the TRANSFER-ENCODING header.
0x40000000 Response should not be cached.

Error Information Bit Fields

Value Descriptive code Description
0x00000001 ERROR_INFO_IO_RECV_FROM_CLIENT An error occurred during the receipt of packets from the client.
0x00000002 ERROR_INFO_IO_SEND_TO_CLIENT An error occurred during the sending of packets to the client.
0x00000004 ERROR_INFO_IO_SEND_TO_SERVER An error occurred during the sending of packets to the server.
0x00000008 ERROR_INFO_IO_RECV_FROM_SERVER An error occurred during the receipt of packets from the server.
0x00000010 ERROR_INFO_DEST_IS_MEMBER -
0x00000020 ERROR_INFO_CLIENT_IS_MEMBER -
0x00000040 ERROR_INFO_DURING_CONNECT An error occurred during the establishment of a connection.
0x00000080 ERROR_INFO_CLIENT_KA A Keep-Alive connection was established with the client.
0x00000100 ERROR_INFO_SERVER_KA A Keep-Alive connection was established with the upstream server.
0x00000200 ERROR_INFO_REQUEST_HAS_BODY The request from the client includes a body (with a nonzero content length).
0x00000400 ERROR_INFO_RESPONSE_HAS_BODY The response received from the server includes a body (with a nonzero content length).
0x00000800 ERROR_INFO_IP_FROM_DNS_CACHE Name resolution was performed using the DNS cache.

See Also

Log Fields


Send comments about this topic to Microsoft

Build date: 11/30/2009

© 2008 Microsoft Corporation. All rights reserved.