Forefront Unified Access Gateway (UAG) can log events to a SQL Server database using the Forefront TMG logging mechanism (by default Forefront TMG is installed on the Forefront UAG server). Events can be logged to a local SQL Server Express database running on the Forefront UAG server, or to a remote SQL Server database. Forefront UAG events are logged to the Forefront TMG Web Proxy log. When configuring SQL Server logging in the Forefront TMG Management console, you can specify which log fields should be written to the SQL Server log. For instructions, see Logging to a SQL Server. This reference topic provides information about the fields available in the Forefront TMG Web proxy log.

Forefront TMG log fields

Log fields consist of the default Forefront TMG Web proxy log fields and a number of Forefront UAG-specific log fields. For a complete list of Forefront TMG log fields, see Web proxy log fields in the Forefront TMG TechNet library. The Forefront TMG log fields and the Forefront UAG-specific log fields are summarized in the table below.

| # | Field name (log viewer) | Field name (SQL Server log) | Details |
|---|---|---|---|
| 1 | Server Name | servername | The name of the Forefront UAG server assigned in operating system settings. |
| 2 | Log Date | logTime | The date on which the logged event occurred. In SQL Server format, both the date and the local time are included in the single logTime field. |
| 3 | Log Time | logTime | In SQL Server format, both the date and the time are included in the single logTime field. |
| 4 | Client IP and Port | SourceIP; SourcePort | The IP address of the requesting client and the source port used. In SQL Server format, there are separate SourceIP and SourcePort fields to allow individual querying. For ICMP packets, the port field indicates the ICMP type. |
| 5 | Destination IP and Port | DestinationIP; DestinationPort | The network IP address and the port number on the target computer that provides service to the current connection. The port number is used by the client application initiating the request. In SQL Server format, there are separate DestinationIP and DestinationPort fields to allow individual querying. For ICMP packets, the port field indicates the ICMP code. |
| 6 | Rule | Rule | The Forefront TMG rule that either allowed or denied access to the request. |
| 7 | Bytes Sent | bytessent | The total number of bytes sent from the client to the destination host during the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
| 8 | Bytes Received | bytesrecvd | The total number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 9 | Destination Host Name | DestinationName | The domain name for the remote computer that provides service to the current connection. |
| 10 | Client User Name | ClientUserName | The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous. |
| 11 | HTTP Method | Operation | The HTTP method of the operation (if applicable). |
| 12 | URL | Url | Session URL (if applicable). |
| 13 | Filter Information | FilterInfo | The full text of the Forefront UAG error message. |
| 14 | Authentication Server | AuthenticationServer | The authentication server used by Forefront UAG for the session (if applicable). |
| 15 | UAG Array ID | UAGArrayId | The array name of the Forefront UAG server (if applicable). |
| 16 | UAG Module ID | UAGModuleID | The Forefront UAG module ID (in Administrative Password Change message). |
| 17 | UAG Severity | UAGSeverity | The severity of the Forefront UAG log message (Error, Information, Warning, etc.). |
| 18 | UAG Type | UagType | The type or scope of the Forefront UAG log message (System, Session, Security). |
| 19 | Uag Session ID | UagSessionID | The ID of session messages. |
| 20 | Uag Trunk Name | UagTrunkName | The name of the trunk that handled the session. |
| 21 | Uag Service Name | UagServiceName | The Forefront UAG service name (that appears in service startup and stop messages). |
| 22 | Uag Error Code | UagErrorCode | The message ID of the Forefront UAG log message. |
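The following is an added example, not part of the original documentation. It uses the SQL Server column names from the table above to surface source addresses that generate repeated Security-scope Warning or Error events, and lists the user names that were sent but not authenticated. Assumptions: the table name WebProxyLog, UagType and UAGSeverity stored as the text labels listed above, the question mark appearing inside the ClientUserName value, and an in-memory SQLite database standing in for SQL Server. All sample rows are constructed.

```python
import sqlite3
from collections import defaultdict

COLUMNS = ("logTime", "SourceIP", "SourcePort", "ClientUserName",
           "UagType", "UAGSeverity", "UagSessionID", "UagTrunkName")

# Constructed sample rows (not real log data); addresses are documentation ranges.
SAMPLE_ROWS = [
    ("2012-03-01 09:00:01", "198.51.100.7", 50311, "CONTOSO\\alice ?", "Security", "Warning", "s-101", "portal"),
    ("2012-03-01 09:00:04", "198.51.100.7", 50312, "CONTOSO\\bob ?", "Security", "Warning", "s-102", "portal"),
    ("2012-03-01 09:00:09", "198.51.100.7", 50313, "CONTOSO\\carol ?", "Security", "Error", "s-103", "portal"),
    ("2012-03-01 09:01:00", "203.0.113.20", 41200, "CONTOSO\\dave", "Session", "Information", "s-200", "portal"),
    ("2012-03-01 09:02:00", "203.0.113.20", 41201, "Anonymous", "Security", "Warning", "s-201", "portal"),
    ("2012-03-01 09:03:00", "203.0.113.20", 41202, "CONTOSO\\dave", "System", "Error", "", "portal"),
]

def load(rows):
    """Build an in-memory stand-in for the SQL Server log (table name is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE WebProxyLog ({', '.join(COLUMNS)})")
    db.executemany(f"INSERT INTO WebProxyLog VALUES ({', '.join('?' * len(COLUMNS))})", rows)
    return db

def split_user(name):
    """Return (user, authenticated). A '?' marks a name that was sent but not authenticated."""
    if "?" in name:
        return name.replace("?", "").strip(), False
    return name, name != "Anonymous"

def suspicious_sources(db, min_events=3):
    """Source IPs with at least min_events Security Warning/Error rows."""
    rows = db.execute(
        "SELECT SourceIP, ClientUserName, UagSessionID FROM WebProxyLog "
        "WHERE UagType = 'Security' AND UAGSeverity IN ('Warning', 'Error') "
        "ORDER BY logTime")
    per_ip = defaultdict(lambda: {"events": 0, "sessions": set(), "unauth_users": set()})
    for ip, name, session in rows:
        user, authenticated = split_user(name)
        entry = per_ip[ip]
        entry["events"] += 1
        entry["sessions"].add(session)
        # Record names that were presented but never authenticated.
        if not authenticated and user != "Anonymous":
            entry["unauth_users"].add(user)
    return {ip: e for ip, e in per_ip.items() if e["events"] >= min_events}
```

Because SourceIP and SourcePort are separate columns in the SQL Server log, the grouping is by address alone and is unaffected by changing source ports.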

SQL fields for Forefront UAG DirectAccess user logging

Forefront UAG DirectAccess logging fields are summarized in the table below.

| # | Field Name (log viewer) | Field Name (SQL Server log) | Details |
|---|---|---|---|
| 1 | Log Date | logTime | The datetime when the logged event occurred. |
| 2 | Client IP and Port | SourceIP | The IPv6 address of the DA client. |
| 3 | Rule | Rule | Client machine name |
| 4 | Client Username | ClientUserName | User name |
| 5 | HTTP Method | Operation | The HTTP method of the operation (if applicable). |
| 6 | URL | Url | Presented cert |
| 7 | Filter Information | FilterInfo | The full text of the UAG error message. |
| 8 | Authentication Server | AuthenticationServer | The authentication server Forefront UAG works with in this session (if applicable). |
| 9 | Uag Array Id | UagArrayId | The array name of this Forefront UAG server (if applicable). |
| 10 | Uag Module Id | UagModuleId | Status of the session: connected/managed |
| 11 | Uag Severity | UagSeverity | The severity of the Forefront UAG log message (Error, Information, Warning, etc.). |
| 12 | Uag Type | UagType | The type/scope of the Forefront UAG log message (System, Session, Security, etc.). |
| 13 | Uag Session ID | UagSessionID | An identifier that identifies a session's messages. |
| 14 | Uag Service Name | UagServiceName | The Forefront UAG service name (in service start-up/shut down messages). |
| 15 | Uag Error Code | UagErrorCode | The message ID of the Forefront UAG log message. |