Forefront Unified Access Gateway (UAG) can log events to a SQL Server database using the Forefront TMG logging mechanism (by default Forefront TMG is installed on the Forefront UAG server). Events can be logged to a local SQL Server Express database running on the Forefront UAG server, or to a remote SQL Server database. Forefront UAG events are logged to the Forefront TMG Web Proxy log. When configuring SQL Server logging in the Forefront TMG Management console, you can specify which log fields should be written to the SQL Server log. For instructions, see Logging to a SQL Server. This reference topic provides information about the fields available in the Forefront TMG Web proxy log.
Forefront TMG log fields
Log fields consist of the default Forefront TMG Web proxy log fields and a number of Forefront UAG-specific log fields. For a complete list of Forefront TMG log fields, see Web proxy log fields in the Forefront TMG TechNet library. Forefront TMG log fields, and specific Forefront UAG log fields, are summarized in the table below.
# | Field name (log viewer) | Field name (SQL Server log) | Details |
---|---|---|---|
1 | Server Name | servername | The name of the Forefront UAG server assigned in operating system settings. |
2 | Log Date | logTime | The date on which the logged event occurred. In SQL Server format, both the date and the local time are included in the single logTime field. |
3 | Log Time | logTime | In the SQL Server format both the date and the time are included in the single logTime field. |
4 | Client IP and Port | SourceIP; SourcePort | The IP address of the requesting client and the source port used. In SQL Server format, there are separate SourceIP and SourcePort fields to allow individual querying. For ICMP packets, the port field indicates the ICMP type. |
5 | Destination IP and Port | DestinationIP; DestinationPort | The network IP address and the port number on the target computer that provides service to the current connection. The port number is used by the client application initiating the request. In SQL Server format, there are separate DestinationIP and DestinationPort fields to allow individual querying. For ICMP packets, the port field indicates the ICMP code. |
6 | Rule | Rule | The Forefront TMG rule that either allowed or denied access to the request. |
7 | Bytes Sent | bytessent | The total number of bytes sent from the client to the destination host during the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
8 | Bytes Received | bytesrecvd | The total number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
9 | Destination Host Name | DestinationName | The domain name for the remote computer that provides service to the current connection. |
10 | Client User Name | ClientUserName | The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous. |
11 | HTTP Method | Operation | The HTTP method of the operation (if applicable). |
12 | URL | Url | Session URL (if applicable). |
13 | Filter Information | FilterInfo | The full text of the Forefront UAG error message. |
14 | Authentication Server | AuthenticationServer | The authentication server used by Forefront UAG for the session (if applicable). |
15 | UAG Array ID | UAGArrayId | The array name of the Forefront UAG server (if applicable). |
16 | UAG Module ID | UAGModuleID | The Forefront UAG module ID (in Administrative Password Change message). |
17 | UAG Severity | UAGSeverity | The severity of the Forefront UAG log message (Error, Information, Warning, etc.). |
18 | UAG Type | UagType | The type or scope of the Forefront UAG log message (System, Session, Security). |
19 | Uag Session ID | UagSessionID | The ID of session messages. |
20 | Uag Trunk Name | UagTrunkName | The name of the trunk that handled the session. |
21 | Uag Service Name | UagServiceName | The Forefront UAG service name (that appears in service startup and stop messages). |
22 | Uag Error Code | UagErrorCode | The message ID of the Forefront UAG log message. |
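
As an added example (not part of the original reference or of Forefront UAG), the sketch below shows how the separate SourceIP field, the "?" marker on ClientUserName, and the UagType and UagSeverity fields can be combined into one triage query. It runs against an in-memory SQLite stand-in; the table name WebProxyLog, the text encoding of the severity and type values, and the position of the "?" marker are assumptions.

```python
import sqlite3

# Constructed sample rows (not real log data). Column names come from the
# "Field name (SQL Server log)" column above. Assumptions: the table is named
# WebProxyLog, UagType/UagSeverity hold the text values listed in the table,
# and the "?" marker is appended to ClientUserName.
SAMPLE_ROWS = [
    ("2012-03-01 09:14:02", "192.0.2.10", 50112, "CONTOSO\\alice", "portal", "Session", "Information"),
    ("2012-03-01 09:20:11", "198.51.100.7", 41001, "admin?", "portal", "Security", "Warning"),
    ("2012-03-01 09:20:13", "198.51.100.7", 41002, "administrator?", "portal", "Security", "Warning"),
    ("2012-03-01 09:20:15", "198.51.100.7", 41005, "root?", "portal", "Security", "Error"),
    ("2012-03-01 09:20:19", "198.51.100.7", 41009, "admin?", "portal", "Security", "Warning"),
    ("2012-03-01 10:02:40", "192.0.2.10", 50190, "CONTOSO\\alice", "portal", "Security", "Warning"),
]

def open_sample_log():
    """Build an in-memory stand-in for the SQL Server log table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE WebProxyLog (logTime TEXT, SourceIP TEXT, SourcePort INTEGER,"
        " ClientUserName TEXT, UagTrunkName TEXT, UagType TEXT, UagSeverity TEXT)"
    )
    db.executemany("INSERT INTO WebProxyLog VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return db

# Security-scoped warnings and errors, grouped by client address and trunk.
# SourceIP is queried without SourcePort so one client is not split per port.
TRIAGE_QUERY = """
SELECT SourceIP, UagTrunkName,
       COUNT(*) AS events,
       COUNT(DISTINCT ClientUserName) AS user_names,
       SUM(CASE WHEN ClientUserName LIKE '%?' THEN 1 ELSE 0 END) AS unauthenticated,
       MIN(logTime) AS first_seen, MAX(logTime) AS last_seen
FROM WebProxyLog
WHERE UagType = 'Security' AND UagSeverity IN ('Warning', 'Error')
GROUP BY SourceIP, UagTrunkName
HAVING COUNT(*) >= ?
ORDER BY events DESC
"""

def noisy_sources(db, min_events=3):
    """Return client/trunk pairs with at least min_events matching rows."""
    return db.execute(TRIAGE_QUERY, (min_events,)).fetchall()
```
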
SQL fields for Forefront UAG DirectAccess user logging
Forefront UAG DirectAccess logging fields are summarized in the table below.
# | Field Name (log viewer) | Field Name (SQL server log) | Details |
---|---|---|---|
1 | Log Date | logTime | The datetime when the logged event occurred. |
2 | Client IP and Port | SourceIP | The IPv6 address of the DA client |
3 | Rule | Rule | Client machine name |
4 | Client Username | ClientUserName | User name |
5 | HTTP Method | Operation | The HTTP method of the operation (if applicable). |
6 | URL | Url | Presented cert |
7 | Filter Information | FilterInfo | The full text of the UAG error message. |
8 | Authentication Server | AuthenticationServer | The authentication server Forefront UAG works with in this session (if applicable). |
9 | Uag Array Id | UagArrayId | The array name of this Forefront UAG server (if applicable). |
10 | Uag Module Id | UagModuleId | Status of the session: connected/managed |
11 | Uag Severity | UagSeverity | The severity of the Forefront UAG log message (Error, Information, Warning, etc.) |
12 | Uag Type | UagType | The type/scope of the Forefront UAG log message (System, Session, Security, etc.) |
13 | Uag Session ID | UagSessionID | An identifier that identifies a session's messages. |
14 | Uag Service Name | UagServiceName | The Forefront UAG service name (in service start-up/shut down messages). |
15 | Uag Error Code | UagErrorCode | The message ID of the Forefront UAG log message. |