Firewall Log Fields

The following table lists the log fields that can be included in Firewall service log entries by setting the corresponding character in the string held in the LogFieldSelectionString property of the FPCLog object for Firewall service logging.

The bit numbers listed in this table correspond to the zero-based numbers of the characters in the string held in the LogFieldSelectionString property.

| Bit number | Field name (Log Viewer) | Field name (SQL Server Express databases) | Field name (W3C files) | Description |
|---|---|---|---|---|
| 0 | Server Name | servername | computer | The name of the Forefront TMG computer. This is the computer name assigned in Microsoft Windows. |
| 1 | Log Date | logTime | date | The date on which the logged event occurred. In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 2 | Log Time | logTime | time | The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 3 | Transport | protocol | IP Protocol | The transport protocol used for the connection. Common values are TCP and UDP. |
| 4 | Client IP and Port | SourceIP, SourcePort | source | The IP address of the requesting client and the source port used. In SQL Server Express format, there are separate SourceIP and SourcePort fields to allow individual querying. For ICMP packets, the additional field indicates the ICMP type. |
| 5 | Destination IP and Port | DestinationIP, DestinationPort | destination | The network IP address and the reserved port number on the remote computer that provides service to the current connection. The port number is used by the client application initiating the request. In SQL Server Express format, there are separate DestinationIP and DestinationPort fields to allow individual querying. For ICMP packets, the additional field indicates the ICMP code. |
| 6 | Original Client IP | OriginalClientIP | original client IP | The original IP address of the requesting client. |
| 7 | Source Network | SourceNetwork | source network | The network from which the request originated. |
| 8 | Destination Network | DestinationNetwork | destination network | The network to which the request was sent. |
| 9 | Action | Action | action | The action performed by the Microsoft Firewall service for the current session or connection. The possible values are defined in the FpcAction enumerated type. |
| 10 | Result Code | resultcode | status | A Windows error code or a Forefront TMG error code in HRESULT format. For more information about Forefront TMG error codes, see Error Codes. |
| 11 | Rule | Rule | rule | The rule that either allowed or denied access to the request: if an outgoing request was allowed, this field reflects the access rule that allowed the request; if an outgoing request was denied, this field reflects the access rule that blocked the request; if an incoming request was denied, this field reflects the Web publishing or server publishing rule that denied the request. If no rule specifically allowed the outgoing or incoming request, the request is denied and this field is empty. |
| 12 | Protocol | ApplicationProtocol | application protocol | The name of the application protocol used for the connection as defined in the collection of protocol definitions. |
| 13 | Bidirectional | Bidirectional | bidirectional | A value from the FpcBidirectional enumerated type that indicates whether the connection was bidirectional. |
| 14 | Bytes Sent | bytessent | bytes sent | The total number of bytes sent from the client to the destination host during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
| 15 | Bytes Sent Delta | bytessentDelta | bytes sent intermediate | The number of bytes sent from the client to the destination host since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
| 16 | Bytes Received | bytesrecvd | bytes received | The total number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 17 | Bytes Received Delta | bytesrecvdDelta | bytes received intermediate | The number of bytes sent from the remote computer and received by the client since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 18 | Processing Time | ConnectionTime | connection time | The total time, in milliseconds, that was needed by Forefront TMG to process the current connection. It measures the time elapsed from the time when the Forefront TMG computer first received the request to the time when final processing occurred on the Forefront TMG computer, that is, when results were returned to the client and the connection was closed. |
| 19 | Processing Time Delta | connectiontimeDelta | connection time intermediate | The time, in milliseconds, that has elapsed since the previous log entry for the current connection. |
| 20 | Source Proxy (deprecated in Forefront TMG) | SourceProxy | source proxy | The name of the source proxy server. |
| 21 | Destination Proxy (deprecated in Forefront TMG) | DestinationProxy | destination proxy | The name of the destination proxy server. |
| 22 | Client Host Name (deprecated in Forefront TMG) | SourceName | Source Name | The name of the source host. |
| 23 | Destination Host Name | DestinationName | destination name | The domain name for the remote computer that provides service to the current connection. |
| 24 | Client Username | ClientUserName | username | The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous. |
| 25 | Client Agent | ClientAgent | agent | The name and version of the operating system that is running on the Forefront TMG Client or Firewall Client computer that created the session, as indicated by the Hypertext Transfer Protocol (HTTP) User-Agent header sent by the client's browser application. This field is not applicable to SecureNAT sessions. For the supported strings, see Client Agent Values. A User-Agent header that is not supported is regarded as an unknown operating system. |
| 26 | Session ID | sessionid | Session ID | An identifier that identifies a session's connections. For Forefront TMG Client and Firewall Client computers, each process that connects through the Microsoft Firewall service initiates a session. For SecureNAT clients, a single session is opened for all the connections that originate from the same IP address. |
| 27 | Connection ID | connectionid | Connection ID | An identifier that identifies entries belonging to the same socket. Outbound TCP usually has two entries for each connection: when the connection is established and when the connection is terminated. UDP usually has two entries for each remote address. |
| 28 | Network Interface | Interface | interface | The network adapter with which the connection was established on the Forefront TMG computer. |
| 29 | Raw IP Header | IPHeader | IP header | The IP header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by Forefront TMG. |
| 30 | Raw Payload | Payload | protocol payload | The protocol header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by Forefront TMG. |
| 31 | GMT Log Time | GmtLogTime | GMT Time | The date and time in Coordinated Universal Time (UTC) when the log entry was made. |
| 32 | NIS Scan Result | ipsScanResult | NIS scan result | The Network Inspection System (NIS) scan result. The possible values are defined in the FpcIpsScanResult enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 33 | NIS Signature | ipsSignature | NIS signature | The NIS signature detected or used as a basis for blocking the traffic. |
| 34 | NAT Address | NAT Address | NAT Address | The public NAT IP address used as the source IP address for outbound traffic. |
| 35 | Forefront TMG Client FQDN | FwcClientFqdn | fwc-client-fqdn | The FQDN of the client computer for a Forefront TMG Client or Firewall Client connection. |
| 36 | Forefront TMG Client Application Path | FwcAppPath | fwc-app-path | The full path of the client application for a Forefront TMG Client or Firewall Client connection. |
| 37 | Firewall Client Application SHA1 Hash | FwcAppSHA1Hash | fwc-app-sha1-hash | The SHA1 hash value that is calculated for the executable file of the client application and used by Forefront TMG Client or Firewall Client to request a network connection. |
| 38 | Forefront TMG Client Application Trust State | FwcAppTrusState | fwc-app-trust-state | A value that indicates whether the client application is trusted by the operating system running on the client computer. The possible values are defined in the FpcFwcClientApplicationTrustState enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 39 | Forefront TMG Client Application Internal Name | FwcAppInternalName | fwc-app-internal-name | The internal name of the client application. |
| 40 | Forefront TMG Client Application Product Name | FwcAppProductName | fwc-app-product-name | The product name of the client application. |
| 41 | Forefront TMG Client Application Product Version | FwcAppProductVersion | fwc-app-product-version | The product version of the client application. |
| 42 | Forefront TMG Client Application File Version | FwcAppFileVersion | fwc-app-file-vrsion | The file version of the client application. |
| 43 | Forefront TMG Client Application Original File Name | FwcAppOrgFileName | fwc-app-original-file-name | The original name of the client application. |
| 44 | Internal Service Info Log Fields | InternalServiceInfo | internal-service-info | The information generated by internal services. |
| 45 | NIS Application Protocol | ipsApplicationProtocol | NIS application protocol | The application protocol in which NIS detected the signature. |
| 46 | Forefront TMG Client Version | FwcVersion | fwc-version | The version of Forefront TMG Client. |
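The following Python script is an added example and is not part of the Forefront TMG SDK documentation or the product. It builds a LogFieldSelectionString from the bit numbers in the table above, enforcing the rule stated for bits 1 and 2 (date and time must be set together for SQL Server Express logging), then parses W3C-format firewall log lines by their field names and applies two checks taken from the field descriptions: a denied request with an empty rule field (bit 11) matched no rule and fell through to the default deny, and a trailing question mark on the user name (bit 24) means the name was sent but never authenticated. Assumptions not stated on this page: a '1' character enables a field and a '0' disables it; W3C files are tab-separated with a '#Fields:' header; an empty W3C value is written as a hyphen. The sample log lines are constructed, not captured from a real gateway.

```python
"""Build a Firewall service LogFieldSelectionString and triage W3C log lines.

Added example, not SDK or product code. Assumptions (not on the page):
'1' enables a field, '0' disables it; W3C files are tab-separated with a
'#Fields:' header; an empty W3C value is written as '-'.
"""

# Bit number -> W3C field name, copied from the Firewall Log Fields table.
W3C_FIELD_BY_BIT = {
    0: "computer", 1: "date", 2: "time", 3: "IP Protocol", 4: "source",
    5: "destination", 6: "original client IP", 7: "source network",
    8: "destination network", 9: "action", 10: "status", 11: "rule",
    12: "application protocol", 13: "bidirectional", 14: "bytes sent",
    15: "bytes sent intermediate", 16: "bytes received",
    17: "bytes received intermediate", 18: "connection time",
    19: "connection time intermediate", 20: "source proxy",
    21: "destination proxy", 22: "Source Name", 23: "destination name",
    24: "username", 25: "agent", 26: "Session ID", 27: "Connection ID",
    28: "interface", 29: "IP header", 30: "protocol payload", 31: "GMT Time",
    32: "NIS scan result", 33: "NIS signature", 34: "NAT Address",
    35: "fwc-client-fqdn", 36: "fwc-app-path", 37: "fwc-app-sha1-hash",
    38: "fwc-app-trust-state", 39: "fwc-app-internal-name",
    40: "fwc-app-product-name", 41: "fwc-app-product-version",
    42: "fwc-app-file-vrsion", 43: "fwc-app-original-file-name",
    44: "internal-service-info", 45: "NIS application protocol",
    46: "fwc-version",
}


def selection_string(bits, sql_express=False):
    """Return the 47-character selection string for the given bit numbers.

    Character i corresponds to bit i (zero-based). For SQL Server Express
    logging the page requires bits 1 (date) and 2 (time) to be set together,
    because both land in the single logTime column.
    """
    chars = ["0"] * len(W3C_FIELD_BY_BIT)
    for bit in bits:
        if bit not in W3C_FIELD_BY_BIT:
            raise ValueError(f"bit {bit} is not a Firewall service log field")
        chars[bit] = "1"
    if sql_express and chars[1] != chars[2]:
        raise ValueError("SQL Server Express logging needs bits 1 and 2 set together")
    return "".join(chars)


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines carry no entry
        if fields is None:
            raise ValueError("data line appeared before the #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield dict(zip(fields, values))


def review(entries):
    """Apply the two checks described for bits 11 and 24; return findings."""
    findings = []
    for e in entries:
        action = e.get("action", "")
        rule = e.get("rule", "-")
        # Bit 11: denied and no rule name means no rule matched at all, so the
        # request hit the default deny rather than an explicit block rule.
        if "denied" in action.lower() and rule in ("", "-"):
            findings.append(("default-deny", e.get("source", "-"), e.get("destination", "-")))
        # Bit 24: '?' after the name means it was sent but not authenticated,
        # so it must not be treated as a verified identity during triage.
        user = e.get("username", "")
        if user.endswith("?"):
            findings.append(("unauthenticated-username", user, e.get("source", "-")))
    return findings


# Constructed sample: a subset of the W3C field names, tab-separated.
SAMPLE_LOG = """\
#Constructed sample for this example; not captured from a real gateway.
#Fields: computer\tdate\ttime\tIP Protocol\tsource\tdestination\taction\trule\tapplication protocol\tusername
TMG01\t2010-07-12\t08:00:01\tTCP\t10.0.0.5:51234\t203.0.113.10:443\tInitiated Connection\tAllow HTTPS out\tHTTPS\tCONTOSO\\alice
TMG01\t2010-07-12\t08:00:02\tTCP\t10.0.0.7:51300\t203.0.113.20:25\tDenied Connection\tBlock SMTP\tSMTP\tanonymous
TMG01\t2010-07-12\t08:00:03\tUDP\t10.0.0.9:5060\t198.51.100.5:5060\tDenied Connection\t-\tSIP\tCONTOSO\\bob?
"""


def sample_findings():
    return review(parse_w3c(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    print(selection_string([0, 1, 2, 3, 4, 5, 9, 11, 24]))
    for finding in sample_findings():
        print(*finding)
```

Only the third sample line produces findings: its rule field is empty, so the denial came from the default deny, and its user name carries the unauthenticated marker. The second line is also a denial but names the blocking rule, which is the case a triage queue usually does not need to look at.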


Client Agent Values

| User-Agent header | Client Agent value |
|---|---|
| Windows NT 5.2 | Windows Server 2003 |
| Windows NT 5.1 | Windows XP |
| windows nt 5 | Windows 2000 |
| windows 2000 | Windows 2000 |
| win2000 | Windows 2000 |
| winnt | Windows NT |
| windows nt | Windows NT |
| win98 | Windows 98 |
| windows 98 | Windows 98 |
| win95 | Windows 95 |
| windows 95 | Windows 95 |
| win32 | Windows 32-bit |
| win16 | Windows 16-bit |
| windows ce | Windows CE |
| windows | Windows |
| aix | aix |
| amiga | amiga |
| hp | hp |
| irix | irix |
| linux | linux |
| mac | mac |
| solaris | solaris |
| sun | sun |
| unix | unix |
| vax | vax |


Related topics

Log Fields

Build date: 7/12/2010