Web Proxy Log Fields

The following table lists the log fields that can be included in Forefront TMG Web proxy log entries by setting the corresponding character in the string held in the LogFieldSelectionString property of the FPCLog object for Web proxy logging.

The bit numbers listed in this table, which are based on the numbering system that was used in the LogFieldSelection property, correspond to the zero-based numbers of the characters in the string held in the LogFieldSelectionString property.

| Bit number | Field name (log viewer) | Field name (SQL Server Express databases) | Field name (W3C files) | Description |
|---|---|---|---|---|
| 0 | Client IP | ClientIP | c-ip | The IP address of the requesting client. |
| 1 | Client Username | ClientUserName | cs-username | The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous. |
| 2 | Client Agent | ClientAgent | c-agent | The name and version of the client application sent by the client in the HTTP User-Agent header. When Forefront TMG is actively caching, this field is set to Forefront TMG. |
| 3 | Authenticated Client | ClientAuthenticate | sc-authenticated | A value that indicates whether the client has been authenticated with the Forefront TMG computer. Possible values are Y and N. |
| 4 | Log Date | logTime | date | The date on which the logged event occurred. In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 5 | Log Time | logTime | time | The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 6 | Service | service | s-svcname | The name of the service that is logged. For example, fwsrv indicates the Microsoft Firewall service. |
| 7 | Server Name | servername | s-computername | The name of the Forefront TMG computer. This is the computer name assigned in Windows Server 2008. |
| 8 | Referring Server | referredserver | cs-referred | The URL of the resource that supplied the requested URL to the client, as indicated in the Referrer header of the request. |
| 9 | Destination Host Name | DestHost | r-host | The domain name for the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was retrieved from the local cache and not from the destination. |
| 10 | Destination IP | DestHostIP | r-ip | The network IP address of the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was sourced from the local cache and not from the destination. One exception is negative caching. In that case, this field contains a destination IP address for which a negative cached object was returned. |
| 11 | Destination Port | DestHostPort | r-port | The reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request. |
| 12 | Processing Time | processingtime | time-taken | The total time, in milliseconds, that is needed by Forefront TMG to process the current connection. It measures the time elapsed from the time when the server first receives the request to the time when final processing occurs on the server—when results are returned to the client and the connection is closed. For cache requests that are processed through the Forefront TMG Web proxy, the processing time measures the elapsed server time needed to fully process a client request and return an object from the server cache to the client. |
| 13 | Bytes Received | bytesrecvd | cs-bytes | The number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 14 | Bytes Sent | bytessent | sc-bytes | The number of bytes sent from the client to the remote computer during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer. |
| 15 | Protocol | protocol | cs-protocol | The application protocol used for the connection. Common values are http for Hypertext Transfer Protocol, https for Secure HTTP, and ftp for File Transfer Protocol. |
| 16 | Transport | transport | cs-transport | The transport protocol used for the connection. Common values are TCP and UDP. |
| 17 | HTTP Method | operation | s-operation | The HTTP method used. Common values are GET, PUT, POST, and HEAD. |
| 18 | URL | uri | cs-uri | The URL requested. |
| 19 | MIME Type | mimetype | cs-mime-type | The MIME type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined or supported by the remote computer. |
| 20 | Object Source | objectsource | s-object-source | The type of source that was used to retrieve the current object. A table of some possible values is provided in Object Source Values. |
| 21 | HTTP Status Code | resultcode | sc-status | A Windows (Win32) error code (for values less than 100), an HTTP status code (for values between 100 and 1,000), a Winsock error code (for values between 10,004 and 11,031), or a Forefront TMG error code. A table of some possible values is provided in Result Code Values. For more information about Forefront TMG error codes, see Error Codes. |
| 22 | Cache Information | CacheInfo | s-cache-info | A number reflecting the cache status of the object, which indicates the reasons why the object was or was not cached. The number logged is the sum of the values for all the conditions that are met. A table of the possible values is provided in Cache Information Values. |
| 23 | Rule | Rule | rule | The rule that either allowed or denied access to the request, as follows: • If an outgoing request was allowed, this field indicates the access rule that allowed the request. • If an outgoing request was denied by a policy rule, this field indicates the access rule that blocked the request. • If an incoming request was denied by a policy rule, this field indicates the Web publishing or server publishing rule that denied the request. • If Forefront TMG denied the connection for any reason other than a policy rule, this field contains a hyphen (-), and the Result Code field indicates the reason. |
| 24 | Filter Information | FilterInfo | FilterInfo | Information supplied by a Web filter. For example, if HTTP Filter rejected a request, this field contains the reason for the rejection. |
| 25 | Source Network | SrcNetwork | cs-network | The network from which the request originated. |
| 26 | Destination Network | DstNetwork | sc-network | The network to which the request was sent. |
| 27 | Error Information | ErrorInfo | error-info | A 32-bit bitmask that provides additional information about the request that can help identify the source of the error if an error occurred. A table of the possible bit fields is provided in Error Information Bit Fields. |
| 28 | Action | Action | action | The action performed by the Microsoft Firewall service for the current session or connection. The possible values are defined in the FpcAction enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 29 | GMT Log Time | GmtLogTime | GMT Time | The date and time in Coordinated Universal Time (UTC) when the log entry was made. |
| 30 | Authentication Server | AuthenticationServer | AuthenticationServer | The name of the LDAP server or RADIUS server that was used for authentication. |
| 31 | NIS Scan Result | ipsScanResult | NIS scan result | The Network Inspection System (NIS) scan result. The possible values are defined in the FpcIpsScanResult enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 32 | NIS Signature | ipsSignature | NIS signature | The NIS signature detected or used as a basis for blocking the traffic. |
| 33 | Threat Name | ThreatName | ThreatName | The name of the threat found by malware inspection. |
| 34 | Malware Inspection Action | MalwareInspectionAction | MalwareInspectionAction | The type of action performed on an HTTP response during malware inspection. The possible values are defined in the FpcMalwareInspectionAction enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 35 | Malware Inspection Result | MalwareInspectionResult | MalwareInspectionResult | The reason for the action performed on an HTTP response during malware inspection. The possible values are defined in the FpcMalwareInspectionActionReason enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 36 | URL Category | UrlCategory | UrlCategory | The URL category. |
| 37 | Content Delivery Method | MalwareInspectionContentDeliveryMethod | MalwareInspectionContentDeliveryMethod | The content delivery method used during malware inspection. The possible values are defined in the FpcMalwareInspectionContentDeliveryMethod enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 38 | UAG Array Id | UagArrayId | mi-uagarrayid | The Forefront Unified Access Gateway (UAG) array identifier. |
| 39 | UAG Version | UagVersion | sc-uagversion | The Forefront UAG version number. |
| 40 | UAG Module Id | UagModuleId | mi-uagmoduleid | The identifier of the Forefront UAG module. |
| 41 | UAG Id | UagId | sc-uagid | The Forefront UAG identifier. |
| 42 | UAG Severity | UagSeverity | mi-uagseverity | The Forefront UAG array identifier. |
| 43 | UAG Type | UagType | mi-uagtype | The Forefront UAG type. |
| 44 | UAG Event Name | UagEventName | sc-uageventname | The identifying number of the Forefront UAG event. |
| 45 | UAG Session Id | UagSessionId | mi-uagsessionid | The Forefront UAG session identifier. |
| 46 | UAG Trunk Name | UagTrunkName | mi-uagtrunkname | The name of the Forefront UAG trunk. |
| 47 | UAG Service Name | UagServiceName | mi-uagservicename | The name of the Forefront UAG service. |
| 48 | UAG Error Code | UagErrorCode | sc-uagerrorcode | The Forefront UAG error code. |
| 49 | Malware Inspection Duration (msec) | MalwareInspectionDuration | MalwareInspectionDuration | The time, in milliseconds, needed to inspect the content of an HTTP response for malware. |
| 50 | Threat Level | MalwareInspectionThreatLevel | MalwareInspectionThreatLevel | The threat level of malware detected during malware inspection. The possible values are defined in the FpcMalwareInspectionThreatLevel enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 51 | Internal Service Info Log Fields | InternalServiceInfo | internal-service-info | The information generated by internal services. |
| 52 | NIS Application Protocol | ipsApplicationProtocol | NIS application protocol | The application protocol in which NIS detected the signature. |
| 53 | NAT Address | NAT Address | NAT Address | The public NAT IP address used as the source IP address for outbound traffic. |
| 54 | URL Categorization Reason | UrlCategorizationReason | UrlCategorizationReason | The reason for the URL categorization. The possible values are defined in the FpcUrlCategorizationReason enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 55 | Session Type | SessionType | SessionType | The type of session. The possible values are defined in the FpcSessionType enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 56 | URL Destination Host Name | UrlDestHost | UrlDestHost | The destination host name in the URL. |
| 57 | Source Port | SrcPort | s-port | The source port. |
| 58 | Soft Blocking Rule | SoftBlockAction | SoftBlockAction | The name of the first matching deny rule that can be overridden by the user. |

Object Source Values

| Source value | Description |
|---|---|
| 0 | No source information is available. |
| Cache | Source is the cache. Object returned from cache. |
| Internet | Source is the Internet. Object added to cache. |
| Member | Object returned from another array member. |
| Not Modified | Source is the cache. Client performed an If-Modified-Since request, and object had not been modified. |
| Not Verified Cache | Source is the cache. Object could not be verified to source. |
| Upstream | Object returned from an upstream proxy cache. |
| Verified Cache | Source is the cache. Object was verified to source and had not been modified. |
| Verify Failed Internet | Source is the Internet. Cached object was verified to source and had been modified. |

Result Code Values

| Value | Description |
|---|---|
| 0 | The operation completed successfully. |
| 200 | OK. |
| 201 | Created. |
| 202 | Accepted. |
| 204 | No content. |
| 301 | Moved permanently. |
| 302 | Moved temporarily. |
| 304 | Not modified. |
| 400 | Bad request. |
| 401 | Unauthorized. |
| 403 | Forbidden. |
| 404 | Not found. |
| 500 | Server error. |
| 501 | Not implemented. |
| 502 | Bad gateway. |
| 503 | Out of resources. |
| 995 | Operation aborted. |
| 10060 | A connection timed out. |
| 10061 | A connection was refused by the destination host. |
| 10065 | No route to host. |
| 11001 | Host not found. |
| 12217 | The request was rejected by HTTP Filter. |

Cache Information Values

| Value | Description |
|---|---|
| 0x00000001 | Request should not be served from the cache. |
| 0x00000002 | Request includes the IF-MODIFIED-SINCE header. |
| 0x00000004 | Request includes one of these headers: CACHE-CONTROL:NO-CACHE or PRAGMA:NO-CACHE. |
| 0x00000008 | Request includes the AUTHORIZATION header. |
| 0x00000010 | Request includes the VIA header. |
| 0x00000020 | Request includes the IF-MATCH header. |
| 0x00000040 | Request includes the RANGE header. |
| 0x00000080 | Request includes the CACHE-CONTROL: NO-STORE header. |
| 0x00000100 | Request includes the CACHE-CONTROL: MAX-AGE, or CACHE-CONTROL: MAX-STALE, or CACHE-CONTROL: MIN-FRESH header. |
| 0x00000200 | Cache could not be updated. |
| 0x00000400 | IF-MODIFIED-SINCE time specified in the request is newer than cached LASTMODIFIED time. |
| 0x00000800 | Request includes the CACHE-CONTROL: ONLY-IF-CACHED header. |
| 0x00001000 | Request includes the IF-NONE-MATCH header. |
| 0x00002000 | Request includes the IF-UNMODIFIED-SINCE header. |
| 0x00004000 | Request includes the IF-RANGE header. |
| 0x00008000 | More than one VARY header. |
| 0x00010000 | Response includes the CACHE-CONTROL: PUBLIC header. |
| 0x00020000 | Response includes the CACHE-CONTROL: PRIVATE header. |
| 0x00040000 | Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. |
| 0x00080000 | Response includes the CACHE-CONTROL: NO-STORE header. |
| 0x00100000 | Response includes either the CACHE-CONTROL: MUST-REVALIDATE or CACHE-CONTROL: PROXY-REVALIDATE header. |
| 0x00200000 | Response includes the CACHE-CONTROL: MAX-AGE or S-MAXAGE header. |
| 0x00400000 | Response includes the VARY header. |
| 0x00800000 | Response includes the LAST-MODIFIED header. |
| 0x01000000 | Response includes the EXPIRES header. |
| 0x02000000 | Response includes the SET-COOKIE header. |
| 0x04000000 | Response includes the WWW-AUTHENTICATE header. |
| 0x08000000 | Response includes the VIA header. |
| 0x10000000 | Response includes the AGE header. |
| 0x20000000 | Response includes the TRANSFER-ENCODING header. |
| 0x40000000 | Response should not be cached. |

Error Information Bit Fields

| Value | Descriptive code | Description |
|---|---|---|
| 0x00000001 | ERROR_INFO_IO_RECV_FROM_CLIENT | An error occurred during the receipt of packets from the client. |
| 0x00000002 | ERROR_INFO_IO_SEND_TO_CLIENT | An error occurred during the sending of packets to the client. |
| 0x00000004 | ERROR_INFO_IO_SEND_TO_SERVER | An error occurred during the sending of packets to the server. |
| 0x00000008 | ERROR_INFO_IO_RECV_FROM_SERVER | An error occurred during the receipt of packets from the server. |
| 0x00000010 | ERROR_INFO_DEST_IS_MEMBER | - |
| 0x00000020 | ERROR_INFO_CLIENT_IS_MEMBER | - |
| 0x00000040 | ERROR_INFO_DURING_CONNECT | An error occurred during the establishment of a connection. |
| 0x00000080 | ERROR_INFO_CLIENT_KA | A Keep-Alive connection was established with the client. |
| 0x00000100 | ERROR_INFO_SERVER_KA | A Keep-Alive connection was established with the upstream server. |
| 0x00000200 | ERROR_INFO_REQUEST_HAS_BODY | The request from the client includes a body (with a nonzero content length). |
| 0x00000400 | ERROR_INFO_RESPONSE_HAS_BODY | The response received from the server includes a body (with a nonzero content length). |
| 0x00000800 | ERROR_INFO_IP_FROM_DNS_CACHE | Name resolution was performed using the DNS cache. |
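
The following example is added here and is not part of the original documentation or of Forefront TMG. It applies the result code ranges of the HTTP Status Code field, the Error Information bit fields, and the hyphen and question mark conventions of the Rule and Client Username fields to one log entry. It assumes the entry has already been parsed into a dict keyed by W3C field names, that numeric fields may appear in decimal or 0x-prefixed hexadecimal, and that the question mark appears inside the cs-username value; all function names and the sample record are hypothetical.

```python
# Added example; SAMPLE is a constructed record keyed by the W3C field names.
ERROR_INFO_BITS = {
    0x001: "ERROR_INFO_IO_RECV_FROM_CLIENT", 0x002: "ERROR_INFO_IO_SEND_TO_CLIENT",
    0x004: "ERROR_INFO_IO_SEND_TO_SERVER", 0x008: "ERROR_INFO_IO_RECV_FROM_SERVER",
    0x010: "ERROR_INFO_DEST_IS_MEMBER", 0x020: "ERROR_INFO_CLIENT_IS_MEMBER",
    0x040: "ERROR_INFO_DURING_CONNECT", 0x080: "ERROR_INFO_CLIENT_KA",
    0x100: "ERROR_INFO_SERVER_KA", 0x200: "ERROR_INFO_REQUEST_HAS_BODY",
    0x400: "ERROR_INFO_RESPONSE_HAS_BODY", 0x800: "ERROR_INFO_IP_FROM_DNS_CACHE",
}
SAMPLE = {"cs-username": "CONTOSO\\alice?", "sc-status": "10060",
          "error-info": "0x44", "rule": "-"}

def parse_number(text):
    """Return an int, or None for a hyphen or empty field (decimal or 0x hex)."""
    text = (text or "").strip()
    return None if text in ("", "-") else int(text, 0)

def classify_result_code(code):
    """Apply the value ranges given for the HTTP Status Code field (bit 21)."""
    if code is None:
        return "absent"
    if code < 100:
        return "win32"
    if code <= 1000:
        return "http"
    if 10004 <= code <= 11031:
        return "winsock"
    return "tmg"

def decode_error_info(mask):
    """Split the bitmask into named flags and any bits the table does not list."""
    names = [name for bit, name in ERROR_INFO_BITS.items() if mask & bit]
    return names, mask & ~sum(ERROR_INFO_BITS)

def triage(entry):
    """Summarise the fields an analyst checks first on a failed request."""
    flags, unknown = decode_error_info(parse_number(entry.get("error-info")) or 0)
    return {
        "result_family": classify_result_code(parse_number(entry.get("sc-status"))),
        "error_flags": flags,
        "unknown_error_bits": unknown,
        "user_unauthenticated": "?" in entry.get("cs-username", ""),
        "no_policy_rule": entry.get("rule", "-") == "-",
    }
```

Bits that the Error Information table does not list are returned separately rather than dropped, so an unexpected mask is visible during review.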

See Also

Log Fields


Build date: 6/30/2010

© 2018 Microsoft