Log query parameters
Applies To: Forefront Threat Management Gateway (TMG)
The following table summarizes the criteria on which you can filter logs.
Filter by | Condition | Values and description |
---|---|---|
Action (not applicable to Web Proxy log) | Equals, Not Equal, Not One Of, One Of | The action performed by the Firewall service for the current connection or session. Possible values: |
Authenticated Client (not applicable to Firewall log) | Equals, Not Equal | Indicates whether the client has been authenticated with Forefront TMG. Possible values: |
Authentication Server | Contains, Equals, Not Contains, Not Equal | Possible values: |
Bidirectional (not applicable to Web Proxy log) | Equals, Not Equal | Indicates whether the traffic flows in both directions (send/receive). Possible values: |
Bytes Received | Greater or Equal, Less or Equal | The number of bytes sent from the destination computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination computer or that no bytes were received from the destination computer. Possible values: |
Bytes Sent | Greater or Equal, Less or Equal | The number of bytes sent from the source client to the destination server during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination computer or that no bytes were sent to the destination computer. Possible values: |
Cache Information (not applicable to Firewall log) | Equals, Not Equal | This number reflects the cache status of the object, which indicates why the object was or was not cached. This field applies only to the Web Proxy log. |
Client Agent | Contains, Equals, Not Contains, Not Equal | The client application type sent by the client in the HTTP header. For Microsoft Firewall service, this field includes information about the client's operating system. Possible values: |
Client IP | Equals, Greater or Equal, Less or Equal, Not Equal, Not One Of, One Of | The IP address of the requesting client. Possible values: |
Client Username | Contains, Equals, Not Contains, Not Equal | The account of the user making the request. If Forefront TMG access control is not being used, Forefront TMG uses anonymous. Possible values: |
Content Delivery Method | Equals, Not Equal, Not One Of, One Of | Fast Trickling, Progress Notification, Standard Trickling |
Destination Host Name | Contains, Equals, Not Contains, Not Equal, Not One Of, One Of | The domain name for the remote computer that provides service to the current connection. For the Web Proxy log, a hyphen (-) in this field may indicate that an object was retrieved from the cache and not from the destination. Possible values: |
Destination IP | Equals, Greater or Equal, Less or Equal, Not Equal, Not One Of, One Of | The network IP address for the remote computer that provides service to the current connection. For the Web Proxy log, a hyphen (-) in this field may indicate that an object was sourced from the cache and not from the destination. One exception is negative caching. In that case, this field indicates a destination IP address for which a negative-cached object was returned. Possible values: |
Destination Network | Contains, Equals, Not Contains, Not Equal, Not One Of, One Of | The network that provides service to the current connection. Possible values: |
Destination Port | Equals, Not Equal, Not One Of, One Of | The reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request. Possible values: |
Error Information (not applicable to Firewall log) | Equals, Not Equal | Error information. Possible values: |
Filter Information | Contains, Equals, Not Contains, Not Equal | This field includes information that a Web filter can log. For example, when the HTTP filter denies a request, the reason for the denial is stored here. Possible values: |
GMT Log Time | On or After, On or Before | The date and time of the log entry in Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT). Possible values: |
HTTP Method | Contains, Equals, Not Contains, Not Equal | Specifies the application method used. Possible values that are common for the Firewall log: |
HTTP Status Code | Equals, Not Equal, Not One Of, One Of | Specifies the HTTP status code. Possible values: |
Internal Service Info Log Field | Equals, Not Equal, Not One Of, One Of | Internal Possible values: |
Log Record Type | Equals | Specifies the log type to filter. Possible values: |
Log Time | Last 24 hours, Last 30 days, Last 7 days, Last hour, Live, On or After, On or Before | The time that the logged event occurred. Possible values: |
Malware Inspection Action | Equals, Not Equal, Not One Of, One Of | Specifies the possible actions for content. Possible values: |
Malware Inspection Duration | Greater or Equal, Less or Equal | Possible values: |
Malware Inspection Result | Equals, Not Equal, Not One Of, One Of | The possible results of the malware inspection process. Possible values: |
MIME Type (not applicable to Firewall log) | Contains, Equals, Not Contains, Not Equals | The MIME type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined or supported by the remote computer. Possible values: |
Network Interface (not applicable to Web Proxy log) | Contains, Equals, Not Contains, Not Equal, Not One Of, One Of | Primary IP address of the interface that received the traffic. Possible values: |
NIS Application Protocol | Contains, Equals, Not Contains, Not Equal, Not One Of, One Of | The application protocol in which NIS detected the signature. Possible values: |
NIS Scan Result | Equals, Not Equals, Not One Of, One Of | The result of NIS scanning of the traffic or the connection. Possible values: |
NIS Signature | Contains, Equals, Not Contains, Not Equal, Not One Of, One Of | The NIS signature detected that resulted in the traffic being blocked. Possible values: |
Object Source (not applicable to Firewall log) | Equals, Not Equal, Not One Of, One Of | Indicates the source that was used to retrieve the current object. Possible values: |
Original Client IP | Equals, Greater or Equal, Less or Equal, Not Equal, Not One Of, One Of | The IP address of the client making the request. Possible values: |
Processing Time (not applicable to Firewall log) | Greater or Equal, Less or Equal | This indicates the total time, in milliseconds, that is needed by Forefront TMG to process the current connection. It measures elapsed server time from the time that the server first received the request to the time when final processing occurred on the server—when results were returned to the client and the connection was closed. For cache requests that were processed through Web Proxy, processing time measures the elapsed server time needed to fully process a client request and return an object from the server cache to the client. Possible values: |
Protocol | Contains, Equals, Not Contains, Not Equal, Not One Of, One Of | Specifies the application protocol used for the connection. Common values are HTTP, FTP, and HTTPS. For the Firewall service, the port number is also logged. Possible values: |
Raw IP Header (not applicable to Web Proxy log) | Contains, Equals, Not Contains, Not Equal, Not One Of, One Of | The raw IP header information. Possible values: |
Raw Payload (not applicable to Web Proxy log) | Contains, Equals, Not Contains, Not Equal | The raw data of the packet. Possible values: |
Referring Server | Contains, Equals, Not Contains, Not Equals | If Forefront TMG is used upstream in a chained configuration, this indicates the server name of the downstream server that sent the request. Possible values: |
Result Code | Equals, Not Equal, Not One Of, One Of | The result code numeric ID. Possible values: |
Rule | Contains, Equals, Not Contains, Not Equal, Not One Of, One Of | This reflects the rule that either allowed or denied access to the request. Possible values: |
Server Name (not applicable to Firewall log) | Contains, Equals, Not Contains, Not Equals | The name of the computer running Forefront TMG. This is the computer name that is assigned in Microsoft Windows Server 2003 or Windows 2000 Server. Possible values: |
Service (not applicable to Firewall log) | Equals, Not Equal, Not One Of, One Of | The type of request being logged. Possible values: |
Source Network | Contains, Equals, Not Contains, Not Equal, Not One Of, One Of | The network from which the request originated. Possible values: |
Source Port (not applicable to Web Proxy log) | Equals, Not Equal | The port on which the requesting client makes the request. Possible values: |
Threat Level | Equals, Not Equal, Not One Of, One Of | The malware inspection threat level. Possible values: |
Threat Name | Contains, Equals, Not Contains, Not Equal, Not One Of, One Of | The threat name. Possible values: |
Forefront TMG Client Application File Version | Equals, Not Equals, Not One Of, One Of | The Forefront TMG Client Application File Version. Possible values: |
Forefront TMG Client Application Internal Name | Contains, Equals, Not Equals, Not One Of, One Of | The Forefront TMG Client Application Internal Name. Possible values: |
Forefront TMG Client Application Original File Name | Contains, Equals, Not Equals, Not One Of, One Of | The Forefront TMG Client Application Original File Name. Possible values: |
Forefront TMG Client Application Product Name | Contains, Equals, Not Equals, Not One Of, One Of | The Forefront TMG Client Application Product Name. Possible values: |
Forefront TMG Client Application Product Version | Equals, Not Equals, Not One Of, One Of | The Forefront TMG Client Application Product Version. Possible values: |
Forefront TMG Client Application SHA1 Hash | Equals, Not Equals, Not One Of, One Of | The Forefront TMG Client Application SHA1 Hash. Possible values: |
Forefront TMG Client Application trust state | Equals, Not Equals, Not One Of, One Of | The Forefront TMG Client Application trust state. Possible values: |
Forefront TMG Client FQDN | Equals, Not Equals, Not One Of, One Of | The Forefront TMG Client FQDN. Possible values: |
Forefront TMG Client Application Path | Equals, Not Equals, Not One Of, One Of | The Forefront TMG Client Application Path. Possible values: |
Transport | Contains, Equals, Not Contains, Not Equals | Specifies the transport protocol used for the connection. Possible values: |
URL (not applicable to Firewall log) | Contains, Equals, Not Contains, Not Equal, Not One Of, One Of | This field shows the contents of the URL request. Possible values: |
UAG Array ID | Equals, Not Equal | The UAG Array ID. Possible values: |
UAG Error Code | Equals, Not Equal | The UAG error code. Possible values: |
UAG Event Name | Equals, Not Equal | The UAG event name. Possible values: |
UAG Id | Equals, Not Equal | The UAG Id. Possible values: |
UAG Module Id | Equals, Not Equal | The UAG module Id. Possible values: |
UAG Service Name | Equals, Not Equal | The UAG service name. Possible values: |
UAG Session Id | Equals, Not Equal | The UAG session Id. Possible values: |
UAG Severity | Equals, Not Equal | The UAG severity. Possible values: |
UAG Trunk Name | Equals, Not Equal | The UAG trunk name. Possible values: |
UAG Type | Equals, Not Equal | The UAG type. Possible values: |
UAG version | Equals, Not Equal | The UAG version. Possible values: |
URL Categorization Reason | Equals, Not Equals, Not One Of, One Of | The reason for the URL categorizations. Possible values: |
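
The following is an added example, not Microsoft or Forefront TMG code: it evaluates the table's conditions offline over exported records, comparing IP fields numerically and treating a hyphen, zero, or negative byte count as "not provided". The record shape (dicts keyed by filter name), the sample records, and the choice that a not-provided value never matches are assumptions.

```python
import ipaddress

NOT_PROVIDED = {"-", "", None}

def _num(value):
    # Byte counters: '-', 0 or a negative number mean "not provided".
    if value in NOT_PROVIDED:
        return None
    n = int(value)
    return n if n > 0 else None

def _ip(value):
    # Parse so range conditions compare addresses, not strings.
    return None if value in NOT_PROVIDED else ipaddress.ip_address(value)

def _text(value):
    return None if value in NOT_PROVIDED else str(value)

CASTS = {"Bytes Sent": _num, "Bytes Received": _num,
         "Client IP": _ip, "Destination IP": _ip, "Original Client IP": _ip}

OPS = {
    "Equals": lambda a, b: a == b,
    "Not Equal": lambda a, b: a != b,
    "Contains": lambda a, b: b in a,
    "Not Contains": lambda a, b: b not in a,
    "One Of": lambda a, b: a in b,
    "Not One Of": lambda a, b: a not in b,
    "Greater or Equal": lambda a, b: a >= b,
    "Less or Equal": lambda a, b: a <= b,
}

def matches(record, field, condition, operand):
    cast = CASTS.get(field, _text)
    value = cast(record.get(field))
    if value is None:
        return False  # assumption: a not-provided value never matches
    if condition in ("One Of", "Not One Of"):
        operand = [cast(o) for o in operand]
    else:
        operand = cast(operand)
    return OPS[condition](value, operand)

def select(records, field, condition, operand):
    return [r for r in records if matches(r, field, condition, operand)]

# Constructed sample records (not real TMG output).
RECORDS = [
    {"Client IP": "10.0.0.9", "Bytes Sent": "512", "Destination Host Name": "updates.example.com"},
    {"Client IP": "10.0.0.10", "Bytes Sent": "-", "Destination Host Name": "-"},
    {"Client IP": "10.0.0.200", "Bytes Sent": "0", "Destination Host Name": "files.example.net"},
]
```

A plain string comparison would wrongly place 10.0.0.9 above 10.0.0.10, and a naive numeric filter on Bytes Sent would count the "-" and "0" records as tiny transfers rather than as missing data.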