Firewall log fields
Applies To: Forefront Threat Management Gateway (TMG)
The following table lists the fields that you can include in each of the Forefront TMG log files. Note that, in Forefront TMG log format, if a field is disabled, it will appear in the log with a hyphen (-). In World Wide Web Consortium (W3C) log file format, the field will not appear. The Bit number column refers to the position in the Forefront TMG file format.
| Bit number | Field name (log viewer) | Field name (SQL Server log format and SQL Server Express log format) | Field name (W3C format) | Description |
|---|---|---|---|---|
0 |
Server Name |
servername |
computer |
The name of the Forefront TMG computer assigned in the operating system settings. |
1 |
Log Date |
logTime |
date |
The date on which the logged event occurred. In the SQL Server and SQL Server Express formats, both the date and the local time are included in the single logTime field. |
2 |
Log Time |
logTime |
time |
The time when the logged event occurred. In the W3C extended file format this time is in Coordinated Universal Time (UTC). In all other formats, this is the local time. In the SQL Server and SQL Server Express formats both the date and the time are included in the single logTime field. |
3 |
Transport |
protocol |
IP Protocol |
The transport protocol used for the connection. Common values are TCP and UDP. |
4 |
Client IP and Port |
SourceIP SourcePort |
source |
The IP address of the requesting client and the source port used. In SQL Server and SQL Server Express formats, there are separate SourceIP and SourcePort fields to allow individual querying. For ICMP packets, the port field indicates the ICMP type. |
5 |
Destination IP and Port |
DestinationIP Destination Port |
destination |
The network IP address and the port number on the target computer that provides service to the current connection. The port number is used by the client application initiating the request. In SQL Server and SQL Server Express formats, there are separate DestinationIP and DestinationPort fields to allow individual querying. For ICMP packets, the port field indicates the ICMP code. |
6 |
Original Client IP |
OriginalClientIP |
original client IP |
The original IP address of the requesting client. |
7 |
Source Network |
SourceNetwork |
source network |
The network from which the request originated. |
8 |
Destination Network |
DestinationNetwork |
destination network |
The network to which the request was sent. |
9 |
Action |
Action |
action |
The action performed by the firewall for the current session or connection. The possible values are defined in the FpcAction enumerated type. |
10 |
Result Code |
Resultcode |
status |
A Windows error code or a Forefront TMG error code in HRESULT format. |
11 |
Rule |
Rule |
rule |
The rule that either allowed or denied access to the request, as follows: If an outgoing request was allowed, this field reflects the access rule that allowed the request. If the request was denied, this field reflects the access rule that blocked the request. If an incoming request was allowed, this field reflects the Web publishing server or publishing rule that allowed the request. If the request was denied, this field reflects the Web publishing server or publishing rule that denied the request. If the incoming or outgoing request was denied for a reason other than policy rules, (for example due to an intrusion attempt or exceeding a flood resiliency threshold) the field is empty and the Result Code field indicates the reason. |
12 |
Protocol |
ApplicationProtocol |
application protocol |
The name of the application protocol used for the connection as defined in the collection of protocol definitions. |
13 |
Bidirectional |
Bidirectional |
bidirectional |
A value from the FpcBidirection enumerated type that indicates whether the connection was bidirectional. |
14 |
Bytes Sent |
bytessent |
bytes sent |
The total number of bytes sent from the client to the destination host during the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
15 |
Bytes Sent Delta |
bytessentDelta |
bytes sent intermediate |
The number of bytes sent from the client to the destination host since the previous log entry for the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
16 |
Bytes Received |
bytesrecvd |
bytes received |
The total number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
17 |
Bytes Received Delta |
bytesrecvdDelta |
bytes received intermediate |
The number of bytes sent from the remote computer and received by the client since the previous log entry for the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
18 |
Processing Time |
connectiontime |
connection time |
The total time, in milliseconds, that was needed by Forefront TMG to process the current connection. It measures the time elapsed from the time when the Forefront TMG computer first received the request to the time when final processing occurred on the Forefront TMG computer—when results were returned to the client and the connection was closed. |
19 |
Processing Time Delta |
connectiontimeDelta |
connection time intermediate |
The time, in milliseconds, that has elapsed since the previous log entry for the current connection. |
20 |
Destination Host Name |
DestinationName |
destination name |
The domain name for the remote computer that provides service to the current connection. |
21 |
Client Username |
ClientUserName |
username |
The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous. |
22 |
Client Agent |
ClientAgent |
agent |
For clients with Forefront TMG Client software installed, this is the name of the application that made the network request. This field is not applicable to SecureNAT client sessions. |
23 |
Session ID |
sessionid |
session ID |
An identifier that identifies a session's connections. For Forefront TMG clients, each process that connects through the Microsoft Firewall service initiates a session. For SecureNAT clients, a single session is opened for all the connections that originate from the same IP address. |
24 |
Connection ID |
connectionid |
connection ID |
An identifier that identifies entries belonging to the same connection. Outbound TCP usually has two entries for each connection: when the connection is established and when the connection is terminated. UDP usually has two entries for each remote address. |
25 |
Network Interface |
Interface |
interface |
The network adapter with which the connection was established on the Forefront TMG computer. |
26 |
Raw IP Header |
IPHeader |
IP header |
The IP header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by Forefront TMG. |
27 |
Raw Payload |
Payload |
protocol payload |
The protocol header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by Forefront TMG. |
28 |
GMT Log Time |
GmtLogTime |
GMT Time |
The GMT time that corresponds to the local time in the logTime field. |
29 |
NIS Scan Result |
ipsScanResult |
NIS scan result |
The result when NIS scans the traffic or connection (inspected/detected/blocked). |
30 |
NIS Signature |
ipsSignature |
NIS signature |
The NIS signature detected or based on which the traffic was blocked. |
31 |
NAT Address |
NATAddress |
NAT Address |
Public IP address used as a source IP for outbound traffic. |
32 |
Forefront TMG Client FDQN |
FwcClientFqdn |
fwc-client-fqdn |
Gets the FQDN of the client computer for a Forefront TMG Client connection. |
33 |
Forefront TMG Client Application Path |
FwcAppPath |
fwc-app-path |
Gets the full path of the client application for a Forefront TMG Client connection. |
34 |
Firewall Client Application SHA1 Hash |
FwcAppSHA1Hash |
fwc-app-sha1-hash |
Gets the SHA1 hash value that is calculated for the executable file of the client application and used by Forefront TMG Client to request a network connection. |
35 |
Forefront TMG Client Application trust state |
FwcAppTrusState |
fwc-app-trust-state |
Gets a value from the FpcFwcClientApplicationTrustState enumerated type that indicates whether the client application is trusted by the operating system running on the client computer. |
36 |
Forefront TMG Client Application Internal Name |
FwcAppInternalName |
fwc-app-internal-name |
Forefront TMG Client Application Internal Name. |
37 |
Forefront TMG Client Application Product Name |
FwcAppProductName |
fwc-app-product-name |
Gets the product name of the client application. |
38 |
Forefront TMG Client Application Product Version |
FwcAppProductVersion |
fwc-app-product-version |
Gets the product version of the client application. |
39 |
Forefront TMG Client Application File Version |
FwcAppFileVersion |
fwc-app-file-vrsion |
Gets the file version of the client application. |
40 |
Forefront TMG Client Application Original File Name |
FwcAppOrgFileName |
fwc-app-original-file-name |
The original name of the client application. |
41 |
Internal Service Info Log Fields |
InternalServiceInfo |
internal-service-info |
Internal |
42 |
NIS Application Protocol |
ipsApplicationProtocol |
NIS application protocol |
The application protocol in which NIS detected the signature. |
43 |
Forefront TMG Client Version |
FwcVersion |
fwc-version |
The version number of the Forefront TMG Clients |