Web Proxy Log Fields
The following table lists the log fields that can be included in Forefront TMG Web proxy log entries by setting the corresponding character in the string held in the LogFieldSelectionString property of the FPCLog object for Web proxy logging.
The bit numbers listed in this table, which are based on the numbering system that was used in the LogFieldSelection property, correspond to the zero-based numbers of the characters in the string held in the LogFieldSelectionString property.
| Bit number | Field name (log viewer) | Field name (SQL Server Express databases) | Field name (W3C files) | Description |
|---|---|---|---|---|
| 0 | Client IP | ClientIP | c-ip | The IP address of the requesting client. |
| 1 | Client Username | ClientUserName | cs-username | The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous. |
| 2 | Client Agent | ClientAgent | c-agent | The name and version of the client application sent by the client in the HTTP User-Agent header. When Forefront TMG is actively caching, this field is set to Forefront TMG. |
| 3 | Authenticated Client | ClientAuthenticate | sc-authenticated | A value that indicates whether the client has been authenticated with the Forefront TMG computer. Possible values are Y and N. |
| 4 | Log Date | logTime | date | The date on which the logged event occurred. In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 5 | Log Time | logTime | time | The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 6 | Service | service | s-svcname | The name of the service that is logged. For example, fwsrv indicates the Microsoft Firewall service. |
| 7 | Server Name | servername | s-computername | The name of the Forefront TMG computer. This is the computer name assigned in Windows Server 2008. |
| 8 | Referring Server | referredserver | cs-referred | The URL of the resource that supplied the requested URL to the client, as indicated in the Referrer header of the request. |
| 9 | Destination Host Name | DestHost | r-host | The domain name for the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was retrieved from the local cache and not from the destination. |
| 10 | Destination IP | DestHostIP | r-ip | The network IP address of the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was sourced from the local cache and not from the destination. One exception is negative caching. In that case, this field contains a destination IP address for which a negative cached object was returned. |
| 11 | Destination Port | DestHostPort | r-port | The reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request. |
| 12 | Processing Time | processingtime | time-taken | The total time, in milliseconds, that is needed by Forefront TMG to process the current connection. It measures the time elapsed from the time when the server first receives the request to the time when final processing occurs on the server—when results are returned to the client and the connection is closed.
For cache requests that are processed through the Forefront TMG Web proxy, the processing time measures the elapsed server time needed to fully process a client request and return an object from the server cache to the client. |
| 13 | Bytes Received | bytesrecvd | cs-bytes | The number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 14 | Bytes Sent | bytessent | sc-bytes | The number of bytes sent from the client to the remote computer during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer. |
| 15 | Protocol | protocol | cs-protocol | The application protocol used for the connection. Common values are http for Hypertext Transfer Protocol, https for Secure HTTP, and ftp for File Transfer Protocol. |
| 16 | Transport | transport | cs-transport | The transport protocol used for the connection. Common values are TCP and UDP. |
| 17 | HTTP Method | operation | s-operation | The HTTP method used. Common values are GET, PUT, POST, and HEAD. |
| 18 | URL | uri | cs-uri | The URL requested. |
| 19 | MIME Type | mimetype | cs-mime-type | The MIME type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined or supported by the remote computer. |
| 20 | Object Source | objectsource | s-object-source | The type of source that was used to retrieve the current object. A table of some possible values is provided in Object Source Values. |
| 21 | HTTP Status Code | resultcode | sc-status | A Windows (Win32) error code (for values less than 100), an HTTP status code (for values between 100 and 1,000), a Winsock error code (for values between 10,004 and 11,031), or a Forefront TMG error code. A table of some possible values is provided in Result Code Values. For more information about Forefront TMG error codes, see Error Codes. |
| 22 | Cache Information | CacheInfo | s-cache-info | A number reflecting the cache status of the object, which indicates the reasons why the object was or was not cached. The number logged is the sum of the values for all the conditions that are met. A table of the possible values is provided in Cache Information Values. |
| 23 | Rule | Rule | rule | The rule that either allowed or denied access to the request, as follows:
|
| 24 | Filter Information | FilterInfo | FilterInfo | Information supplied by a Web filter. For example, if HTTP Filter rejected a request, this field contains the reason for the rejection. |
| 25 | Source Network | SrcNetwork | cs-network | The network from which the request originated. |
| 26 | Destination Network | DstNetwork | sc-network | The network to which the request was sent. |
| 27 | Error Information | ErrorInfo | error-info | A 32-bit bitmask that provides additional information about the request that can help identify the source of the error if an error occurred. A table of the possible bit fields is provided in Error Information Bit Fields. |
| 28 | Action | Action | action | The action performed by the Microsoft Firewall service for the current session or connection. The possible values are defined in the FpcAction enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 29 | GMT Log Time | GmtLogTime | GMT Time | The date and time in Coordinated Universal Time (UTC) when the log entry was made. |
| 30 | Authentication Server | AuthenticationServer | AuthenticationServer | The name of the LDAP server or RADIUS server that was used for authentication. |
| 31 | NIS Scan Result | ipsScanResult | NIS scan result | The Network Inspection System (NIS) scan result. The possible values are defined in the FpcIpsScanResult enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 32 | NIS Signature | ipsSignature | NIS signature | The NIS signature detected or used as a basis for blocking the traffic. |
| 33 | Threat Name | ThreatName | ThreatName | The name of the threat found by malware inspection. |
| 34 | Malware Inspection Action | MalwareInspectionAction | MalwareInspectionAction | The type of action performed on an HTTP response during malware inspection. The possible values are defined in the FpcMalwareInspectionAction enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 35 | Malware Inspection Result | MalwareInspectionResult | MalwareInspectionResult | The reason for the action performed on an HTTP response during malware inspection. The possible values are defined in the FpcMalwareInspectionActionReason enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 36 | URL Category | UrlCategory | UrlCategory | The URL category. |
| 37 | Content Delivery Method | MalwareInspectionContentDeliveryMethod | MalwareInspectionContentDeliveryMethod | The content delivery method used during malware inspection. The possible values are defined in the FpcMalwareInspectionContentDeliveryMethod enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 38 | UAG Array Id | UagArrayId | mi-uagarrayid | The Forefront Unified Access Gateway (UAG) array identifier. |
| 39 | UAG Version | UagVersion | sc-uagversion | The Forefront UAG version number. |
| 40 | UAG Module Id | UagModuleId | mi-uagmoduleid | The identifier of the Forefront UAG module. |
| 41 | UAG Id | UagId | sc-uagid | The Forefront UAG identifier. |
| 42 | UAG Severity | UagSeverity | mi-uagseverity | The Forefront UAG array identifier. |
| 43 | UAG Type | UagType | mi-uagtype | The Forefront UAG type. |
| 44 | UAG Event Name | UagEventName | sc-uageventname | The identifying number of the Forefront UAG event. |
| 45 | UAG Session Id | UagSessionId | mi-uagsessionid | The Forefront UAG session identifier. |
| 46 | UAG Trunk Name | UagTrunkName | mi-uagtrunkname | The name of the Forefront UAG trunk. |
| 47 | UAG Service Name | UagServiceName | mi-uagservicename | The name of the Forefront UAG service. |
| 48 | UAG Error Code | UagErrorCode | sc-uagerrorcode | The Forefront UAG error code. |
| 49 | Malware Inspection Duration (msec) | MalwareInspectionDuration | MalwareInspectionDuration | The time, in milliseconds, needed to inspect the content of an HTTP response for malware. |
| 50 | Threat Level | MalwareInspectionThreatLevel | MalwareInspectionThreatLevel | The threat level of malware detected during malware inspection. The possible values are defined in the FpcMalwareInspectionThreatLevel enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 51 | Internal Service Info Log Fields | InternalServiceInfo | internal-service-info | The information generated by internal services. |
| 52 | NIS Application Protocol | ipsApplicationProtocol | NIS application protocol | The application protocol in which NIS detected the signature. |
| 53 | NAT Address | NAT Address | NAT Address | The public NAT IP address used as the source IP address for outbound traffic. |
| 54 | URL Categorization Reason | UrlCategorizationReason | UrlCategorizationReason | The reason for the URL categorization. The possible values are defined in the FpcUrlCategorizationReason enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 55 | Session Type | SessionType | SessionType | The type of session. The possible values are defined in the FpcSessionType enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 56 | URL Destination Host Name | UrlDestHost | UrlDestHost | The destination host name in the URL. |
| 57 | Source Port | SrcPort | s-port | The source port. |
| 58 | Soft Blocking Rule | SoftBlockAction | SoftBlockAction | The name of the first matching deny rule that can be overridden by the user. |
Object Source Values
| Source values | Description |
|---|---|
| 0 | No source information is available. |
| Cache | Source is the cache. Object returned from cache. |
| Internet | Source is the Internet. Object added to cache. |
| Member | Object returned from another array member. |
| Not Modified | Source is the cache. Client performed an If-Modified-Since request, and object had not been modified. |
| Not Verified Cache | Source is the cache. Object could not be verified to source. |
| Upstream | Object returned from an upstream proxy cache. |
| Verified Cache | Source is the cache. Object was verified to source and had not been modified. |
| Verify Failed Internet | Source is the Internet. Cached object was verified to source and had been modified. |
Result Code Values
| Value | Description |
|---|---|
| 0 | The operation completed successfully. |
| 200 | OK. |
| 201 | Created. |
| 202 | Accepted. |
| 204 | No content. |
| 301 | Moved permanently. |
| 302 | Moved temporarily. |
| 304 | Not modified. |
| 400 | Bad request. |
| 401 | Unauthorized. |
| 403 | Forbidden. |
| 404 | Not found. |
| 500 | Server error. |
| 501 | Not implemented. |
| 502 | Bad gateway. |
| 503 | Out of resources. |
| 995 | Operation aborted. |
| 10060 | A connection timed out. |
| 10061 | A connection was refused by the destination host. |
| 10065 | No route to host. |
| 11001 | Host not found. |
| 12217 | The request was rejected by HTTP Filter. |
Cache Information Values
| Value | Description |
|---|---|
| 0x00000001 | Request should not be served from the cache. |
| 0x00000002 | Request includes the IF-MODIFIED-SINCE header. |
| 0x00000004 | Request includes one of these headers: CACHE-CONTROL:NO-CACHE or PRAGMA:NO-CACHE. |
| 0x00000008 | Request includes the AUTHORIZATION header. |
| 0x00000010 | Request includes the VIA header. |
| 0x00000020 | Request includes the IF-MATCH header. |
| 0x00000040 | Request includes the RANGE header. |
| 0x00000080 | Request includes the CACHE-CONTROL: NO-STORE header. |
| 0x00000100 | Request includes the CACHE-CONTROL: MAX-AGE, or CACHE-CONTROL: MAX-STALE, or CACHE-CONTROL: MIN-FRESH header. |
| 0x00000200 | Cache could not be updated. |
| 0x00000400 | IF-MODIFIED-SINCE time specified in the request is newer than cached LASTMODIFIED time. |
| 0x00000800 | Request includes the CACHE-CONTROL: ONLY-IF-CACHED header. |
| 0x00001000 | Request includes the IF-NONE-MATCH header. |
| 0x00002000 | Request includes the IF-UNMODIFIED-SINCE header. |
| 0x00004000 | Request includes the IF-RANGE header. |
| 0x00008000 | More than one VARY header. |
| 0x00010000 | Response includes the CACHE-CONTROL: PUBLIC header. |
| 0x00020000 | Response includes the CACHE-CONTROL: PRIVATE header. |
| 0x00040000 | Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. |
| 0x00080000 | Response includes the CACHE-CONTROL: NO-STORE header. |
| 0x00100000 | Response includes either the CACHE-CONTROL: MUST-REVALIDATE or CACHE-CONTROL: PROXY-REVALIDATE header. |
| 0x00200000 | Response includes the CACHE-CONTROL: MAX-AGE or S-MAXAGE header. |
| 0x00400000 | Response includes the VARY header. |
| 0x00800000 | Response includes the LAST-MODIFIED header. |
| 0x01000000 | Response includes the EXPIRES header. |
| 0x02000000 | Response includes the SET-COOKIE header. |
| 0x04000000 | Response includes the WWW-AUTHENTICATE header. |
| 0x08000000 | Response includes the VIA header. |
| 0x10000000 | Response includes the AGE header. |
| 0x20000000 | Response includes the TRANSFER-ENCODING header. |
| 0x40000000 | Response should not be cached. |
Error Information Bit Fields
| Value | Descriptive code | Description |
|---|---|---|
| 0x00000001 | ERROR_INFO_IO_RECV_FROM_CLIENT | An error occurred during the receipt of packets from the client. |
| 0x00000002 | ERROR_INFO_IO_SEND_TO_CLIENT | An error occurred during the sending of packets to the client. |
| 0x00000004 | ERROR_INFO_IO_SEND_TO_SERVER | An error occurred during the sending of packets to the server. |
| 0x00000008 | ERROR_INFO_IO_RECV_FROM_SERVER | An error occurred during the receipt of packets from the server. |
| 0x00000010 | ERROR_INFO_DEST_IS_MEMBER | - |
| 0x00000020 | ERROR_INFO_CLIENT_IS_MEMBER | - |
| 0x00000040 | ERROR_INFO_DURING_CONNECT | An error occurred during the establishment of a connection. |
| 0x00000080 | ERROR_INFO_CLIENT_KA | A Keep-Alive connection was established with the client. |
| 0x00000100 | ERROR_INFO_SERVER_KA | A Keep-Alive connection was established with the upstream server. |
| 0x00000200 | ERROR_INFO_REQUEST_HAS_BODY | The request from the client includes a body (with a nonzero content length). |
| 0x00000400 | ERROR_INFO_RESPONSE_HAS_BODY | The response received from the server includes a body (with a nonzero content length). |
| 0x00000800 | ERROR_INFO_IP_FROM_DNS_CACHE | Name resolution was performed using the DNS cache. |
Related topics
Build date: 7/12/2010