ISA Server 2006 Logging Fields and Values

The following table lists the fields that you can include in each of the ISA Server log files. Note that, in ISA Server log format, if a field is disabled, it will appear in the log with a hyphen (-). In World Wide Web Consortium (W3C) log file format, the field will not appear. The Bit number column refers to the position in the ISA Server file format.

Bit number Field name (log viewer) Field name (MSDE) Field name (W3C) Description
0 Server Name servername computer The name of the ISA Server computer. This is the computer name assigned in Microsoft Windows Server® 2003 or Windows® 2000 Server.
  1 Log Date logTime date The date on which the logged event occurred. In the MSDE format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set.
  2 Log Time logTime time The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant Microsoft SQL Server™ databases, this time is in Coordinated Universal Time (UTC). In the MSDE format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set.
  3 Transport protocol IP Protocol The transport protocol used for the connection. Common values are TCP and UDP.
  4 Client IP and Port SourceIP, SourcePort source The IP address of the requesting client and the source port used. In MSDE format, there are separate SourceIP and SourcePort fields to allow individual querying. For ICMP packets, the additional field indicates the ICMP type.
  5 Destination IP and Port DestinationIP, DestinationPort destination The network IP address and the reserved port number on the remote computer that provides service to the current connection. The port number is used by the client application initiating the request. In MSDE format, there are separate DestinationIP and DestinationPort fields to allow individual querying. For ICMP packets, the additional field indicates the ICMP code.
  6 Original Client IP OriginalClientIP original client IP The original IP address of the requesting client.
  7 Source Network SourceNetwork source network The network from which the request originated.
  8 Destination Network DestinationNetwork destination network The network to which the request was sent.
  9 Action Action action The action performed by the Microsoft Firewall service for the current session or connection. The possible values are defined in the FpcAction enumerated type.
10 Result Code resultcode status A Windows error code or an ISA Server error code in HRESULT format.
11 Rule rule rule The rule that either allowed or denied access to the request, as follows:
  • If an outgoing request was allowed, this field reflects the access rule that allowed the request.
  • If an outgoing request was denied, this field reflects the access rule that blocked the request.
  • If an incoming request was denied, this field reflects the Web publishing or server publishing rule that denied the request.
  • If no rule specifically allowed the outgoing or incoming request, the request is denied. In this case, the field is empty.

12 Protocol ApplicationProtocol application protocol The name of the application protocol used for the connection as defined in the collection of protocol definitions.
13 Bidirectional Bidirectional Bidirectional A value from the FpcBidirection enumerated type that indicates whether the connection was bidirectional.
14 Bytes Sent bytessent bytes sent The total number of bytes sent from the client to the destination host during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host.
15 Bytes Sent Delta bytessentDelta bytes sent intermediate The number of bytes sent from the client to the destination host since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host.
16 Bytes Received bytesrecvd bytes received The total number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer.
17 Bytes Received Delta bytesrecvdDelta bytes received intermediate The number of bytes sent from the remote computer and received by the client since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer.
18 Processing Time connectiontime connection time The total time, in milliseconds, that was needed by ISA Server to process the current connection. It measures the time elapsed from the time when the ISA Server computer first received the request to the time when final processing occurred on the ISA Server computer—when results were returned to the client and the connection was closed.
19 Processing Time Delta connectiontimeDelta connection time intermediate The time, in milliseconds, that has elapsed since the previous log entry for the current connection.
20 Source Proxy SourceProxy source proxy Reserved for future use.
21 Destination Proxy DestinationProxy destination proxy Reserved for future use.
22 Client Host Name SourceName Source Name Reserved for future use.
23 Destination Host Name DestinationName destination name The domain name for the remote computer that provides service to the current connection.
24 Client Username ClientUserName Username The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by ISA Server. If ISA Server access control is not being used, ISA Server uses Anonymous.
25 Client Agent ClientAgent agent The name and version of the operating system that is running on the Firewall client that created the session, as indicated by the HTTP User-Agent header sent by the client’s browser application. This field is not applicable to SecureNAT sessions. For the supported strings, see Web Proxy and Firewall: Client Agent Log Values. A User-Agent header that is not supported is regarded as an unknown operating system.
26 Session ID sessionid Session ID An identifier that identifies a session’s connections. For Firewall clients, each process that connects through the Microsoft Firewall service initiates a session. For SecureNAT clients, a single session is opened for all the connections that originate from the same IP address.
27 Connection ID connectionid Connection ID An identifier that identifies entries belonging to the same socket. Outbound TCP usually has two entries for each connection: when the connection is established and when the connection is terminated. UDP usually has two entries for each remote address.
28 Network Interface Interface Interface The network adapter with which the connection was established on the ISA Server computer.
29 Raw IP Header IPHeader IP header The IP header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by ISA Server.
30 Raw Payload Payload protocol payload The protocol header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by ISA Server.

The following table lists the fields that you can include in the ISA Server Web Proxy log entries. Note that, in ISA Server log format, if a field is disabled, it will appear in the log with a hyphen (-). In World Wide Web Consortium (W3C) log file format, the field will not appear. The Bit number column refers to the position in the ISA Server file format.

Bit number Field name (log viewer) Field name (MSDE) Field name (W3C) Description
0 Client IP ClientIP c-ip The IP address of the requesting client.
1 Client Username ClientUserName cs-username The user account making the request. A question mark (?) indicates that the user name was sent but the user was not authenticated by ISA Server. If ISA Server access control is not being used, ISA Server uses Anonymous.
2 Client Agent ClientAgent c-agent The name and version of the client application sent in the HTTP User-Agent header. When ISA Server is actively caching, this field is set to ISA Server.
 3 Authenticated Client ClientAuthenticate sc-authenticated Indicates whether the client has been authenticated with the ISA Server computer. Possible values are Y and N.
  4 Log Date logTime date The date on which the logged event occurred. In the MSDE format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set.
  5 Log Time logTime time The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the MSDE format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set.
  6 Service service s-svcname The name of the service that is logged. For example, fwsrv indicates the Microsoft Firewall service.
  7 Server Name servername s-computername The name of the ISA Server computer.
  8 Referring Server referredserver cs-referred Reserved for future use.
  9 Destination Host Name DestHost r-host The domain name for the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was retrieved from the local cache and not from the destination.
10 Destination IP DestHostIP r-ip The network IP address of the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was sourced from the local cache and not from the destination. One exception is negative caching. In that case, this field contains a destination IP address for which a negative cached object was returned.
11 Destination Port DestHostPort r-port The reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request.
12 Processing Time processingtime time-taken The total time, in milliseconds, that is needed by ISA Server to process the current connection. It measures the time elapsed from the time when the server first receives the request to the time when final processing occurs on the server—when results are returned to the client and the connection is closed. For cache requests that are processed through Web Proxy Filter, the processing time measures the elapsed server time needed to fully process a client request and return an object to the client.
13 Bytes Received bytesrecvd cs-bytes The number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer.
14 Bytes Sent bytessent sc-bytes The number of bytes sent from the client to the remote computer during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer.
15 Protocol protocol cs-protocol The application protocol used for the connection. Common values are http for Hypertext Transfer Protocol, https for Secure HTTP, and ftp for FTP.
16 Transport transport cs-transport The transport protocol used for the connection. Common values are TCP and UDP.
17 HTTP Method operation s-operation The HTTP method used. Common values are GET, PUT, POST, and HEAD.
18 URL uri cs-uri The URL requested.
19 MIME Type mimetype cs-mime-type The MIME type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined or supported by the remote computer.
20 Object Source objectsource s-object-source The type of source that was used to retrieve the current object. A table of some possible values is provided in Web Proxy: Object Source Log Values.
21 Result Code resultcode sc-status A Windows (Win32) error code (for values less than 100), an HTTP status code (for values between 100 and 1,000), a Winsock error code (for values between 10,004 and 11,031), or an ISA Server error code. A table of some possible values is provided in Web Proxy and Firewall: Result Code Log Values.
22 Cache Info CacheInfo s-cache-info A number reflecting the cache status of the object, which indicates the reasons why the object was or was not cached. The number logged is the sum of the values for all the conditions that are met. A table of the possible values is provided in Web Proxy: Cache Information Log Values.
23 Rule rule rule The rule that either allowed or denied access to the request, as follows:
  • If an outgoing request was allowed, this field indicates the access rule that allowed the request.
  • If an outgoing request was denied by a policy rule, this field indicates the access rule that blocked the request.
  • If an incoming request was denied by a policy rule, this field indicates the Web publishing or server publishing rule that denied the request.
  • If ISA Server denied the connection for any reason other than a policy rule, this field contains a hyphen (-), and the Result Code field (bit 21) indicates the reason.

24 Filter Information FilterInfo FilterInfo Information supplied by a Web filter. For example, if HTTP Filter rejected a request, this field contains the reason for the rejection.
25 Source Network SrcNetwork cs-Network The network from which the request originated.
26 Destination Network DstNetwork sc-Network The network to which the request was sent.
27 Error info (ErrorInfo) ErrorInfo error-info A 32-bit bitmask that provides additional information about the request that can help identify the source of the error if an error occurred. A table of the possible bit fields is provided in Web Proxy: Error Information Log Values.
28 Action Action action The action performed by the Microsoft Firewall Service for the current session or connection. The possible values are defined in the FpcAction enumerated type.
29 GMT Log Time GmtLogTime GmtLogTime The date and time in Coordinated Universal Time (UTC) when the log entry was made (introduced in ISA Server Enterprise Edition).
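The W3C-format behaviour described above (a disabled field is absent from the line rather than logged as a hyphen) and the Result Code ranges given for bit 21 can be exercised with a small parser. This is an added example, not code from the original documentation; the log excerpt, the rule names, the service name w3proxy and the client addresses are constructed, and only the field names come from the table above.

```python
"""Parse an ISA Server 2006 Web Proxy log in W3C extended format and classify
sc-status by the documented Result Code ranges (constructed sample below)."""
from __future__ import annotations
from collections import Counter

# Constructed W3C-format excerpt. A disabled field does not appear at all in
# W3C format (s-cache-info is not logged here), so values must be keyed by
# the #Fields directive, never by position. A hyphen means "no value".
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2006
#Version: 2.0
#Fields: c-ip cs-username sc-authenticated date time s-svcname r-host r-port s-operation cs-uri sc-status rule
10.0.0.15 CORP\\alice Y 2024-01-15 08:01:02 w3proxy example.com 80 GET http://example.com/ 200 Allow-Web
10.0.0.16 Anonymous N 2024-01-15 08:01:05 w3proxy blocked.example 80 GET http://blocked.example/ 12217 -
10.0.0.16 Anonymous N 2024-01-15 08:01:07 w3proxy nowhere.example 443 CONNECT nowhere.example:443 10060 -
10.0.0.17 CORP\\bob Y 2024-01-15 08:01:09 w3proxy intranet.example 80 GET http://intranet.example/x 403 Deny-Finance
10.0.0.18 CORP\\carol Y 2024-01-15 08:01:11 w3proxy example.com 80 GET http://example.com/a 0 Allow-Web
"""


def parse_w3c(text: str) -> list[dict[str, str | None]]:
    """One dict per data line, keyed by the #Fields names. Disabled fields are
    simply absent from the dict; a hyphen in the data becomes None."""
    fields: list[str] = []
    entries: list[dict[str, str | None]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version and other directives carry no data
        if not fields:
            raise ValueError("data line seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} values, got {len(values)}: {line!r}")
        entries.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return entries


def classify_status(code: int) -> str:
    """Documented sc-status ranges: Win32 below 100, HTTP from 100 to 1,000,
    Winsock from 10,004 to 11,031, anything else an ISA Server code. Note that
    995 (Operation aborted, a Win32 code) lands in the HTTP range by this rule."""
    if code < 100:
        return "win32"
    if code <= 1000:
        return "http"
    if 10004 <= code <= 11031:
        return "winsock"
    return "isa"


def summarize(entries: list[dict[str, str | None]]) -> tuple[Counter, list[tuple]]:
    """Count entries per result-code class and collect failed requests that no
    rule accounts for: a hyphen in 'rule' means the reason is in sc-status."""
    by_class: Counter = Counter()
    unattributed: list[tuple] = []
    for entry in entries:
        code = int(entry["sc-status"] or 0)
        cls = classify_status(code)
        by_class[cls] += 1
        failed = cls in ("winsock", "isa") or (cls == "http" and code >= 400)
        if failed and entry.get("rule") is None:
            unattributed.append((entry["c-ip"], code, cls))
    return by_class, unattributed


if __name__ == "__main__":
    classes, refusals = summarize(parse_w3c(SAMPLE_LOG))
    print(dict(classes), refusals)
```

The two refusals it reports are the entries whose rule field is a hyphen, so the HTTP Filter rejection (12217) and the Winsock time-out (10060) are explained by the result code rather than by a policy rule.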

The Firewall log can include an action field listing the action performed by the Microsoft Firewall Service for the current session or connection. The values provided in the “Action” field are short strings derived from the names of the enumeration values defined in the FpcAction COM object after deleting the prefix “fpcAction.”

The following table lists the possible action values.

MSDE value Value String Description
0 NotLogged No action was logged.
1 Bind The Firewall service associated a local address with a socket.
2 Listen The Firewall service placed a socket in a state in which it listens for an incoming connection.
3 GHBN Get host by name request. The Firewall service retrieved host information corresponding to a host name.
4 GHBA Get host by address request. The Firewall service retrieved host information corresponding to a network address.
5 RedirectBind The Firewall service enabled a connection using a local address associated with a socket.
6 Establish Initiated connection The Firewall service established a session.
7 Terminate Closed connection The Firewall service terminated a session.
8 Denied Denied connection The action requested was denied.
9 Allowed Allowed connection The action requested was allowed.
10 Failed Failed connection The action requested failed.
11 Intermediate The action was intermediate.
12 SuccessfulConnection The Firewall service was successful in establishing a connection to a socket.
13 UnsuccessfulConnection The Firewall service was unsuccessful in establishing a connection to a socket.
14 Disconnect The Firewall service closed a connection on a socket.
15 UserClearedQuarantine User cleared quarantine The Firewall service cleared a quarantined virtual private network (VPN) client.
16 QuarantineTimeout Quarantine timeout The Firewall service disqualified a quarantined VPN client after the time-out period elapsed.

Web Proxy: Result Code Log Values

For the Web Proxy log, the HTTP Status Code column represents an HTTP error (from the Web proxy). It can take one of the following values:

  • An HTTP response code, as defined in the HTTP RFC. For a list of HTTP response codes, see the Platform SDK.
  • A Winsock error code. For a list of Winsock error codes, see MSDN.
  • An ISA Server Web Proxy error code. These errors also include a description.

The following table summarizes some of the result code values.

Source values Description
        0 The operation completed successfully.
    200 OK.
    201 Created.
    202 Accepted.
    204 No content.
    301 Moved permanently.
    302 Moved temporarily.
    304 Not modified.
    400 Bad request.
    401 Unauthorized.
    403 Forbidden.
    404 Not found.
    500 Server error.
    501 Not implemented.
    502 Bad gateway.
    503 Out of resources.
    995 Operation aborted.
10060 A connection timed out.
10061 A connection was refused by the destination host.
10065 No route to host.
11001 Host not found.
12217 The request was rejected by HTTP Filter.

Firewall: Result Code Log Values

In the Firewall log, the result code field represents an error. It can be one of the following:

  • A Windows-based HRESULT error code.
  • An ISA Server service error code. These errors typically begin with 0xC00. Error text typically includes FWX_E_.

The following table summarizes run-time error codes, defined in Wspfwerr.h, that may be returned by the Microsoft Firewall service and may appear as result codes in ISA Server logs.

Symbolic name Code Message text
FWX_E_TERMINATING 0xC0040001 The object is shutting down.
FWX_E_INVALID_ARG 0xC0040002 The argument is invalid.
FWX_E_ALREADY_IN_BLOCKING_OP 0xC0040003 The blocking operation is already started.
FWX_E_NOT_IN_BLOCKING_OP 0xC0040004 There is no blocking operation to be ended.
FWX_E_FILTER_NOT_REGISTERED 0xC0040005 The filter is not registered.
FWX_E_ALREADY_EXISTS 0x800700B7 The object cannot be created because an object with the same name already exists.
FWX_E_BUFFERFULL 0xC0040007 Not all the data was appended to the buffer object because the buffer was full.
FWX_E_ALREADY_EMULATED 0xC0040009 The connection is already emulated by another filter.
FWX_E_BAD_CONTEXT 0xC004000A The method was not called while handling any of the supported events.
FWX_E_NOT_SUPPORTED 0xC004000B Modifying this property is not allowed for this session.
FWX_E_NOT_AUTHENTICATED 0xC004000C The action cannot be performed because the session is not authenticated.
FWX_E_POLICY_RULES_DENIED 0xC004000D The policy rules do not allow the user request.
FWX_E_MIME_NEEDED 0xC004000E The MIME type is required.
FWX_E_MUST_USE_DS 0xC004000F
FWX_E_NOT_EMULATED 0xC0040010 The connection is not emulated.
FWX_E_IS_BUSY 0xC0040011
FWX_E_NETWORK_RULES_DENIED 0xC0040012
FWX_E_FRAGMENT_PACKET_DROPPED 0xC0040013
FWX_E_FWE_SPOOFING_PACKET_DROPPED 0xC0040014
FWX_E_TCPIPDROP_PACKET_DROPPED 0xC0040015
FWX_E_NO_BACKLOG_PACKET_DROPPED 0xC0040016
FWX_E_TCP_NOT_SYN_PACKET_DROPPED 0xC0040017 A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
FWX_E_BAD_LENGTH_PACKET_DROPPED 0xC0040018
FWX_E_PING_OF_DEATH_PACKET_DROPPED 0xC0040019
FWX_E_OUT_OF_BAND_PACKET_DROPPED 0xC004001A
FWX_E_IP_HALF_SCAN_PACKET_DROPPED 0xC004001B
FWX_E_LAND_ATTACK_DROPPED 0xC004001C
FWX_E_UDP_BOMB_DROPPED 0xC004001D
FWX_E_FULLDENY_DROPPED 0xC004001E
FWX_E_IPOPTIONS_DROPPED 0xC004001F
FWX_E_UNCOMPLETED_CONNECTION_REQUEST 0xC0040020 An attempt to log on to the VPN server was rejected during the authentication phase because the authentication data was not received in a timely manner. The client session was disconnected.
FWX_E_CONNECTION_REQUEST_REJECTED 0xC0040021 An attempt to log on to the VPN server was rejected during the authentication phase. The client session was disconnected.
FWX_E_VALIDATE_QUARANTINE_FAILED 0xC0040022 The VPN quarantine settings could not be validated. The client session was disconnected.
FWX_E_VPN_CONNECTIONS_LIMIT_EXCEEDED 0xC0040023 The VPN client connection limit was exceeded. The client session was disconnected.
FWX_E_OUT_OF_RESOURCES 0xC0040024
FWX_E_BROADCAST_PACKET_DROPPED 0xC0040025
FWX_E_UNKNOWN_ADAPTER_DROPPED 0xC0040026
FWX_E_ICMP_ERROR_PACKET_DROPPED 0xC0040027
FWX_E_INVALID_PROTOCOL_PACKET_DROPPED 0xC0040028
FWX_E_PORT_ZERO_PACKET_DROPPED 0xC0040029
FWX_E_SYN_ATTACK_START 0xC004002A ISA Server detected a SYN attack.
FWX_E_SYN_ATTACK_END 0xC004002B ISA Server is no longer experiencing a SYN attack.
FWX_E_INVALID_DHCP_OFFER 0xC004002C
FWX_E_UNREACHABLE_ADDRESS 0xC004002D
FWX_E_ADDRESS_NOT_ALLOWED 0xC004002E
FWX_E_IPSEC_NO_ROUTE_DROPPED 0xC004002F
FWX_E_OUTBOUND_PATH_THROUGH_DROPPED 0xC0040030
FWX_E_BAD_TCP_CHECKSUM_DROPPED 0xC0040031
FWX_E_VPN_USER_MAPPING_FAILED 0xC0040032 An attempt to map a VPN client to a Windows user failed. The client session was disconnected.
FWX_E_RULE_QUOTA_EXCEEDED_DROPPED 0xC0040033 A connection was rejected because the maximum number of connections that can be created for a rule during one second was exceeded.
FWX_E_SEQ_ACK_MISMATCH 0xC0040034 A TCP packet was rejected because it has an invalid sequence number or an invalid acknowledgement number.
WSA_RWS_GRACEFUL_SHUTDOWN or FWX_E_GRACEFUL_SHUTDOWN 0x80074E20 A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
WSA_RWS_ABORTIVE_SHUTDOWN or FWX_E_ABORTIVE_SHUTDOWN 0x80074E21 A connection was abortively closed after one of the peers sent a RST segment.
WSA_RWS_QUOTA or FWX_E_RULE_QUOTA_EXCEEDED_DROPPED 0x80074E23 A connection was refused because a quota set in a rule was exceeded.
WSA_RWS_CONNECTION_KILLED or FWX_E_CONNECTION_KILLED 0x80074E24 ISA Server killed a connection.
WSA_RWS_TIMEOUT or FWX_E_TIMEOUT 0x80074E25 A connection was terminated because it was idle for more than the time-out period, or the time-out on an incomplete action expired.
WSA_RWS_ADMIN_TERMINATE or FWX_E_ADMIN_TERMINATE 0x80074E26 A connection was terminated from ISA Server Management during shutdown, or when a VPN client was disconnected.
FWX_E_THREAD_QUOTA_EXCEEDED 0xC0040035 A blocking operation could not be performed because the thread limit for this operation was reached.
FWX_E_DNS_QUOTA_EXCEEDED 0xC0040036 A DNS query could not be performed because the query limit was reached.
FWX_E_TCP_RATE_QUOTA_EXCEEDED_DROPPED 0xC0040037 A connection was rejected because the maximum connections rate for a single client host was exceeded.
FWX_E_TCP_NO_SERVER_REPLY 0xC0040038 A connection was closed because no SYN/ACK reply was received from the server.
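An added example, not part of the original page, that decodes Firewall log result codes against the table above: it splits the HRESULT into severity bit, facility and code, normalizes the textual forms a result code might take (hex, unsigned decimal, and the signed decimal a 32-bit integer column yields, which is an assumption of this example), and buckets the codes the way an analyst reading the firewall log would. The FWX_E_ names come from the table; the batch of codes is constructed.

```python
"""Decode result codes from an ISA Server 2006 Firewall log into their HRESULT
parts and the FWX_E_ names listed above (code strings below are constructed)."""
from __future__ import annotations
from collections import Counter

# Subset of the Wspfwerr.h table above, keyed by the 32-bit HRESULT value.
FWX_NAMES = {
    0xC004000D: "FWX_E_POLICY_RULES_DENIED",
    0xC0040012: "FWX_E_NETWORK_RULES_DENIED",
    0xC0040017: "FWX_E_TCP_NOT_SYN_PACKET_DROPPED",
    0xC004001C: "FWX_E_LAND_ATTACK_DROPPED",
    0xC004002A: "FWX_E_SYN_ATTACK_START",
    0xC004002B: "FWX_E_SYN_ATTACK_END",
    0xC0040034: "FWX_E_SEQ_ACK_MISMATCH",
    0xC0040037: "FWX_E_TCP_RATE_QUOTA_EXCEEDED_DROPPED",
    0x80074E20: "FWX_E_GRACEFUL_SHUTDOWN",
    0x80074E25: "FWX_E_TIMEOUT",
}
FACILITY_ITF, FACILITY_WIN32 = 4, 7  # standard HRESULT facility numbers


def normalize_code(raw: str) -> int:
    """Accept the code as hex text ("0xc0040017"), unsigned decimal, or the
    signed decimal a 32-bit integer column yields (-1073479657) and return
    the unsigned HRESULT. These textual forms are an assumption of this example."""
    raw = raw.strip()
    value = int(raw, 16) if raw.lower().startswith("0x") else int(raw, 10)
    if not -0x80000000 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {raw!r}")
    return value & 0xFFFFFFFF


def decode(raw: str) -> dict:
    """Split the HRESULT into severity, facility and code, attach the symbolic
    name where known, and flag codes in the ISA-specific 0xC00... range."""
    value = normalize_code(raw)
    return {
        "value": value,
        "failure": bool(value >> 31),            # severity bit
        "facility": (value >> 16) & 0x7FF,
        "code": value & 0xFFFF,
        "name": FWX_NAMES.get(value, f"unknown 0x{value:08X}"),
        "isa_specific": (value >> 20) == 0xC00,  # "typically begin with 0xC00"
    }


def triage(raw: str) -> str:
    """Bucket a decoded code the way an analyst would read it: packets the
    firewall dropped or denied, SYN-attack signalling, ordinary connection
    lifecycle codes (Win32 facility), and everything else."""
    info = decode(raw)
    name = info["name"]
    if name.endswith(("_DROPPED", "_DENIED")):
        return "blocked"
    if "SYN_ATTACK" in name:
        return "attack-signal"
    if info["facility"] == FACILITY_WIN32:
        return "lifecycle"
    return "other"


def count_by_bucket(codes: list[str]) -> Counter:
    """Tally a batch of result-code strings, whatever representation each uses."""
    return Counter(triage(c) for c in codes)


if __name__ == "__main__":
    # Constructed batch mixing hex, unsigned and signed-decimal representations.
    batch = ["0xC0040017", "-1073479657", "0x80074E25", "3221487658", "0xC004000D"]
    for c in batch:
        print(c, decode(c)["name"], triage(c))
    print(count_by_bucket(batch))
```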