Thursday, 8 November 2018

TMG - web proxy log fields


Microsoft Forefront TMG 2010 – Web Proxy Log Fields
Bit number
Field name (log viewer)
Field name (W3C)
Description
0
Client IP
c-ip
The IP address of the requesting client.
1
Client Username
cs-username
The user account making the request. A question mark (?) indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous.
2
Client Agent
c-agent
The name and version of the client application sent in the HTTP User-Agent header. When Forefront TMG is actively caching, this field is set to Forefront TMG.
3
Authenticated Client
sc-authenticated
Indicates whether the client has been authenticated with the Forefront TMG computer. Possible values are Y and N.
4
Log Date
date
The date on which the logged event occurred. In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set.
5
Log Time
time
The time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC), so do not treat it as server-local time when correlating with other sources. In the SQL Server Express format, the local date and time are combined in the single logTime field, and the bits for both the date and time fields must be set.
6
Service
s-svcname
The type of service that logged this record. This may be Proxy or Reverse Proxy.
7
Server Name
s-computername
The name of the Forefront TMG server.
8
Referring Server
cs-referred
Reserved for future use.
9
Destination Host Name
r-host
The domain name for the remote computer that provides service to the current request. A hyphen (-) in this field may indicate that an object was retrieved from the local cache and not from the destination.
10
Destination IP
r-ip
The network IP address of the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was sourced from the local cache and not from the destination. One exception is negative caching. In that case, this field contains a destination IP address for which a negative cached object was returned.
11
Destination Port
r-port
The port number on the target computer that provides service to the current connection.
12
Processing Time
time-taken
The total time, in milliseconds, that Forefront TMG took to process the current request. It measures the time elapsed from the time when the server first receives the request to the time when final processing occurs on the server—when results are returned to the client. For cache requests that are processed through Web Proxy filter, the processing time measures the elapsed server time needed to fully process a client request and return an object to the client.
13
Bytes Received
cs-bytes
The number of bytes sent from the remote computer and received by the client during the current request. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. Note that this direction is the reverse of what the W3C cs- (client-to-server) prefix normally denotes; parsers should follow the definitions given here rather than the prefix.
14
Bytes Sent
sc-bytes
The number of bytes sent from the client to the remote computer during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer.
15
Protocol
cs-protocol
The application protocol used for the connection. Common values are HTTP, HTTPS, and FTP.
16
Transport
cs-transport
The transport protocol used for the connection. This is always TCP for Web requests.
17
HTTP Method
s-operation
The HTTP method used. Common values are GET, PUT, POST, and HEAD.
18
URL
cs-uri
The URL requested.
19
MIME Type
cs-mime-type
The MIME type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined for the current object.
20
Object Source
s-object-source
The type of source that was used to retrieve the current object. A table of some possible values is provided in Web proxy object source log values.
21
HTTP Status Code
sc-status
A Windows (Win32®) error code (for values less than 100), an HTTP status code (for values between 100 and 1,000), a Winsock error code (for values between 10,004 and 11,031), or a Forefront TMG error code. A table of some possible values is provided in Result code log values.
22
Cache Information
s-cache-info
A number reflecting the cache status of the object, which indicates the reasons why the object was or was not cached. The number logged is the sum of the values for all the conditions that are met. A table of the possible values is provided in Web proxy cache log values.
23
Rule
rule
The rule that either allowed or denied access to the request, as follows:
If an outgoing request was allowed, this field indicates the access rule that allowed the request.
If an outgoing request was denied by a policy rule, this field indicates the access rule that blocked the request.
If an incoming request was denied by a policy rule, this field indicates the Web publishing or server publishing rule that denied the request.
If Forefront TMG denied the connection for any reason other than a policy rule (for example, because of an intrusion attempt or because a flood-resiliency threshold was exceeded), this field contains a hyphen (-), and the Result Code field (bit 21, sc-status) indicates the reason.
24
Filter Information
FilterInfo
Information supplied by a Web filter. For example, if HTTP Filter rejected a request, this field contains the reason for the rejection.
25
Source Network
cs-Network
The network from which the request originated.
26
Destination Network
sc-Network
The network for which the request was destined.
27
Error information
error-info
A 32-bit bitmask that provides additional information about the request that can help identify the source of the error if an error occurred. A table of the possible bit fields is provided in Web proxy error log values.
28
Action
action
The action performed by the Microsoft Firewall Service for the current session or connection. The possible values are defined in the FpcAction enumerated type.
29
GMT Log Time
GmtLogTime
The date and time in Coordinated Universal Time (UTC) when the log entry was made.
30
Authentication Server
AuthenticationServer
The name of the authentication server.
31
NIS Scan Result
NIS scan result
The result of NIS scanning of the traffic or the connection (inspected/detected/blocked).
32
NIS Signature
NIS signature
The NIS signature whose detection resulted in the traffic being blocked.
33
Threat Name
ThreatName
The string describing the threat.
34
Malware Inspection Action
MalwareInspectionAction
Describes the action performed on the inspected content. Possible values are Allowed, Cleaned, or Blocked.
35
Malware Inspection Result
MalwareInspectionActionResult
Describes the outcome of the malware inspection process. Possible values include:
No Violation Detected
Low and Medium Level Threats Not Blocked
Infected File
Suspicious File
Encrypted File
Maximum Archive Nesting Exceeded
Maximum Size Exceeded
Maximum Unpacked File Size Exceeded
Unknown Encoding
Corrupted File
Time Out
Storage Space Limit Exceeded
Unknown
Malware Inspection Disabled
Malware Inspection Disabled for the Matching Policy Rule
Malware Inspection Disabled for the Matching Web Chaining Rule
Destination Included in Malware Inspection Exceptions List
Response Originated from Proxy Server
Request Served by Malware Inspection Web Filter
Request/Response Pair Identified as Exempted Protocol Message
Response Identified as a 200 Response to a CONNECT Request
Response Scanned Before Being Routed by CARP (this is not relevant for Forefront TMG in the Essential Business Server scenario).
36
URL Category
UrlCategory
Specifies the URL category that is assigned to the requested URL.
37
Content Delivery Method
MalwareInspectionContentDeliveryMethod
Specifies whether users were informed by trickling partial content, or progress notifications.
38
UAG Array Id
UAG Array ID
The array name of the message's array context.
39
UAG Version
-
Not in use.
40
UAG Module Id
UAG module name
The name of the module that produced the message.
41
UAG Id
-
Not in use.
42
UAG Severity
UAG message severity
The message severity (Error, Warning, Information, Notice).
43
UAG Type
Type of message
The type of the message (Security, Application, System, Session).
44
UAG Event Name
-
Not in use.
45
UAG Session Id
UAG session ID
The ID of the session which is the context of the message.
46
UAG Trunk Name
UAG trunk name
The name of the trunk which is the context of the message.
47
UAG Service Name
UAG service name
The name of the UAG service that generated the message.
48
UAG Error Code
UAG message ID
Specifies the UAG message ID.
49
Malware Inspection Duration (msec)
MalwareInspectionDuration
Specifies the inspection duration in milliseconds. If content is not inspected, 0 is shown. Inspected content shows a minimum value of 1.
50
Threat Level
MalwareInspectionThreatLevel
Shows the threat level. Possible values include:
Low
Medium
High
Severe
51
Internal Service Info Log Fields
internal-service-info
Internal
52
NIS Application Protocol
NIS application protocol
The application protocol in which NIS detected the signature.
53
NAT Address
NAT Address
Public IP address used as a source IP for outbound traffic.
54
URL Categorization Reason
UrlCategorizationReason
The reason for the URL categorization.
Possible values include:
For successful categorizations:
From overrides
From cache
From Web service
For unknown:
Feature disabled
Not in database
Connection error
Web service down
License expired
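The table above is what you need when writing a parser or detection rule over TMG web proxy logs. The following Python is an added example (not code from this page or from Microsoft): it reads W3C-format records by their #Fields directive, maps TMG's hyphen to a missing value, classifies sc-status using the ranges listed for field 21, and tags records using the conventions described above (a "?" username, a hyphen in r-host, a missing rule, a malware inspection verdict). It assumes tab-separated data lines and a "#Fields:" directive naming the enabled columns, which the page does not state; the sample log is constructed, with invented hosts, users, rule names, object-source strings and threat name.

```python
"""Added example, not from this page or from Microsoft: parse Forefront TMG
web proxy logs in W3C extended format and triage records with the field
definitions above. Assumed, since the page does not say: data lines are
tab-separated and a '#Fields:' directive names the enabled columns in order.
The sample log is constructed (invented hosts, users, object sources, threat)."""
from collections import defaultdict

# Constructed sample. Only fields whose W3C names are single tokens are used,
# so the #Fields directive splits on whitespace without ambiguity.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft(R) Forefront(TM) Threat Management Gateway 7.0",
    "#Version: 2.0",
    "#Fields: c-ip cs-username sc-authenticated date time r-host r-ip r-port "
    "time-taken cs-bytes sc-bytes s-operation cs-uri s-object-source sc-status "
    "rule MalwareInspectionAction MalwareInspectionActionResult ThreatName",
    "\t".join(["10.0.0.15", "CORP\\alice", "Y", "2018-11-08", "09:15:02",
               "www.example.com", "93.184.216.34", "80", "312", "5120", "640",
               "GET", "http://www.example.com/", "Internet", "200", "Allow Web",
               "Allowed", "No Violation Detected", "-"]),
    "\t".join(["10.0.0.15", "CORP\\alice", "Y", "2018-11-08", "09:15:03",
               "-", "-", "80", "4", "2048", "600", "GET",
               "http://www.example.com/logo.png", "Cache", "200", "Allow Web",
               "Allowed", "No Violation Detected", "-"]),
    "\t".join(["10.0.0.22", "?", "N", "2018-11-08", "09:16:10",
               "blocked.example.net", "198.51.100.7", "80", "9", "0", "0", "GET",
               "http://blocked.example.net/", "Internet", "12202",
               "Block Uncategorized", "-", "-", "-"]),
    "\t".join(["10.0.0.31", "CORP\\bob", "Y", "2018-11-08", "09:17:45",
               "dl.example.org", "203.0.113.9", "80", "2210", "81920", "0",
               "GET", "http://dl.example.org/setup.exe", "Internet", "200",
               "Allow Web", "Blocked", "Infected File", "TestSample.Constructed"]),
    "\t".join(["10.0.0.40", "CORP\\carol", "Y", "2018-11-08", "09:18:01",
               "slow.example.com", "192.0.2.50", "443", "21000", "0", "0",
               "CONNECT", "slow.example.com:443", "Internet", "10060",
               "-", "-", "-", "-"]),
])


def parse_w3c(text):
    """One dict per data line, keyed by W3C field name. Columns come from the
    #Fields directive, so the parser follows whatever subset of fields the
    administrator enabled. A hyphen (TMG's 'not provided') becomes None."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue
        elif not fields:
            raise ValueError("data line before #Fields directive")
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
            records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def classify_status(code):
    """Namespace of an sc-status value, using the ranges given for field 21."""
    if code < 100:
        return "win32"
    if code <= 1000:
        return "http"
    if 10004 <= code <= 11031:
        return "winsock"
    return "tmg"


def triage(rec):
    """Tags worth a second look, each derived from a field definition above.
    Expects the fields used here to be enabled in the log."""
    tags = []
    if rec["cs-username"] == "?":       # name sent, but not authenticated by TMG
        tags.append("username-sent-but-not-authenticated")
    if rec["r-host"] is None:           # hyphen: likely served from the local cache
        tags.append("no-destination-host")
    status = int(rec["sc-status"])
    kind = classify_status(status)
    if kind != "http":                  # Win32, Winsock or TMG code, not an HTTP status
        tags.append(f"{kind}-result-code:{status}")
    if rec["rule"] is None:             # no rule: denied or failed outside policy,
        tags.append("no-policy-rule")   # and sc-status carries the reason
    if rec.get("MalwareInspectionAction") == "Blocked":
        tags.append("malware-blocked:" + (rec.get("ThreatName") or "unknown"))
    elif rec.get("MalwareInspectionActionResult") in ("Infected File", "Suspicious File"):
        tags.append("malware-not-blocked")
    return tags


def bytes_per_client(records):
    """Per-client volume. By the definitions above, cs-bytes is what the client
    received from the remote host and sc-bytes what it sent there (the reverse
    of the usual W3C cs-/sc- reading); hyphen or negative means unknown -> 0."""
    totals = defaultdict(lambda: {"down": 0, "up": 0})
    for rec in records:
        totals[rec["c-ip"]]["down"] += max(0, int(rec["cs-bytes"] or 0))
        totals[rec["c-ip"]]["up"] += max(0, int(rec["sc-bytes"] or 0))
    return dict(totals)
```

Run it with `for r in parse_w3c(SAMPLE_LOG): print(r["c-ip"], triage(r))`. Reading the column layout from the #Fields directive rather than hard-coding positions matters because the bit numbers in the table only say which fields can be enabled; an administrator who turns a field off shifts every column after it. The bytes_per_client helper exists mainly to make the cs-bytes/sc-bytes direction explicit: an "upload volume" alert built on the usual W3C reading of cs-bytes would measure downloads instead.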
