
Microsoft Internet Security and Acceleration Server 2004/2006 SDK

Web Proxy Log Fields


The following table lists the log fields that can be included in ISA Server Web proxy log entries by setting the corresponding bit in the LogFieldSelection [ http://msdn.microsoft.com/en-us/library/ms819014(printer).aspx ] property of the FPCLog [ http://msdn.microsoft.com/en-us/library/ms819023(printer).aspx ] object for Web proxy logging.
© 2008 Microsoft Corporation. All rights reserved.

| Bit number | Field name (log viewer) | Field name (MSDE databases) | Field name (W3C files) | Description |
|---|---|---|---|---|
| 0 | Client IP | ClientIP | c-ip | The Internet Protocol (IP) [ http://msdn.microsoft.com/en-us/library/aa503230(printer).aspx ] address of the requesting client. |
| 1 | Client Username | ClientUserName | cs-username | The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by ISA Server. If ISA Server access control is not being used, ISA Server uses Anonymous. |
| 2 | Client Agent | ClientAgent | c-agent | The name and version of the client application sent by the client in the Hypertext Transfer Protocol (HTTP) [ http://msdn.microsoft.com/en-us/library/ms826764(printer).aspx ] User-Agent header. When ISA Server is actively caching, this field is set to ISA Server. |
| 3 | Authenticated Client | ClientAuthenticate | sc-authenticated | A value that indicates whether the client has been authenticated with the ISA Server computer. Possible values are Y and N. |
| 4 | Log Date | logTime | date | The date on which the logged event occurred. In the MSDE format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 5 | Log Time | logTime | time | The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the MSDE format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 6 | Service | service | s-svcname | The name of the service that is logged. For example, fwsrv indicates the Microsoft Firewall service. |
| 7 | Server Name | servername | s-computername | The name of the ISA Server computer. This is the computer name assigned in Windows Server 2003 and Windows 2000. |
| 8 | Referring Server | referredserver | cs-referred | The URL [ http://msdn.microsoft.com/en-us/library/aa503419(printer).aspx ] of the resource that supplied the requested URL to the client, as indicated in the Referrer header of the request (not supported in ISA Server 2004). |
| 9 | Destination Host Name | DestHost | r-host | The domain name for the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was retrieved from the local cache and not from the destination. |
| 10 | Destination IP | DestHostIP | r-ip | The network IP address of the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was sourced from the local cache and not from the destination. One exception is negative caching [ http://msdn.microsoft.com/en-us/library/aa503250(printer).aspx ]. In that case, this field contains a destination IP address for which a negative cached object was returned. |
| 11 | Destination Port | DestHostPort | r-port | The reserved port number [ http://msdn.microsoft.com/en-us/library/aa503258(printer).aspx ] on the remote computer that provides service to the current connection. This is used by the client application initiating the request. |
| 12 | Processing Time | processingtime | time-taken | The total time, in milliseconds, that is needed by ISA Server to process the current connection. It measures the time elapsed from the time when the server first receives the request to the time when final processing occurs on the server, when results are returned to the client and the connection is closed. For cache requests that are processed through the ISA Server Web proxy, the processing time measures the elapsed server time needed to fully process a client request and return an object from the server cache to the client. |
| 13 | Bytes Received | bytesrecvd | cs-bytes | The number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 14 | Bytes Sent | bytessent | sc-bytes | The number of bytes sent from the client to the remote computer during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer. |
| 15 | Protocol | protocol | cs-protocol | The application protocol used for the connection. Common values are http for Hypertext Transfer Protocol, https for Secure HTTP, and ftp for File Transfer Protocol [ http://msdn.microsoft.com/en-us/library/ms826736(printer).aspx ]. |
| 16 | Transport | transport | cs-transport | The transport protocol used for the connection. Common values are Transmission Control Protocol (TCP) [ http://msdn.microsoft.com/en-us/library/aa503408(printer).aspx ] and User Datagram Protocol (UDP) [ http://msdn.microsoft.com/en-us/library/aa503419(printer).aspx ]. |
| 17 | HTTP Method | operation | s-operation | The HTTP method used. Common values are GET, PUT, POST, and HEAD. |
| 18 | URL | uri | cs-uri | The URL requested. |
| 19 | MIME Type | mimetype | cs-mime-type | The Multipurpose Internet Mail Extensions (MIME) [ http://msdn.microsoft.com/en-us/library/aa503246(printer).aspx ] type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined or supported by the remote computer. |
| 20 | Object Source | objectsource | s-object-source | The type of source that was used to retrieve the current object. A table of some possible values is provided in Object Source Values. |
| 21 | Result Code | resultcode | sc-status | A Windows (Win32) error code (for values less than 100), an HTTP status code (for values between 100 and 1,000), a Winsock error code (for values between 10,004 and 11,031), or an ISA Server error code. A table of some possible values is provided in Result Code Values. For more information about ISA Server error codes, see Error Codes [ http://msdn.microsoft.com/en-us/library/ms812624(printer).aspx ]. |
| 22 | Cache Info | CacheInfo | s-cache-info | A number reflecting the cache status of the object, which indicates the reasons why the object was or was not cached. The number logged is the sum of the values for all the conditions that are met. A table of the possible values is provided in Cache Information Values. |
| 23 | Rule | rule | rule | The rule that either allowed or denied access to the request, as follows: If an outgoing request was allowed, this field indicates the access rule that allowed the request. If an outgoing request was denied by a policy rule, this field indicates the access rule that blocked the request. If an incoming request was denied by a policy rule, this field indicates the Web publishing or server publishing rule that denied the request. If ISA Server denied the connection for any reason other than a policy rule, this field contains a hyphen (-), and the Result Code field indicates the reason. |
| 24 | Filter Information | FilterInfo | FilterInfo | Information supplied by a Web filter. For example, if HTTP Filter rejected a request, this field contains the reason for the rejection. |
| 25 | Source Network | SrcNetwork | cs-Network | The network from which the request originated. |
| 26 | Destination Network | DstNetwork | sc-Network | The network to which the request was sent. |
| 27 | Error info (ErrorInfo) | ErrorInfo | error-info | A 32-bit bitmask that provides additional information about the request that can help identify the source of the error if an error occurred. A table of the possible bit fields is provided in Error Information Bit Fields. |
| 28 | Action | Action | action | The action performed by the Microsoft Firewall service [ http://msdn.microsoft.com/en-us/library/aa503246(printer).aspx ] for the current session or connection. The possible values are defined in the FpcAction [ http://msdn.microsoft.com/en-us/library/ms813019(printer).aspx ] enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 29 | GMT Log Time | GmtLogTime | GmtLogTime | The date and time in Coordinated Universal Time (UTC) when the log entry was made (not available in ISA Server 2004 Standard Edition). |
| 30 | Authentication Server | AuthenticationServer | AuthenticationServer | The name of the LDAP [ http://msdn.microsoft.com/en-us/library/aa503238(printer).aspx ] server or RADIUS [ http://msdn.microsoft.com/en-us/library/aa503377(printer).aspx ] server that was used for authentication (introduced in ISA Server 2006). |

Object Source Values

| Source values | Description |
|---|---|
| 0 | No source information is available. |
| Cache | Source is the cache. Object returned from cache. |
| Inet | Source is the Internet. Object added to cache. |
| Member | Returned from another array member. |
| NotModified | Source is the cache. Client performed an If-Modified-Since request and object had not been modified. |
| NVCache | Source is the cache. Object could not be verified to source. |
| Upstream | Object returned from an upstream proxy cache. |
| Vcache | Source is the cache. Object was verified to source and had not been modified. |
| VFInet | Source is the Internet. Cached object was verified to source and had been modified. |

Result Code Values

| Value | Description |
|---|---|
| 0 | The operation completed successfully. |
| 200 | OK. |
| 201 | Created. |
| 202 | Accepted. |
| 204 | No content. |
| 301 | Moved permanently. |
| 302 | Moved temporarily. |
| 304 | Not modified. |
| 400 | Bad request. |
| 401 | Unauthorized. |
| 403 | Forbidden. |
| 404 | Not found. |
| 500 | Server error. |
| 501 | Not implemented. |
| 502 | Bad gateway. |
| 503 | Out of resources. |
| 995 | Operation aborted. |
| 10060 | A connection timed out. |
| 10061 | A connection was refused by the destination host. |
| 10065 | No route to host. |
| 11001 | Host not found. |
| 12217 | The request was rejected by HTTP Filter. |

Cache Information Values

| Value | Description |
|---|---|
| 0x00000001 | Request should not be served from the cache. |
| 0x00000002 | Request includes the IF-MODIFIED-SINCE header. |
| 0x00000004 | Request includes one of these headers: CACHE-CONTROL:NO-CACHE or PRAGMA:NO-CACHE. |
| 0x00000008 | Request includes the AUTHORIZATION header. |
| 0x00000010 | Request includes the VIA header. |
| 0x00000020 | Request includes the IF-MATCH header. |
| 0x00000040 | Request includes the RANGE header. |
| 0x00000080 | Request includes the CACHE-CONTROL: NO-STORE header. |
| 0x00000100 | Request includes the CACHE-CONTROL: MAX-AGE, or CACHE-CONTROL: MAX-STALE, or CACHE-CONTROL: MIN-FRESH header. |
| 0x00000200 | Cache could not be updated. |
| 0x00000400 | IF-MODIFIED-SINCE time specified in the request is newer than cached LASTMODIFIED time. |
| 0x00000800 | Request includes the CACHE-CONTROL: ONLY-IF-CACHED header. |
| 0x00001000 | Request includes the IF-NONE-MATCH header. |
| 0x00002000 | Request includes the IF-UNMODIFIED-SINCE header. |
| 0x00004000 | Request includes the IF-RANGE header. |
| 0x00008000 | More than one VARY header. |
| 0x00010000 | Response includes the CACHE-CONTROL: PUBLIC header. |
| 0x00020000 | Response includes the CACHE-CONTROL: PRIVATE header. |
| 0x00040000 | Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. |
| 0x00080000 | Response includes the CACHE-CONTROL: NO-STORE header. |
| 0x00100000 | Response includes either the CACHE-CONTROL: MUST-REVALIDATE or CACHE-CONTROL: PROXY-REVALIDATE header. |
| 0x00200000 | Response includes the CACHE-CONTROL: MAX-AGE or S-MAXAGE header. |
| 0x00400000 | Response includes the VARY header. |
| 0x00800000 | Response includes the LAST-MODIFIED header. |
| 0x01000000 | Response includes the EXPIRES header. |
| 0x02000000 | Response includes the SET-COOKIE header. |
| 0x04000000 | Response includes the WWW-AUTHENTICATE header. |
| 0x08000000 | Response includes the VIA header. |
| 0x10000000 | Response includes the AGE header. |
| 0x20000000 | Response includes the TRANSFER-ENCODING header. |
| 0x40000000 | Response should not be cached. |

Error Information Bit Fields

| Value | Descriptive code |
|---|---|
| 0x00000001 | ERROR_INFO_IO_RECV_FROM_CLIENT |
| 0x00000002 | ERROR_INFO_IO_SEND_TO_CLIENT |
| 0x00000004 | ERROR_INFO_IO_SEND_TO_SERVER |
| 0x00000008 | ERROR_INFO_IO_RECV_FROM_SERVER |
| 0x00000010 | ERROR_INFO_DEST_IS_MEMBER |
| 0x00000020 | ERROR_INFO_CLIENT_IS_MEMBER |
| 0x00000040 | ERROR_INFO_DURING_CONNECT |
| 0x00000080 | ERROR_INFO_CLIENT_KA |
| 0x00000100 | ERROR_INFO_SERVER_KA |
| 0x00000200 | ERROR_INFO_REQUEST_HAS_BODY |
| 0x00000400 | ERROR_INFO_RESPONSE_HAS_BODY |
| 0x00000800 | ERROR_INFO_IP_FROM_DNS_CACHE |

See Also
Log Fields [ http://msdn.microsoft.com/en-us/library/aa503237(printer).aspx ]
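
The Result Code ranges, the hyphen convention of the Rule field and the Error Information Bit Fields table can be applied mechanically when triaging W3C records. The following is an added example, not code from the SDK documentation; it assumes tab-delimited lines introduced by a "#Fields:" directive, mask values logged as hex or decimal, and a "?" marker located inside the cs-username value. The function names and sample lines are constructed for illustration.

```python
# Added example, not SDK code. Assumed: tab-delimited W3C lines with a "#Fields:" directive,
# masks logged as hex or decimal, and the "?" marker appearing inside the cs-username value.
ERROR_INFO_BITS = (  # index in the resulting list == bit position in error-info
    "IO_RECV_FROM_CLIENT IO_SEND_TO_CLIENT IO_SEND_TO_SERVER IO_RECV_FROM_SERVER "
    "DEST_IS_MEMBER CLIENT_IS_MEMBER DURING_CONNECT CLIENT_KA SERVER_KA "
    "REQUEST_HAS_BODY RESPONSE_HAS_BODY IP_FROM_DNS_CACHE").split()

def to_int(text):  # '200' or '0x44' -> int; '-' or a missing field -> None
    try:
        return int(text, 0)
    except (TypeError, ValueError):
        return None

def classify_result(code):
    """Code family per the Result Code row (upper bound 1,000 taken as inclusive)."""
    if code is None:
        return "unknown"
    if code <= 1000:
        return "win32" if code < 100 else "http"
    return "winsock" if 10004 <= code <= 11031 else "isa"

def decode_error_info(mask):
    """Expand the error-info bitmask into descriptive codes; keep undocumented bits."""
    names = ["ERROR_INFO_" + n for i, n in enumerate(ERROR_INFO_BITS) if (mask >> i) & 1]
    rest = mask & ~((1 << len(ERROR_INFO_BITS)) - 1)
    return names + ([f"UNDOCUMENTED_0x{rest:08X}"] if rest else [])

def triage(lines):
    fields, out = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif fields and line.strip() and not line.startswith("#"):
            rec = dict(zip(fields, line.rstrip("\r\n").split("\t")))
            out.append({
                "client": rec.get("c-ip"),
                "family": classify_result(to_int(rec.get("sc-status"))),
                "errors": decode_error_info(to_int(rec.get("error-info")) or 0),
                "unauthenticated": "?" in rec.get("cs-username", ""),
                "no_policy_rule": rec.get("rule", "-") == "-",  # reason is in sc-status
            })
    return out

SAMPLE = [  # constructed lines, not real traffic
    "#Fields: c-ip\tcs-username\tsc-status\trule\terror-info",
    "10.0.0.5\tCONTOSO\\alice\t200\tAllow Web\t0x0",
    "10.0.0.9\tbob?\t10061\t-\t0x44",
    "10.0.0.7\tanonymous\t12217\tAllow Web\t0x201",
]
```

Calling triage(SAMPLE) returns one dictionary per data line; the s-cache-info sum can be expanded the same way by swapping in the Cache Information Values table.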
Page 8 of 8 Web Proxy Log Fields
03/07/2008 http://msdn.microsoft.com/en-us/library/aa503433(printer).aspx