ISA Server Enterprise Edition > Concepts > Using ISA Server > Monitoring and Reporting > Logging

Firewall and Web Proxy log fields

You can use the Microsoft Internet Security and Acceleration (ISA) Server log to monitor and analyze the status of the Firewall and Web Proxy services.

The table below lists the fields that you can include in each of the ISA Server log files. For configuration instructions, see Specify fields to log. The field name noted in parentheses is relevant when you use the World Wide Web Consortium (W3C) extended log file format.

Some fields are relevant for either Web Proxy Service or Firewall Service, but not both. In this case, the table indicates which service the field applies to. Note that, in ISA Server log format, the field will appear in the log with a hyphen (-). In W3C log file format, the field will not appear at all, if it is not applicable to the service.

Field position

Descriptive name (field name)

Description

Client IP
(c-ip)

The Internet Protocol (IP) address of the requesting client.

Client user name
(cs-username)

Account of the user making the request. If ISA Server Access Control is not being used, ISA Server uses anonymous.

Client agent
(c-agent)

The client application type sent by the client in the Hypertext Transfer Protocol (HTTP) header. When ISA Server is actively caching, the client agent is ISA Server.
For Firewall service, this field includes information about the client's operating system. Click here to see a table of possible values.

Authentication status
(sc-authenticated)

Indicates whether or not client has been authenticated with ISA Server. Possible values are Y and N.

Date
(date)

The date that the logged event occurred.

Time
(time)

The time that the logged event occurred. In W3C format, this is in Greenwich mean time.

Service name
(s-svcname)

The name of the service that is logged.

•	w3proxy indicates outgoing Web requests to the Web Proxy service.
•	fwsrv indicates Firewall service.
•	w3reverseproxy indicates incoming Web requests to the Web Proxy service.

Proxy name
(s-computername)

The name of the computer running ISA Server. This is the computer name that is assigned in Windows 2000.

Referring server name
(cs-referred)

If ISA Server is used upstream in a chained configuration, this indicates the server name of the downstream server that sent the request.

Destination name
(r-host)

The domain name for the remote computer that provides service to the current connection. For the Web Proxy service, a hyphen (-) in this field may indicate that an object was retrieved from the Web Proxy server cache and not from the destination.

Destination IP
(r-ip)

The network IP address for the remote computer that provides service to the current connection. For the Web Proxy service, a hyphen (-) in this field may indicate that an object was sourced from the Web Proxy server cache and not from the destination. One exception is negative caching. In that case, this field indicates a destination IP address for which a negative-cached object was returned.

Destination port
(r-port)

The reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request.

Processing time
(time-taken)

This indicates the total time, in milliseconds, that is needed by ISA Server to process the current connection. It measures elapsed server time from the time that the server first received the request to the time when final processing occurred on the server—when results were returned to the client and the connection was closed.

For cache requests that were processed through the Web Proxy service, processing time measures the elapsed server time needed to fully process a client request and return an object from the server cache to the client.

Bytes sent
(cs-bytes)

The number of bytes sent from the internal client to the external server during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer.

Bytes received
(sc-bytes)

The number of bytes sent from the external computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the external computer.

Protocol name
(cs-protocol)

Specifies the application protocol used for the connection. Common values are HTTP, File Transfer Protocol (FTP), Gopher, and Secure Hypertext Transfer Protocol (HTTPS).
For Firewall service, the port number is also logged.

Transport
(cs-transport)

Specifies the transport protocol used for the connection. Common values are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

Operation
(s-operation)

Specifies the application method used. For Web Proxy, common values are GET, PUT, POST, and HEAD.
For Firewall service, common values are CONNECT, BIND, SEND, RECEIVE, GHBN (GetHostByName), and GHBA (GetHostByAddress).

Object name
(cs-uri)

For the Web Proxy service, this field shows the contents of the URL request. This field applies only to the Web Proxy service log.

Object MIME
(cs-mime-type)

The Multipurpose Internet Mail Extensions (MIME) type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined or supported by the remote computer. This field applies only to the Web Proxy service log.

Object source
(s-object-source)

Indicates the source that was used to retrieve the current object. This field applies only to the Web Proxy service log. Click here to see a table of some possible values.

Result code
(sc-status)

This field can be used to indicate:

•	For values less than 100, a Windows (Win32) error code
•	For values between 100 and 1,000, an HTTP status code
•	For values between 10,000 and 11,004, a Winsock error code

Click here to see a table of some possible values.

Cache info
(s-cache-info)

This number reflects the cache status of the object, which indicates why the object was or was not cached. This field applies only to the Web Proxy service log. Click here to see a table of some possible values.

Rule #1
(rule#1)

This reflects the rule that either allowed or denied access to the request, as follows:

•	If an outgoing request is allowed, this field reflects the protocol rule that allowed the request.
•	If an outgoing request is denied by a protocol rule, this field reflects the protocol rule.
•	If an outgoing request is denied by a site and content rule, this field reflects the protocol rule that would have allowed the request.
•	If an incoming request was denied, this field reflects the Web publishing or server publishing rule that denied the request.
•	If no rule specifically allowed the outgoing or incoming request, the request is denied. In this case, the field is empty.

Rule #2
(rule#2)

This reflects the second rule that either allowed or denied access to the request.

•	If an outgoing request is allowed, this field reflects the site and content rule that allowed the request.
•	If an outgoing request is denied by a site and content rule, this field reflects the site and content rule that denied the request.
•	If no rule specifically allowed the outgoing or incoming request, the request is denied. In this case, the field is empty.

Session ID
(sessionid)

This identifies a session's connections. For Firewall clients, each process that connects through the Firewall service initiates a session. For secure network address translation (SecureNAT) clients, a single session is opened for all the connections that originate from the same IP address. This field is not included in the Web Proxy service log. This field applies only to the Firewall service log.

Connection ID
(connectionid)

This identifies entries that belong to the same socket. Outbound TCP usually has two entries for each connection: when the connection is established and when the connection is terminated. UDP usually has two entries for each remote address. This field is not included in the Web Proxy service log. This field applies only to the Firewall service log.

Object source values

Source values	Description
0	No source information is available.
Cache	Source is the cache. Object returned from cache.
Inet	Source is the Internet. Object added to cache.
Member	Returned from another array member.
NotModified	Source is the cache. Client performed an If-Modified-Since request and object had not been modified.
NVCache	Source is the cache. Object could not be verified to source.
Upstream	Object returned from an upstream proxy cache.
Vcache	Source is the cache. Object was verified to source and had not been modified.
VFInet	Source is the Internet. Cached object was verified to source and had been modified.

Click here to return to ISA Server log file fields.

Top of page

Result code values

Value	Description
200	OK - Successful connection
201	Created
202	Accepted
204	No content
301	Moved permanently
302	Moved temporarily
304	Not modified
400	Bad request
401	Unauthorized
403	Forbidden
404	Not found
500	Internal server error
501	Not implemented
502	Bad gateway
503	Service unavailable
10060	Connection timed out
10061	Connection refused by destination
10065	Host unreachable
11001	Host not found

Click here to return to ISA Server log file fields.

Top of page

Cache info values

Value	Description
0x00000001	Request should not be served from the cache
0x00000002	Request includes the IF-MODIFIED-SINCE header
0x00000004	Request includes one of these headers: CACHE-CONTROL:NO-CACHE or PRAGMA:NO-CACHE
0x00000008	Request includes the AUTHORIZATION header
0x00000010	Request includes the VIA header
0x00000020	Request includes the IF-MATCH header
0x00000040	Request includes the RANGE header
0x00000080	Request includes the CACHE-CONTROL: NO-STORE header
0x00000100	Request includes the CACHE-CONTROL: MAX-AGE, or CACHE-CONTROL: MAX-STALE or CACHE-CONTROL: MIN-FRESH header
0x00000200	Cache could not be updated.
0x00000400	IF-MODIFIED-SINCE time specified in the request is newer than cached LASTMODIFIED time
0x00000800	Request includes the CACHE-CONTROL: ONLY-IF-CACHED header
0x00001000	Request includes the IF-NONE-MATCH header
0x00002000	Request includes the IF-UNMODIFIED-SINCE header
0x00004000	Request includes the IF-RANGE header
0x00008000	More than one VARY header
0x00010000	Response includes the CACHE-CONTROL: PUBLIC header
0x00020000	Response includes the CACHE-CONTROL: PRIVATE header
0x00040000	Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header

0x00080000	Response includes the CACHE-CONTROL: NO-STORE header
0x00100000	Response includes either the CACHE-CONTROL: MUST-REVALIDATE or CACHE-CONTROL: PROXY-REVALIDATE header
0x00200000	Response includes the CACHE-CONTROL: MAX-AGE or S-MAXAGE header
0x00400000	Response includes the VARY header
0x00800000	Response includes the LAST-MODIFIED header
0x01000000	Response includes the EXPIRES header
0x02000000	Response includes the SET-COOKIE header
0x04000000	Response includes the WWW-AUTHENTICATE header
0x08000000	Response includes the VIA header
0x10000000	Response includes the AGE header
0x20000000	Response includes the TRANSFER-ENCODING header
0x40000000	Response should not be cached.

Click here to return to ISA Server log file fields.

Top of page

Operating system values

Value	Description
0:3.95	Windows 95 (16-bit)
2:4.10	Windows 98 (32-bit)
2:4.0	Windows 95 (32-bit)
3:4.0	Windows NT 4.0
3:5.0	Windows 2000

Click here to return to Client agent.

Top of page