Internet Connection Firewall security log file overview
The Internet Connection Firewall (ICF) security log allows advanced users to choose which information to log. With ICF security logging you can:
When you select the Log dropped packets check box, information is collected about each attempt by traffic to travel across the firewall that is detected and denied by ICF. For example, if your Internet Control Message Protocol (ICMP) settings do not allow incoming echo requests, such as those sent by the Ping and Tracert commands, and an echo request from outside your network is received, the echo request is dropped and an entry is made in the log.
When you select the Log successful outbound connections check box, information is collected about each connection that successfully travels outbound across the firewall. For example, when anyone on your network successfully connects to a Web site using Internet Explorer, an entry is produced in the log.
The security log is produced using the W3C Extended Log File Format, a format that is also used by common log analysis tools. For information about how to view an ICF security log, see View the security log. To save the firewall log using your choice of name and location, see Change the path and file name of the security log.
The Internet Connection Firewall security log has two sections: a header, made up of the lines that begin with #, which identifies the log version and lists the fields each entry contains, and a body, which holds one entry per logged event in the field order given by the header.
ICF security logging is not enabled by default.
The following tables define the information that is kept in the security log. The first table covers the header lines; the second covers the fields of each body entry.
#Version:
  Displays which version of the Internet Connection Firewall security log format is in use.
  Example: 1.0
#Software:
  Provides the name of the software that produced the security log.
  Example: Microsoft Internet Connection Firewall
#Time:
  Indicates that all of the timestamps in the log are in local time.
  Example: Local
#Fields:
  Displays a static list of the fields that are available for security log entries, if data is available.
  Example: date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, and info
date
  Specifies the year, month, and day on which the recorded transaction occurred. Dates are recorded in the format YYYY-MM-DD, where YYYY is the year, MM is the month, and DD is the day.
  Example: 2001-01-27
time
  Specifies the hour, minute, and second at which the recorded transaction occurred. Times are recorded in the format HH:MM:SS, where HH is the hour in 24-hour format, MM is minutes, and SS is seconds.
  Example: 21:36:59
action
  Specifies which operation was observed by the firewall. The options available to the firewall are OPEN, CLOSE, DROP, and INFO-EVENTS-LOST. An INFO-EVENTS-LOST action indicates that events happened but were not placed in the log; the number of lost events is recorded in the info field.
  Example: OPEN, CLOSE, DROP, and INFO-EVENTS-LOST
protocol
  Specifies which protocol was used for the communication. A protocol entry can also be a number, for packets that are not TCP, UDP, or ICMP.
  Example: TCP, UDP, ICMP
src-ip
  Specifies the source IP address (the IP address of the computer attempting to establish communications). The source IP is recorded in dotted-decimal format.
  Example: 192.168.0.1
dst-ip
  Specifies the destination IP address (the IP address of the destination of a communication attempt). The destination IP is recorded in dotted-decimal format.
  Example: 192.168.0.1
src-port
  Specifies the source port number of the sending computer. A src-port entry is recorded in the form of a whole number, ranging from 1 to 65,535. Only TCP and UDP will return a valid src-port entry. All other protocols are invalid for src-port, and will result in an entry of -.
  Example: 4039
dst-port
  Specifies the port of the destination computer. A dst-port entry is recorded in the form of a whole number, ranging from 1 to 65,535. Only TCP and UDP will return a valid dst-port entry. All other protocols are invalid for dst-port, and will result in an entry of -.
  Example: 53
size
  Specifies the packet size in bytes.
  Example: 60
tcpflags
  Specifies the TCP control flags found in the TCP header of an IP packet. Flags are written as uppercase letters, one letter per flag that is set: A (ACK), F (FIN), P (PSH), R (RST), S (SYN), and U (URG). The entry information for tcpflags is provided for users with an in-depth knowledge of Transmission Control Protocol (TCP). Additional information about TCP can be found in RFC 793.
  Example: AFP
tcpsyn
  Specifies the TCP sequence number in the packet. The entry information for tcpsyn is provided for users with an in-depth knowledge of TCP.
  Example: 1315819770
tcpack
  Specifies the TCP acknowledgement number in the packet. The entry information for tcpack is provided for users with an in-depth knowledge of TCP.
  Example: 0
tcpwin
  Specifies the TCP window size in bytes in the packet. The entry information for tcpwin is provided for users with an in-depth knowledge of TCP.
  Example: 64240
icmptype
  Specifies a number that represents the Type field of the ICMP message.
  Example: 8
icmpcode
  Specifies a number that represents the Code field of the ICMP message.
  Example: 0
info
  Specifies an information entry that depends on the type of action that occurred. For example, an INFO-EVENTS-LOST action will cause an entry of the number of events that happened, but were not placed in the log, since the last occurrence of this event type.
  Example: 23
The character (-) is used for fields where no information is available for an entry.
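The following parser and summary is an added example, not part of the original Help article or of any Microsoft tool. It reads a log in the layout described above (a # header, then one space-separated entry per line in #Fields order, with - for fields that do not apply), treats - as missing, converts the numeric fields, pulls the lost-event count out of the info field of INFO-EVENTS-LOST entries, and flags dropped ICMP echo requests (type 8) and sources that were dropped on several distinct destination ports. The sample log, the field-letter-to-flag mapping in decode_tcpflags, and the two-port threshold are all constructed for the example.

```python
"""Parse an ICF security log (W3C Extended Log File Format) and summarise it."""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample log: header directives plus a few entries written in the
# layout the article documents. Not a real capture.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2001-01-27 21:36:59 DROP ICMP 192.168.0.5 192.168.0.1 - - 60 - - - - 8 0 -
2001-01-27 21:37:02 OPEN TCP 192.168.0.1 10.0.0.7 4039 80 60 S 1315819770 0 64240 - - -
2001-01-27 21:37:05 DROP TCP 192.168.0.5 192.168.0.1 4040 139 48 S 1315820000 0 64240 - - -
2001-01-27 21:37:06 DROP TCP 192.168.0.5 192.168.0.1 4041 445 48 S 1315820100 0 64240 - - -
2001-01-27 21:37:09 CLOSE TCP 192.168.0.1 10.0.0.7 4039 80 60 AFP 1315819771 5 64240 - - -
2001-01-27 21:37:10 INFO-EVENTS-LOST - - - - - - - - - - - - 23
"""

# Fields that hold whole numbers when present. "info" is left as text because
# its meaning depends on the action.
INT_FIELDS = {"src-port", "dst-port", "size", "tcpsyn", "tcpack", "tcpwin",
              "icmptype", "icmpcode"}

# Assumed letter-to-flag mapping for tcpflags (the RFC 793 control bits).
TCP_FLAG_LETTERS = {"A": "ACK", "F": "FIN", "P": "PSH", "R": "RST", "S": "SYN", "U": "URG"}

Entry = Dict[str, Optional[object]]


def parse_log(text: str) -> Tuple[Dict[str, str], List[Entry]]:
    """Return (header directives, entries). Entries are dicts keyed by #Fields names."""
    header: Dict[str, str] = {}
    field_names: List[str] = []
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            if key.strip() == "Fields":
                # Accept both "date time action" and "date, time, action".
                field_names = [f.strip(",") for f in value.split()]
            continue
        if not field_names:
            raise ValueError("log entry appears before the #Fields directive")
        tokens = line.split()
        if len(tokens) != len(field_names):
            raise ValueError(f"expected {len(field_names)} fields, got {len(tokens)}: {line}")
        entry: Entry = {}
        for name, tok in zip(field_names, tokens):
            if tok == "-":
                entry[name] = None           # field not applicable for this entry
            elif name in INT_FIELDS:
                entry[name] = int(tok)
            else:
                entry[name] = tok
        entries.append(entry)
    return header, entries


def decode_tcpflags(flags: Optional[str]) -> List[str]:
    """Expand a tcpflags value such as 'AFP' into flag names; unknown letters are kept as-is."""
    if not flags:
        return []
    return [TCP_FLAG_LETTERS.get(ch, ch) for ch in flags]


def summarize(entries: List[Entry], min_ports: int = 2) -> Dict[str, object]:
    """Count actions, drops per source, dropped ICMP echo requests and lost events."""
    actions = Counter()
    drops_by_src: Counter = Counter()
    dropped_ports: Dict[str, set] = defaultdict(set)
    echo_request_drops = 0
    events_lost = 0
    for e in entries:
        action = e["action"]
        actions[action] += 1
        if action == "INFO-EVENTS-LOST":
            # The info field carries the number of events that were not logged.
            events_lost += int(e["info"] or 0)
            continue
        if action != "DROP":
            continue
        drops_by_src[e["src-ip"]] += 1
        if e["protocol"] in ("TCP", "UDP") and e["dst-port"] is not None:
            dropped_ports[e["src-ip"]].add(e["dst-port"])
        if e["protocol"] == "ICMP" and e["icmptype"] == 8:
            echo_request_drops += 1
    # Sources dropped on at least min_ports distinct ports: a simple sweep heuristic.
    multi_port_sources = sorted(s for s, p in dropped_ports.items() if len(p) >= min_ports)
    return {
        "actions": dict(actions),
        "drops_by_src": dict(drops_by_src),
        "echo_request_drops": echo_request_drops,
        "events_lost": events_lost,
        "multi_port_sources": multi_port_sources,
    }


if __name__ == "__main__":
    hdr, ents = parse_log(SAMPLE_LOG)
    print(hdr["Software"], hdr["Version"])
    for key, value in summarize(ents).items():
        print(f"{key}: {value}")
```

A non-zero events_lost total means the log is incomplete for that period, so counts derived from it are lower bounds; the hour, minute and second are local time per the #Time directive, which matters when correlating with logs from hosts in other time zones.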