Internet Connection Firewall security log file overview

The Internet Connection Firewall (ICF) security log allows advanced users to choose which information to log. With ICF security logging you can:

Log dropped packets. This will log all dropped packets that originate from either the home or small office network or the Internet.

Log successful connections. This will log all successful connections that originate from either the home or small office network or the Internet.

When you select the Log dropped packets check box, information is collected about each attempt by traffic to travel across the firewall that is detected and denied by ICF. For example, if your Internet Control Message Protocol (ICMP) settings are not set to allow incoming echo requests, such as those sent by the Ping and Tracert commands, and an echo request from outside your network is received, the echo request is dropped and an entry is made in the log.

When you select the Log successful outbound connections check box, information is collected about each successful connection that travels across the firewall. For example, when anyone on your network successfully connects to a Web site using Internet Explorer, an entry is produced in the log.

The security log is produced using the W3C Extended Log File Format, a format similar to the format that is used in common log analysis tools. For information about how to view an ICF security log, see View the security log. To save the firewall log using your choice of name and location, see Change the path and file name of the security log.

The Internet Connection Firewall security log has two sections:

The header provides information about the version of the security log and the fields that are available for data entry. The header information is presented as a static list.

The body of the security log is the compiled data that is entered as a result of traffic attempting to cross the firewall. The fields in the security log are entered from left to right across the page. The body of the security log is a dynamic list; new data entries are appended at the bottom of the log. One or both of the logging options must be selected in order for data to be entered into the security log. See Enable security log options.

ICF security logging is not enabled by default.

The following tables define the information that is kept in the security log:

Header information

Item       | Description                                                                                         | Example
#Version:  | Displays which edition of the Internet Connection Firewall security log is installed.               | 1.0
#Software: | Provides the name of the security log.                                                              | Microsoft Internet Connection Firewall
#Time:     | Indicates that all of the timestamps in the log are in local time.                                  | Local
#Fields:   | Displays a static list of fields that are available for security log entries, if data is available. | date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, and info


Body data

Fields   | Description | Example
date     | Specifies the year, month, and day on which the recorded transaction occurred. Dates are recorded in the format YY-MM-DD, where YY is the year, MM is the month, and DD is the day. | 2001-01-27
time     | Specifies the hour, minute, and second at which the recorded transaction occurred. Times are recorded in the format HH:MM:SS, where HH is the hour in 24-hour format, MM is minutes, and SS is seconds. | 21:36:59
action   | Specifies which operation was observed by the firewall. The options available to the firewall are OPEN, CLOSE, DROP, and INFO-EVENTS-LOST. An INFO-EVENTS-LOST action indicates the number of events that happened but were not placed in the log. | OPEN, CLOSE, DROP, INFO-EVENTS-LOST
protocol | Specifies which protocol was used for the communication. A protocol entry can also be a number for packets that are not TCP, UDP, or ICMP. | TCP, UDP, ICMP
src-ip   | Specifies the source IP address (the IP address of the computer attempting to establish communications). The source IP is recorded in the format (number).(number).(number).(number). | 192.168.0.1
dst-ip   | Specifies the destination IP address (the IP address of the destination of a communication attempt). The destination IP is recorded in the format (number).(number).(number).(number). | 192.168.0.1
src-port | Specifies the source port number of the sending computer. A src-port entry is recorded in the form of a whole number, ranging from 1 to 65,535. Only TCP and UDP will return a valid src-port entry. All other protocols are invalid for src-port, and will result in an entry of -. | 4039
dst-port | Specifies the port of the destination computer. A dst-port entry is recorded in the form of a whole number, ranging from 1 to 65,535. Only TCP and UDP will return a valid dst-port entry. All other protocols are invalid for dst-port, and will result in an entry of -. | 53
size     | Specifies the packet size in bytes. | 60
tcpflags | Specifies the TCP control flags found in the TCP header of an IP packet: Ack (Acknowledgment field significant), Fin (No more data from sender), Psh (Push function), Rst (Reset the connection), Syn (Synchronize sequence numbers), Urg (Urgent Pointer field significant). Flags are written as uppercase letters. The entry information for tcpflags is provided for users with an in-depth knowledge of Transmission Control Protocol (TCP). Additional information about TCP can be found in RFC 793. | AFP
tcpsyn   | Specifies the TCP sequence number in the packet. The entry information for tcpsyn is provided for users with an in-depth knowledge of TCP. | 1315819770
tcpack   | Specifies the TCP acknowledgement number in the packet. The entry information for tcpack is provided for users with an in-depth knowledge of TCP. | 0
tcpwin   | Specifies the TCP window size in bytes in the packet. The entry information for tcpwin is provided for users with an in-depth knowledge of TCP. | 64240
icmptype | Specifies a number that represents the Type field of the ICMP message. | 8
icmpcode | Specifies a number that represents the Code field of the ICMP message. | 0
info     | Specifies an information entry that depends on the type of action that occurred. For example, an INFO-EVENTS-LOST action will cause an entry of the number of events that happened, but were not placed in the log, since the last occurrence of this event type. | 23

The character (-) is used for fields where no information is available for an entry.
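The field layout above is enough to write a small parser for the log. The following Python script is an added example and is not part of the original documentation or of Windows; it parses the header directives and the body rows, maps the - placeholder to None, converts the numeric fields to integers, and then summarizes dropped traffic by source address and target (port, or ICMP type and code) and totals the events reported by INFO-EVENTS-LOST rows. It assumes the W3C Extended Log File Format convention that the #Fields: list and the body rows are space-delimited; the sample log embedded in the script is constructed for illustration, not captured data.

```python
"""Parse an Internet Connection Firewall (ICF) security log and summarize dropped traffic.

Added example, not part of the original Microsoft documentation. Assumes the W3C
Extended Log File Format convention that the "#Fields:" header and the body rows are
space-delimited, and that "-" marks a field with no value (as the page states).
"""
from collections import Counter

# Constructed sample log: header directives followed by body rows. Values are
# illustrative (documentation-style example addresses), not captured traffic.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2001-01-27 21:36:59 OPEN TCP 192.168.0.1 192.168.0.2 4039 53 60 AFP 1315819770 0 64240 - - -
2001-01-27 21:37:02 DROP ICMP 203.0.113.7 192.168.0.1 - - 60 - - - - 8 0 -
2001-01-27 21:37:03 DROP ICMP 203.0.113.7 192.168.0.1 - - 60 - - - - 8 0 -
2001-01-27 21:37:10 DROP TCP 203.0.113.7 192.168.0.1 51234 445 48 S 892211745 0 16384 - - -
2001-01-27 21:37:11 DROP UDP 198.51.100.20 192.168.0.1 1024 137 78 - - - - - - -
2001-01-27 21:38:00 INFO-EVENTS-LOST - - - - - - - - - - - - 23
2001-01-27 21:38:05 CLOSE TCP 192.168.0.1 192.168.0.2 4039 53 60 AFP 1315819771 0 64240 - - -
"""

# Fields the page documents as whole numbers. "info" is numeric only for
# INFO-EVENTS-LOST rows, so it is converted separately.
NUMERIC_FIELDS = {"src-port", "dst-port", "size", "tcpsyn", "tcpack",
                  "tcpwin", "icmptype", "icmpcode"}


def parse_icf_log(text):
    """Return (header, entries).

    header maps directive names (Version, Software, Time, Fields) to their values.
    entries is a list of dicts keyed by the #Fields names; "-" becomes None and
    documented numeric fields become int. Raises ValueError on a malformed row.
    """
    header = {}
    fields = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            value = value.strip()
            header[name] = value
            if name == "Fields":
                fields = value.split()
            continue
        if fields is None:
            raise ValueError("body row encountered before the #Fields header")
        cols = line.split()
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {line}")
        entry = {}
        for name, value in zip(fields, cols):
            if value == "-":
                entry[name] = None
            elif name in NUMERIC_FIELDS or (name == "info" and value.isdigit()):
                entry[name] = int(value)
            else:
                entry[name] = value
        entries.append(entry)
    return header, entries


def summarize_drops(entries):
    """Count DROP rows per (src-ip, target). TCP/UDP targets are protocol/dst-port;
    ICMP rows carry no port, so the target is the ICMP type and code instead."""
    counts = Counter()
    for e in entries:
        if e["action"] != "DROP":
            continue
        if e["protocol"] == "ICMP":
            target = f"icmp type {e['icmptype']}/{e['icmpcode']}"
        else:
            target = f"{e['protocol']}/{e['dst-port']}"
        counts[(e["src-ip"], target)] += 1
    return counts


def events_lost(entries):
    """Total of the info counts on INFO-EVENTS-LOST rows: events the firewall
    observed but did not write to the log, a gap any log review should note."""
    return sum(e["info"] or 0 for e in entries if e["action"] == "INFO-EVENTS-LOST")


if __name__ == "__main__":
    header, entries = parse_icf_log(SAMPLE_LOG)
    print(f"{header['Software']} log, version {header['Version']}, times are {header['Time']}")
    for (src, target), n in summarize_drops(entries).most_common():
        print(f"{n:3d} dropped from {src} -> {target}")
    print("events observed but not logged:", events_lost(entries))
```

Running the script on the constructed sample reports two dropped echo requests (ICMP type 8, code 0) and one dropped TCP and one dropped UDP packet from the outside addresses, and 23 events that the firewall counted but could not log. Because the parser is driven by the #Fields: header rather than hard-coded column positions, it keeps working if a future log version lists the fields in a different order.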

Note

You can obtain RFCs from the RFC Editor Web site. This Web site is currently maintained by members of the Information Sciences Institute (ISI) who publish a classified listing of all RFCs. RFCs are classified as one of the following: approved Internet standards, proposed Internet standards (circulated in draft form for review), Internet best practices, or For Your Information (FYI) documents.

Internet Connection Sharing, Internet Connection Firewall, Discovery and Control, and Network Bridge are not available on Windows XP 64-Bit Edition. 

Home and small office networking components overview

Internet Connection Firewall overview

Enable security logging options
