Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
A Description of the Various Log Files and Fields
Article ID: 284818 - View products that this article applies to.
This article was previously published under Q284818
This article describes the various log files and fields. This information is a supplement to the Internet Security and Acceleration (ISA) Server product documentation.
Packet Filters LogThe ISA Server packet filter log contains entries about the packets that had been handled by the ISA Server packet filter. By default, only "dropped" packets are logged. If an administrator wants to log all of the packets that are dropped and enabled by the firewall, the administrator can enable that option in the IP packet filters dialog box:
Log Event Dispositions
ISA Server Firewall Service LogThere are two fields: Bytes that are sent (cs-bytes) and the bytes that are received (sc-bytes). These two fields provide valuable information about the connection, for example, the actual amount of data and the direction of data that has been either sent or received. These fields indicate the data size for the individual loggings. For the outbound User Datagram Protocol (UDP) traffic, the last log entry summarizes the traffic on the connection.
Operation Field (s-operation)The following operations may be displayed in the firewall log operation field:
"Connect" - Transmission Control Protocol (TCP) connection request (outgoing)
"Bind" - Internal firewall service operation (port bind request)
"Listen" - Internal firewall service operation (listen on specific port)
"Accept" - TCP connection request (incoming)
"UdpMap" - A UDP mapping has been created
"GHBN" - Get host by name request
"GHBA" - Get host by address request
Result Code (sc-status)The following additional result codes that relate to the logged event may be displayed. Other values may seem to indicate a Web request status result or a communications error code. Refer to the ISA Server product documentation for a list of other possible values.
"0" - Operation had been successful
"13301" - Request denied by the firewall policy
"20000" - Connection terminated normally
"20001" - Connection terminated abnormally
"20002" - Malformed request packet
Other result codes (sc-status):
http://msdn2.microsoft.com/en-us/library/ms694351.aspxFor information about Winsock error code definitions, visit the following Microsoft Web site:
Rule#1 and Rule#2 FieldsThese two fields specify the rule that either accepted or denied the request. If a rule is not mentioned for a denied request, an implicit denial occurred (for the default behavior, if a rule does not enable certain traffic, the request is rejected). Refer to the ISA Server product documentation for a complete explanation of those fields.
Analyzing TCP TrafficIn the case of TCP traffic, the firewall log can indicate a "connect" operation (outbound access) or an "accept" operation (inbound access). The status field indicates whether this operation had been successful, had been rejected, or had resulted in an error. The other various fields indicate the Internet Protocol (IP) addresses of the client and server, the ports involved, and the rules that applied to the traffic.
Analyzing UDP trafficIn the case of UDP traffic, the firewall log can display both the "bind" and the "udpMap" operations. These operations indicate that a mapping had been requested for that UDP traffic. (A UDP mapping is a virtual association of the datagram traffic. There is no actual connection in the case of UDP traffic).
The connection and session identification (ID) fields can help to distinguish between overlapping (interleaving) operations, if such operations exist. A single session ID can represent the traffic that has been sent on a virtual connection. Session IDs represent firewall client connections (the same ID equals [=] the same process). Or, in the case of secure network address translation (SecureNAT) clients, the same ID equals (=) the same client IP. Connection IDs represent "remote sockets." Same-connection ID means same-connection TCP or the same local port for UDP. As always, the status field has to be checked to verify if the operation had been enabled, rejected, or resulted in an error. As previously mentioned, the "bytes sent" and the "bytes received" fields indicate the amount and the direction of data that had been either sent or received during the connection.
To distinguish between the success and the failure of a UDP request, and the bytes sent in the transaction (if any), the relevant fields must be checked:
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/283213/EN-US/ )Blocking and Logging Traffic on ISA Server Internal Interfaces