Firewall and Web Proxy log fields
You can use the Microsoft Internet Security and Acceleration (ISA) Server log to monitor and analyze the status of the Firewall and Web Proxy services.

The table below lists the fields that you can include in each of the ISA Server log files. For configuration instructions, see Specify fields to log. The field name noted in parentheses is relevant when you use the World Wide Web Consortium (W3C) extended log file format.

Some fields are relevant to either the Web Proxy service or the Firewall service, but not both. In that case, the table indicates which service the field applies to. In ISA Server log format, a field that does not apply to the service appears in the log as a hyphen (-). In W3C log file format, such a field does not appear at all.

Field position Descriptive name (field name) Description 
1 Client IP 
(c-ip) The Internet Protocol (IP) address of the requesting client. 
2 Client user name 
(cs-username) Account of the user making the request. If ISA Server Access Control is not being used, ISA Server uses anonymous. 
3 Client agent 
(c-agent) The client application type sent by the client in the Hypertext Transfer Protocol (HTTP) header. When ISA Server is actively caching, the client agent is ISA Server.
For Firewall service, this field includes information about the client's operating system. See the Operating system values table below for possible values.
4 Authentication status 
(sc-authenticated) Indicates whether or not the client has been authenticated with ISA Server. Possible values are Y and N.
5 Date 
(date) The date that the logged event occurred. 
6 Time 
(time) The time that the logged event occurred. In W3C format, this is in Greenwich Mean Time.
7 Service name 
(s-svcname) The name of the service that is logged. 
w3proxy indicates outgoing Web requests to the Web Proxy service. 
fwsrv indicates Firewall service. 
w3reverseproxy indicates incoming Web requests to the Web Proxy service. 
 
8 Proxy name 
(s-computername) The name of the computer running ISA Server. This is the computer name that is assigned in Windows 2000. 
9 Referring server name 
(cs-referred) If ISA Server is used upstream in a chained configuration, this indicates the server name of the downstream server that sent the request. 
10 Destination name 
(r-host) The domain name for the remote computer that provides service to the current connection. For the Web Proxy service, a hyphen (-) in this field may indicate that an object was retrieved from the Web Proxy server cache and not from the destination. 
11 Destination IP 
(r-ip) The network IP address for the remote computer that provides service to the current connection. For the Web Proxy service, a hyphen (-) in this field may indicate that an object was sourced from the Web Proxy server cache and not from the destination. One exception is negative caching. In that case, this field indicates a destination IP address for which a negative-cached object was returned. 
12 Destination port 
(r-port) The reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request. 
13 Processing time 
(time-taken) This indicates the total time, in milliseconds, that is needed by ISA Server to process the current connection. It measures elapsed server time from the time that the server first received the request to the time when final processing occurred on the server—when results were returned to the client and the connection was closed. 
For cache requests that were processed through the Web Proxy service, processing time measures the elapsed server time needed to fully process a client request and return an object from the server cache to the client.
 
14 Bytes sent 
(cs-bytes) The number of bytes sent from the internal client to the external server during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer. 
15 Bytes received 
(sc-bytes) The number of bytes sent from the external computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the external computer. 
16 Protocol name 
(cs-protocol) Specifies the application protocol used for the connection. Common values are HTTP, File Transfer Protocol (FTP), Gopher, and Secure Hypertext Transfer Protocol (HTTPS).
For Firewall service, the port number is also logged. 
17 Transport 
(cs-transport) Specifies the transport protocol used for the connection. Common values are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). 
18 Operation 
(s-operation) Specifies the application method used. For Web Proxy, common values are GET, PUT, POST, and HEAD.
For Firewall service, common values are CONNECT, BIND, SEND, RECEIVE, GHBN (GetHostByName), and GHBA (GetHostByAddress). 
19 Object name 
(cs-uri) For the Web Proxy service, this field shows the contents of the URL request. This field applies only to the Web Proxy service log. 
20 Object MIME 
(cs-mime-type) The Multipurpose Internet Mail Extensions (MIME) type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined or supported by the remote computer. This field applies only to the Web Proxy service log. 
21 Object source 
(s-object-source) Indicates the source that was used to retrieve the current object. This field applies only to the Web Proxy service log. See the Object source values table below for some possible values.
22 Result code 
(sc-status) This field can be used to indicate:
For values less than 100, a Windows (Win32) error code
For values between 100 and 1,000, an HTTP status code
For values between 10,000 and 11,004, a Winsock error code
See the Result code values table below for some possible values.
23 Cache info 
(s-cache-info) This number reflects the cache status of the object, which indicates why the object was or was not cached. This field applies only to the Web Proxy service log. See the Cache info values table below for some possible values.
24 Rule #1 
(rule#1) This reflects the rule that either allowed or denied access to the request, as follows: 
If an outgoing request is allowed, this field reflects the protocol rule that allowed the request. 
If an outgoing request is denied by a protocol rule, this field reflects the protocol rule. 
If an outgoing request is denied by a site and content rule, this field reflects the protocol rule that would have allowed the request. 
If an incoming request was denied, this field reflects the Web publishing or server publishing rule that denied the request. 
If no rule specifically allowed the outgoing or incoming request, the request is denied. In this case, the field is empty. 
 
25 Rule #2 
(rule#2) This reflects the second rule that either allowed or denied access to the request. 
If an outgoing request is allowed, this field reflects the site and content rule that allowed the request. 
If an outgoing request is denied by a site and content rule, this field reflects the site and content rule that denied the request. 
If no rule specifically allowed the outgoing or incoming request, the request is denied. In this case, the field is empty. 
 
26 Session ID 
(sessionid) This identifies a session's connections. For Firewall clients, each process that connects through the Firewall service initiates a session. For secure network address translation (SecureNAT) clients, a single session is opened for all the connections that originate from the same IP address. This field is not included in the Web Proxy service log. This field applies only to the Firewall service log. 
27 Connection ID 
(connectionid) This identifies entries that belong to the same socket. Outbound TCP usually has two entries for each connection: when the connection is established and when the connection is terminated. UDP usually has two entries for each remote address. This field is not included in the Web Proxy service log. This field applies only to the Firewall service log. 

Object source values
Source values Description 
0 No source information is available. 
Cache Source is the cache. Object returned from cache. 
Inet Source is the Internet. Object added to cache. 
Member Returned from another array member. 
NotModified Source is the cache. Client performed an If-Modified-Since request and object had not been modified. 
NVCache Source is the cache. Object could not be verified to source. 
Upstream Object returned from an upstream proxy cache. 
Vcache Source is the cache. Object was verified to source and had not been modified. 
VFInet Source is the Internet. Cached object was verified to source and had been modified. 


Result code values
Value Description 
200 OK - Successful connection 
201 Created 
202 Accepted 
204 No content 
301 Moved permanently 
302 Moved temporarily 
304 Not modified 
400 Bad request 
401 Unauthorized 
403 Forbidden 
404 Not found 
500 Internal server error 
501 Not implemented 
502 Bad gateway 
503 Service unavailable 
10060 Connection timed out 
10061 Connection refused by destination 
10065 Host unreachable 
11001 Host not found 


Cache info values
Value Description 
0x00000001 Request should not be served from the cache 
0x00000002 Request includes the IF-MODIFIED-SINCE header 
0x00000004 Request includes one of these headers: CACHE-CONTROL:NO-CACHE or PRAGMA:NO-CACHE 
0x00000008 Request includes the AUTHORIZATION header 
0x00000010 Request includes the VIA header 
0x00000020 Request includes the IF-MATCH header 
0x00000040 Request includes the RANGE header 
0x00000080 Request includes the CACHE-CONTROL: NO-STORE header 
0x00000100 Request includes the CACHE-CONTROL: MAX-AGE, or CACHE-CONTROL: MAX-STALE or CACHE-CONTROL: MIN-FRESH header 
0x00000200 Cache could not be updated. 
0x00000400 IF-MODIFIED-SINCE time specified in the request is newer than cached LASTMODIFIED time 
0x00000800 Request includes the CACHE-CONTROL: ONLY-IF-CACHED header 
0x00001000 Request includes the IF-NONE-MATCH header 
0x00002000 Request includes the IF-UNMODIFIED-SINCE header 
0x00004000 Request includes the IF-RANGE header 
0x00008000 More than one VARY header 
0x00010000 Response includes the CACHE-CONTROL: PUBLIC header 
0x00020000 Response includes the CACHE-CONTROL: PRIVATE header 
0x00040000 Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header
0x00080000 Response includes the CACHE-CONTROL: NO-STORE header
0x00100000 Response includes either the CACHE-CONTROL: MUST-REVALIDATE or CACHE-CONTROL: PROXY-REVALIDATE header 
0x00200000 Response includes the CACHE-CONTROL: MAX-AGE or S-MAXAGE header 
0x00400000 Response includes the VARY header 
0x00800000 Response includes the LAST-MODIFIED header 
0x01000000 Response includes the EXPIRES header 
0x02000000 Response includes the SET-COOKIE header 
0x04000000 Response includes the WWW-AUTHENTICATE header 
0x08000000 Response includes the VIA header 
0x10000000 Response includes the AGE header 
0x20000000 Response includes the TRANSFER-ENCODING header 
0x40000000 Response should not be cached. 
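
Added example (not part of the ISA Server help text): Python code that reads a W3C-format Web Proxy log by its #Fields directive, because fields that do not apply to a service are absent in that format, then classifies sc-status by the ranges given for the Result code field and decodes s-cache-info against a subset of the flags above. The sample records are constructed; tab-separated records and hex-written cache info values are assumptions.

```python
# Added example, not from the ISA Server help. SAMPLE is constructed; tab-separated
# records and hex-formatted s-cache-info values are assumptions.
CACHE_FLAGS = {  # subset of the Cache info values table
    0x00000008: "request includes AUTHORIZATION",
    0x00080000: "response includes CACHE-CONTROL: NO-STORE",
    0x02000000: "response includes SET-COOKIE",
    0x04000000: "response includes WWW-AUTHENTICATE",
    0x40000000: "response should not be cached",
}

def classify_status(raw):
    """Map sc-status to the code family given for the Result code field."""
    if raw in ("", "-"):
        return "not logged"
    code = int(raw)
    if code < 100:
        return "win32"
    if code <= 1000:
        return "http"
    if 10000 <= code <= 11004:
        return "winsock"
    return "unknown"

def decode_cache_info(raw):
    """Return (descriptions of known set bits, remaining bits as an int)."""
    if raw in ("", "-"):
        return [], 0
    value = int(raw, 0)  # base 0 accepts both 0x... and plain decimal
    names = [name for bit, name in CACHE_FLAGS.items() if value & bit]
    return names, value & ~sum(CACHE_FLAGS)

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

SAMPLE = (
    "#Fields: c-ip cs-username r-host sc-status s-cache-info\n"
    "10.0.0.5\tanonymous\twww.example.com\t200\t0x02000008\n"
    "10.0.0.6\tanonymous\twww.example.com\t10060\t0x40000010\n"
    "10.0.0.7\tanonymous\t-\t5\t-\n"
)

for rec in parse_w3c(SAMPLE):
    print(rec["c-ip"], classify_status(rec["sc-status"]), decode_cache_info(rec["s-cache-info"]))
```

Bits that are set but not listed in CACHE_FLAGS come back as the second element of the tuple, so flags outside the subset are still visible to the analyst.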


Operating system values
Value Description 
0:3.95 Windows 95 (16-bit) 
2:4.10 Windows 98 (32-bit) 
2:4.0 Windows 95 (32-bit) 
3:4.0 Windows NT 4.0 
3:5.0 Windows 2000

