[Viewing ISA logs] ISA 2006 log field reference
by wookie on 12.01, 2008, under Security Operations
I am currently using ISA 2006 as a VPN server. When it was first deployed I expected to be able to examine the logs in detail, but the reports ISA 2006 provides are really quite sparse. Since the reports tell you very little, in the end I had to open Query Analyzer and query the database directly to do any analysis. MSDE is used as the DB engine, and when I opened it in Query Analyzer I could not tell what the field names meant, so I looked them up.
Below is a sample query I built by referring to the field values that follow. It retrieves the records whose user ID contains the string "kim".
```sql
select ClientUserName, logTime, SourceNetwork, SourceIP, SourcePort, DestinationNetwork, DestinationIP, DestinationPort, [rule], ApplicationProtocol, bytessent, bytesrecvd, GmtLogTime
from firewalllog
where clientusername like '%kim%'
```
▶ Firewall Log

| Field num | Field name | Description |
|---|---|---|
| 0 | servername | The name of the ISA Server computer. This is the computer name assigned in Microsoft Windows Server® 2003 or Windows® 2000 Server. |
| 1 | logTime | The date on which the logged event occurred. In the MSDE format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 2 | logTime | The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant Microsoft SQL Server™ databases, this time is in Coordinated Universal Time (UTC). In the MSDE format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 3 | protocol | The transport protocol used for the connection. Common values are TCP and UDP. |
| 4 | SourceIP / SourcePort | The IP address of the requesting client and the source port used. In MSDE format, there are separate SourceIP and SourcePort fields to allow individual querying. For ICMP packets, the additional field indicates the ICMP type. |
| 5 | DestinationIP / DestinationPort | The network IP address and the reserved port number on the remote computer that provides service to the current connection. The port number is used by the client application initiating the request. In MSDE format, there are separate DestinationIP and DestinationPort fields to allow individual querying. For ICMP packets, the additional field indicates the ICMP code. |
| 6 | OriginalClientIP | The original IP address of the requesting client. |
| 7 | SourceNetwork | The network from which the request originated. |
| 8 | DestinationNetwork | The network to which the request was sent. |
| 9 | Action | The action performed by the Microsoft Firewall service for the current session or connection. The possible values are defined in the FpcAction enumerated type. |
| 10 | resultcode | A Windows error code or an ISA Server error code in HRESULT format. |
| 11 | rule | The rule that either allowed or denied access to the request, as follows: if an outgoing request was allowed, this field reflects the access rule that allowed the request; if an outgoing request was denied, this field reflects the access rule that blocked the request; if an incoming request was denied, this field reflects the Web publishing or server publishing rule that denied the request; if no rule specifically allowed the outgoing or incoming request, the request is denied and in this case the field is empty. |
| 12 | ApplicationProtocol | The name of the application protocol used for the connection as defined in the collection of protocol definitions. |
| 13 | Bidirectional | A value from the FpcBidirection enumerated type that indicates whether the connection was bidirectional. |
| 14 | bytessent | The total number of bytes sent from the client to the destination host during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
| 15 | bytessentDelta | The number of bytes sent from the client to the destination host since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
| 16 | bytesrecvd | The total number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 17 | bytesrecvdDelta | The number of bytes sent from the remote computer and received by the client since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 18 | connectiontime | The total time, in milliseconds, that was needed by ISA Server to process the current connection. It measures the time elapsed from the time when the ISA Server computer first received the request to the time when final processing occurred on the ISA Server computer—when results were returned to the client and the connection was closed. |
| 19 | connectiontimeDelta | The time, in milliseconds, that has elapsed since the previous log entry for the current connection. |
| 20 | SourceProxy | Reserved for future use. |
| 21 | DestinationProxy | Reserved for future use. |
| 22 | SourceName | Reserved for future use. |
| 23 | DestinationName | The domain name for the remote computer that provides service to the current connection. |
| 24 | ClientUserName | The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by ISA Server. If ISA Server access control is not being used, ISA Server uses Anonymous. |
| 25 | ClientAgent | The name and version of the operating system that is running on the Firewall client that created the session, as indicated by the HTTP User-Agent header sent by the client's browser application. This field is not applicable to SecureNAT sessions. For the supported strings, see Web Proxy and Firewall: Client Agent Log Values. A User-Agent header that is not supported is regarded as an unknown operating system. |
| 26 | sessionid | An identifier that identifies a session's connections. For Firewall clients, each process that connects through the Microsoft Firewall service initiates a session. For SecureNAT clients, a single session is opened for all the connections that originate from the same IP address. |
| 27 | connectionid | An identifier that identifies entries belonging to the same socket. Outbound TCP usually has two entries for each connection: when the connection is established and when the connection is terminated. UDP usually has two entries for each remote address. |
| 28 | Interface | The network adapter with which the connection was established on the ISA Server computer. |
| 29 | IPHeader | The IP header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by ISA Server. |

▶ FpcAction values (Action field)

| Value | Value string | Description |
|---|---|---|
| 0 | NotLogged | - | No action was logged. |
| 1 | Bind | - | The Firewall service associated a local address with a socket. |
| 2 | Listen | - | The Firewall service placed a socket in a state in which it listens for an incoming connection. |
| 3 | GHBN | - | Get host by name request. The Firewall service retrieved host information corresponding to a host name. |
| 4 | GHBA | - | Get host by address request. The Firewall service retrieved host information corresponding to a network address. |
| 5 | RedirectBind | - | The Firewall service enabled a connection using a local address associated with a socket. |
| 6 | Establish | Initiated connection | The Firewall service established a session. |
| 7 | Terminate | Closed connection | The Firewall service terminated a session. |
| 8 | Denied | Denied connection | The action requested was denied. |
| 9 | Allowed | Allowed connection | The action requested was allowed. |
| 10 | Failed | Failed connection | The action requested failed. |
| 11 | Intermediate | - | The action was intermediate. |
| 12 | SuccessfulConnection | - | The Firewall service was successful in establishing a connection to a socket. |
| 13 | UnsuccessfulConnection | - | The Firewall service was unsuccessful in establishing a connection to a socket. |
| 14 | Disconnect | - | The Firewall service closed a connection on a socket. |
| 15 | UserClearedQuarantine | User cleared quarantine | The Firewall service cleared a quarantined virtual private network (VPN) client. |
| 16 | QuarantineTimeout | Quarantine timeout | The Firewall service disqualified a quarantined VPN client after the time-out period elapsed. |

▶ Web Proxy Log

| Field num | Field name | Description |
|---|---|---|
| 0 | ClientIP | The IP address of the requesting client. |
| 1 | ClientUserName | The user account making the request. A question mark (?) indicates that the user name was sent but the user was not authenticated by ISA Server. If ISA Server access control is not being used, ISA Server uses Anonymous. |
| 2 | ClientAgent | The name and version of the client application sent in the HTTP User-Agent header. When ISA Server is actively caching, this field is set to ISA Server. |
| 3 | ClientAuthenticate | Indicates whether the client has been authenticated with the ISA Server computer. Possible values are Y and N. |
| 4 | logTime | The date on which the logged event occurred. In the MSDE format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 5 | logTime | The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the MSDE format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 6 | service | The name of the service that is logged. For example, fwsrv indicates the Microsoft Firewall service. |
| 7 | servername | The name of the ISA Server computer. |
| 8 | referredserver | Reserved for future use. |
| 9 | DestHost | The domain name for the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was retrieved from the local cache and not from the destination. |
| 10 | DestHostIP | The network IP address of the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was sourced from the local cache and not from the destination. One exception is negative caching. In that case, this field contains a destination IP address for which a negative cached object was returned. |
| 11 | DestHostPort | The reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request. |
| 12 | processingtime | The total time, in milliseconds, that is needed by ISA Server to process the current connection. It measures the time elapsed from the time when the server first receives the request to the time when final processing occurs on the server—when results are returned to the client and the connection is closed. For cache requests that are processed through Web Proxy Filter, the processing time measures the elapsed server time needed to fully process a client request and return an object to the client. |
| 13 | bytesrecvd | The number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 14 | bytessent | The number of bytes sent from the client to the remote computer during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer. |
| 15 | protocol | The application protocol used for the connection. Common values are http for Hypertext Transfer Protocol, https for Secure HTTP, and ftp for FTP. |
| 16 | transport | The transport protocol used for the connection. Common values are TCP and UDP. |
| 17 | operation | The HTTP method used. Common values are GET, PUT, POST, and HEAD. |
| 18 | uri | The URL requested. |
| 19 | mimetype | The MIME type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined or supported by the remote computer. |
| 20 | objectsource | The type of source that was used to retrieve the current object. A table of some possible values is provided in Web Proxy: Object Source Log Values. |
| 21 | resultcode | A Windows (Win32) error code (for values less than 100), an HTTP status code (for values between 100 and 1,000), a Winsock error code (for values between 10,004 and 11,031), or an ISA Server error code. A table of some possible values is provided in Web Proxy and Firewall: Result Code Log Values. |
| 22 | CacheInfo | A number reflecting the cache status of the object, which indicates the reasons why the object was or was not cached. The number logged is the sum of the values for all the conditions that are met. A table of the possible values is provided in Web Proxy: Cache Information Log Values. |
| 23 | rule | The rule that either allowed or denied access to the request, as follows: if an outgoing request was allowed, this field indicates the access rule that allowed the request; if an outgoing request was denied by a policy rule, this field indicates the access rule that blocked the request; if an incoming request was denied by a policy rule, this field indicates the Web publishing or server publishing rule that denied the request; if ISA Server denied the connection for any reason other than a policy rule, this field contains a hyphen (-), and the Result Code field (bit 21) indicates the reason. |
| 24 | FilterInfo | Information supplied by a Web filter. For example, if HTTP Filter rejected a request, this field contains the reason for the rejection. |
| 25 | SrcNetwork | The network from which the request originated. |
| 26 | DstNetwork | The network to which the request was sent. |
| 27 | ErrorInfo | A 32-bit bitmask that provides additional information about the request that can help identify the source of the error if an error occurred. A table of the possible bit fields is provided in Web Proxy: Error Information Log Values. |
| 28 | Action | The action performed by the Microsoft Firewall Service for the current session or connection. The possible values are defined in the FpcAction enumerated type. |
| 29 | GmtLogTime | The date and time in Coordinated Universal Time (UTC) when the log entry was made (introduced in ISA Server Enterprise Edition). |
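The following is an added example, not code from the original post: it loads a few constructed firewall-log rows into an in-memory SQLite table that uses the Firewall Log field names above, runs the post's query with the user-name fragment bound as a parameter instead of pasted into the SQL text, and then decodes the numeric Action field with the FpcAction values from the table to count denied connections per user and source. SQLite stands in for MSDE so the example runs offline (against the real server you would use Query Analyzer or an ODBC connection); the rows, user names and addresses are all constructed sample data, and the ORDER BY is an addition for deterministic output.

```python
"""Added example (not from the original post): query constructed ISA 2006
firewall-log rows and decode the Action field with the FpcAction values.
SQLite is used as a stand-in for the MSDE database; all rows are constructed."""
import sqlite3
from collections import Counter

# FpcAction values, copied from the table above (code -> value string).
FPC_ACTION = {
    0: "NotLogged", 1: "Bind", 2: "Listen", 3: "GHBN", 4: "GHBA",
    5: "RedirectBind", 6: "Establish", 7: "Terminate", 8: "Denied",
    9: "Allowed", 10: "Failed", 11: "Intermediate",
    12: "SuccessfulConnection", 13: "UnsuccessfulConnection",
    14: "Disconnect", 15: "UserClearedQuarantine", 16: "QuarantineTimeout",
}

# Constructed sample rows (not real log data), in column order:
# ClientUserName, logTime, SourceNetwork, SourceIP, SourcePort,
# DestinationNetwork, DestinationIP, DestinationPort, rule,
# ApplicationProtocol, bytessent, bytesrecvd, Action, GmtLogTime
SAMPLE_ROWS = [
    ("CORP\\kim.js", "2008-12-01 09:00:01", "VPN Clients", "10.8.0.5", 50123,
     "Internal", "192.168.1.10", 3389, "Allow RDP for VPN", "RDP",
     4096, 65536, 9, "2008-12-01 00:00:01"),
    ("CORP\\kim.js", "2008-12-01 09:05:12", "VPN Clients", "10.8.0.5", 50140,
     "Internal", "192.168.1.20", 445, "", "Microsoft CIFS (TCP)",
     0, 0, 8, "2008-12-01 00:05:12"),
    ("CORP\\park.mh", "2008-12-01 09:06:00", "VPN Clients", "10.8.0.7", 50200,
     "Internal", "192.168.1.20", 445, "", "Microsoft CIFS (TCP)",
     0, 0, 8, "2008-12-01 00:06:00"),
    ("CORP\\kimberly", "2008-12-01 09:07:30", "VPN Clients", "10.8.0.9", 50310,
     "External", "203.0.113.5", 80, "Allow Web", "HTTP",
     1200, 9800, 9, "2008-12-01 00:07:30"),
]


def load_sample_log():
    """Create the firewalllog table in memory and insert the constructed rows.
    [rule] is bracket-quoted because rule is a reserved word in SQL Server;
    SQLite accepts the same bracket syntax."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE firewalllog (
            ClientUserName TEXT, logTime TEXT, SourceNetwork TEXT,
            SourceIP TEXT, SourcePort INTEGER, DestinationNetwork TEXT,
            DestinationIP TEXT, DestinationPort INTEGER, [rule] TEXT,
            ApplicationProtocol TEXT, bytessent INTEGER, bytesrecvd INTEGER,
            Action INTEGER, GmtLogTime TEXT)""")
    conn.executemany("INSERT INTO firewalllog VALUES (%s)" % ",".join("?" * 14),
                     SAMPLE_ROWS)
    return conn


def connections_for_user(conn, fragment):
    """The post's query, with the LIKE pattern bound as a parameter so the
    fragment is data and is never parsed as part of the SQL text."""
    sql = """SELECT ClientUserName, logTime, SourceNetwork, SourceIP, SourcePort,
                    DestinationNetwork, DestinationIP, DestinationPort, [rule],
                    ApplicationProtocol, bytessent, bytesrecvd, GmtLogTime
             FROM firewalllog WHERE clientusername LIKE ?
             ORDER BY logTime"""
    return conn.execute(sql, ("%" + fragment + "%",)).fetchall()


def denied_by_source(conn):
    """Count Action = 8 (Denied) entries per (user, source IP, destination
    port): a quick view of what VPN users attempt that policy does not allow."""
    sql = """SELECT ClientUserName, SourceIP, DestinationPort, COUNT(*)
             FROM firewalllog WHERE Action = ?
             GROUP BY ClientUserName, SourceIP, DestinationPort"""
    return {(u, ip, port): n for u, ip, port, n in conn.execute(sql, (8,))}


def action_histogram(conn):
    """Decode the numeric Action field into its FpcAction value string."""
    return Counter(FPC_ACTION.get(code, "Unknown(%d)" % code)
                   for (code,) in conn.execute("SELECT Action FROM firewalllog"))


if __name__ == "__main__":
    db = load_sample_log()
    for row in connections_for_user(db, "kim"):
        print(row)
    print(denied_by_source(db))
    print(action_histogram(db))
```

Binding the pattern matters once the fragment comes from anywhere other than your own keyboard (a web form in front of the log database, for instance); the denied-connection summary is the first thing worth looking at on a VPN gateway, since a burst of Action = 8 rows from one source against a port like 445 stands out immediately.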