Wookie's Security Story

Archive for December 2008

[Viewing ISA logs] ISA 2006 log fields summarized

by wookie on 12.01, 2008, under Security Operations

I'm currently using ISA 2006 as a VPN server. When we first deployed it I expected to be able to look at the logs in detail, but the ISA 2006 reports are really thin. There is very little you can learn from the reports, so in the end I had to use Query Analyzer to query the DB directly and analyze it myself. MSDE is used as the DB engine, and when I opened it in Query Analyzer I couldn't tell what the field names meant, so I looked them up.

Here is a sample query I wrote using the field definitions below. It looks up records whose user ID contains the string "kim".

select
ClientUserName, logTime, SourceNetwork, SourceIP, SourcePort,
DestinationNetwork, DestinationIP, DestinationPort, [rule],
ApplicationProtocol, bytessent, bytesrecvd, GmtLogTime
from firewalllog
where clientusername like '%kim%'

Source: http://technet.microsoft.com/en-us/library/bb838824.aspx

▶ Firewall Log Fields

num | Field name | Description
0 | servername | The name of the ISA Server computer. This is the computer name assigned in Microsoft Windows Server® 2003 or Windows® 2000 Server.
1 | logTime | The date on which the logged event occurred. In the MSDE format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set.
2 | logTime | The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant Microsoft SQL Server™ databases, this time is in Coordinated Universal Time (UTC). In the MSDE format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set.
3 | protocol | The transport protocol used for the connection. Common values are TCP and UDP.
4 | SourceIP, SourcePort | The IP address of the requesting client and the source port used. In MSDE format, there are separate SourceIP and SourcePort fields to allow individual querying. For ICMP packets, the additional field indicates the ICMP type.
5 | DestinationIP, DestinationPort | The network IP address and the reserved port number on the remote computer that provides service to the current connection. The port number is used by the client application initiating the request. In MSDE format, there are separate DestinationIP and DestinationPort fields to allow individual querying. For ICMP packets, the additional field indicates the ICMP code.
6 | OriginalClientIP | The original IP address of the requesting client.
7 | SourceNetwork | The network from which the request originated.
8 | DestinationNetwork | The network to which the request was sent.
9 | Action | The action performed by the Microsoft Firewall service for the current session or connection. The possible values are defined in the FpcAction enumerated type.
10 | resultcode | A Windows error code or an ISA Server error code in HRESULT format.
11 | rule | The rule that either allowed or denied access to the request: if an outgoing request was allowed, the access rule that allowed it; if an outgoing request was denied, the access rule that blocked it; if an incoming request was denied, the Web publishing or server publishing rule that denied it. If no rule specifically allowed the outgoing or incoming request, the request is denied and this field is empty.
12 | ApplicationProtocol | The name of the application protocol used for the connection as defined in the collection of protocol definitions.
13 | Bidirectional | A value from the FpcBidirection enumerated type that indicates whether the connection was bidirectional.
14 | bytessent | The total number of bytes sent from the client to the destination host during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host.
15 | bytessentDelta | The number of bytes sent from the client to the destination host since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host.
16 | bytesrecvd | The total number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer.
17 | bytesrecvdDelta | The number of bytes sent from the remote computer and received by the client since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer.
18 | connectiontime | The total time, in milliseconds, that was needed by ISA Server to process the current connection. It measures the time elapsed from when the ISA Server computer first received the request to when final processing occurred on the ISA Server computer, that is, when results were returned to the client and the connection was closed.
19 | connectiontimeDelta | The time, in milliseconds, that has elapsed since the previous log entry for the current connection.
20 | SourceProxy | Reserved for future use.
21 | DestinationProxy | Reserved for future use.
22 | SourceName | Reserved for future use.
23 | DestinationName | The domain name for the remote computer that provides service to the current connection.
24 | ClientUserName | The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by ISA Server. If ISA Server access control is not being used, ISA Server uses Anonymous.
25 | ClientAgent | The name and version of the operating system that is running on the Firewall client that created the session, as indicated by the HTTP User-Agent header sent by the client's browser application. This field is not applicable to SecureNAT sessions. For the supported strings, see Web Proxy and Firewall: Client Agent Log Values. A User-Agent header that is not supported is regarded as an unknown operating system.
26 | sessionid | An identifier that identifies a session's connections. For Firewall clients, each process that connects through the Microsoft Firewall service initiates a session. For SecureNAT clients, a single session is opened for all the connections that originate from the same IP address.
27 | connectionid | An identifier that identifies entries belonging to the same socket. Outbound TCP usually has two entries for each connection: when the connection is established and when the connection is terminated. UDP usually has two entries for each remote address.
28 | Interface | The network adapter with which the connection was established on the ISA Server computer.
29 | IPHeader | The IP header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by ISA Server.


▶ Firewall Action Log Values

Value | Name | String | Description
0 | NotLogged | - | No action was logged.
1 | Bind | - | The Firewall service associated a local address with a socket.
2 | Listen | - | The Firewall service placed a socket in a state in which it listens for an incoming connection.
3 | GHBN | - | Get host by name request. The Firewall service retrieved host information corresponding to a host name.
4 | GHBA | - | Get host by address request. The Firewall service retrieved host information corresponding to a network address.
5 | RedirectBind | - | The Firewall service enabled a connection using a local address associated with a socket.
6 | Establish | Initiated connection | The Firewall service established a session.
7 | Terminate | Closed connection | The Firewall service terminated a session.
8 | Denied | Denied connection | The action requested was denied.
9 | Allowed | Allowed connection | The action requested was allowed.
10 | Failed | Failed connection | The action requested failed.
11 | Intermediate | - | The action was intermediate.
12 | SuccessfulConnection | - | The Firewall service was successful in establishing a connection to a socket.
13 | UnsuccessfulConnection | - | The Firewall service was unsuccessful in establishing a connection to a socket.
14 | Disconnect | - | The Firewall service closed a connection on a socket.
15 | UserClearedQuarantine | User cleared quarantine | The Firewall service cleared a quarantined virtual private network (VPN) client.
16 | QuarantineTimeout | Quarantine timeout | The Firewall service disqualified a quarantined VPN client after the time-out period elapsed.
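The post's own query filters on a user name; the next step most people want is to turn the numeric Action column into the names from the FpcAction table above and summarize what was denied. The following T-SQL is an added example (not from the original post or from Microsoft's documentation). It assumes the MSDE table FirewallLog with the column names from the Firewall Log Fields table (the post queries it as firewalllog); the database name is a placeholder for the per-day log database that ISA creates, and the Action codes and the "?" suffix on unauthenticated user names are taken from the tables above.

```sql
-- Added example; not the post's or Microsoft's own query.
-- Assumption: the per-day MSDE database name below is a placeholder.
USE [ISALOG_YYYYMMDD_FWS_000];

-- Denied connections from the last 24 hours, grouped by user and destination.
-- Action values follow the FpcAction table (8 = Denied, 9 = Allowed, ...).
SELECT TOP 50
    ClientUserName,
    CASE
        WHEN RIGHT(ClientUserName, 1) = '?' THEN 'unauthenticated'   -- user name sent, not authenticated
        WHEN ClientUserName = 'Anonymous'   THEN 'anonymous'         -- access control not in use
        ELSE 'authenticated'
    END AS AuthState,
    SourceIP,
    DestinationIP,
    DestinationPort,
    ApplicationProtocol,
    CASE Action
        WHEN 6  THEN 'Establish'
        WHEN 7  THEN 'Terminate'
        WHEN 8  THEN 'Denied'
        WHEN 9  THEN 'Allowed'
        WHEN 10 THEN 'Failed'
        ELSE 'Other (' + CAST(Action AS varchar(4)) + ')'
    END AS ActionName,
    [rule],                                -- empty when no rule matched (implicit deny)
    COUNT(*)     AS Hits,
    MIN(logTime) AS FirstSeen,
    MAX(logTime) AS LastSeen
FROM FirewallLog
WHERE Action = 8                           -- FpcAction Denied
  AND logTime >= DATEADD(hour, -24, GETDATE())
GROUP BY ClientUserName, SourceIP, DestinationIP, DestinationPort,
         ApplicationProtocol, Action, [rule]
ORDER BY Hits DESC;
```

Rows whose rule column is empty are the interesting ones for review: per the rule field description they were denied because no rule allowed them at all, rather than by an explicit deny rule. Sorting by Hits surfaces a VPN client that keeps retrying a blocked destination, which is usually either a misconfigured application or something worth asking the user about.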

▶ Web Proxy Log Fields

num | Field name | Description
0 | ClientIP | The IP address of the requesting client.
1 | ClientUserName | The user account making the request. A question mark (?) indicates that the user name was sent but the user was not authenticated by ISA Server. If ISA Server access control is not being used, ISA Server uses Anonymous.
2 | ClientAgent | The name and version of the client application sent in the HTTP User-Agent header. When ISA Server is actively caching, this field is set to ISA Server.
3 | ClientAuthenticate | Indicates whether the client has been authenticated with the ISA Server computer. Possible values are Y and N.
4 | logTime | The date on which the logged event occurred. In the MSDE format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set.
5 | logTime | The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the MSDE format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set.
6 | service | The name of the service that is logged. For example, fwsrv indicates the Microsoft Firewall service.
7 | servername | The name of the ISA Server computer.
8 | referredserver | Reserved for future use.
9 | DestHost | The domain name for the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was retrieved from the local cache and not from the destination.
10 | DestHostIP | The network IP address of the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was sourced from the local cache and not from the destination. One exception is negative caching; in that case, this field contains a destination IP address for which a negative cached object was returned.
11 | DestHostPort | The reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request.
12 | processingtime | The total time, in milliseconds, that is needed by ISA Server to process the current connection. It measures the time elapsed from when the server first receives the request to when final processing occurs on the server, that is, when results are returned to the client and the connection is closed. For cache requests that are processed through Web Proxy Filter, the processing time measures the elapsed server time needed to fully process a client request and return an object to the client.
13 | bytesrecvd | The number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer.
14 | bytessent | The number of bytes sent from the client to the remote computer during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer.
15 | protocol | The application protocol used for the connection. Common values are http for Hypertext Transfer Protocol, https for Secure HTTP, and ftp for FTP.
16 | transport | The transport protocol used for the connection. Common values are TCP and UDP.
17 | operation | The HTTP method used. Common values are GET, PUT, POST, and HEAD.
18 | uri | The URL requested.
19 | mimetype | The MIME type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined or supported by the remote computer.
20 | objectsource | The type of source that was used to retrieve the current object. A table of some possible values is provided in Web Proxy: Object Source Log Values.
21 | resultcode | A Windows (Win32) error code (for values less than 100), an HTTP status code (for values between 100 and 1,000), a Winsock error code (for values between 10,004 and 11,031), or an ISA Server error code. A table of some possible values is provided in Web Proxy and Firewall: Result Code Log Values.
22 | CacheInfo | A number reflecting the cache status of the object, which indicates the reasons why the object was or was not cached. The number logged is the sum of the values for all the conditions that are met. A table of the possible values is provided in Web Proxy: Cache Information Log Values.
23 | rule | The rule that either allowed or denied access to the request: if an outgoing request was allowed, the access rule that allowed it; if an outgoing request was denied by a policy rule, the access rule that blocked it; if an incoming request was denied by a policy rule, the Web publishing or server publishing rule that denied it. If ISA Server denied the connection for any reason other than a policy rule, this field contains a hyphen (-), and the Result Code field (bit 21) indicates the reason.
24 | FilterInfo | Information supplied by a Web filter. For example, if HTTP Filter rejected a request, this field contains the reason for the rejection.
25 | SrcNetwork | The network from which the request originated.
26 | DstNetwork | The network to which the request was sent.
27 | ErrorInfo | A 32-bit bitmask that provides additional information about the request that can help identify the source of the error if an error occurred. A table of the possible bit fields is provided in Web Proxy: Error Information Log Values.
28 | Action | The action performed by the Microsoft Firewall Service for the current session or connection. The possible values are defined in the FpcAction enumerated type.
29 | GmtLogTime | The date and time in Coordinated Universal Time (UTC) when the log entry was made (introduced in ISA Server Enterprise Edition).
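The resultcode and rule descriptions above together tell you why the Web proxy refused a request: resultcode lands in one of four numeric ranges depending on who produced the error, and rule is a hyphen when the refusal did not come from a policy rule. The T-SQL below is an added example (not from the original post or Microsoft's documentation) that puts those two definitions to work. It assumes the Web proxy MSDE table is named WebProxyLog (ISA's default name, stated here as an assumption) with the column names from the table above, and uses a placeholder for the per-day database name.

```sql
-- Added example; not the post's or Microsoft's own query.
-- Assumptions: table WebProxyLog with the columns listed above; the
-- per-day database name below is a placeholder.
USE [ISALOG_YYYYMMDD_WEB_000];

-- 1) Summary: per client, how many requests fell into each result-code
--    class in the last 24 hours, using the ranges given for resultcode,
--    and how many of them the proxy denied (FpcAction 8 = Denied).
SELECT
    ClientIP,
    CASE
        WHEN resultcode < 100                   THEN 'Win32 error'
        WHEN resultcode BETWEEN 100 AND 1000    THEN 'HTTP status'
        WHEN resultcode BETWEEN 10004 AND 11031 THEN 'Winsock error'
        ELSE 'ISA Server error'
    END AS ResultClass,
    COUNT(*) AS Requests,
    SUM(CASE WHEN Action = 8 THEN 1 ELSE 0 END) AS Denied
FROM WebProxyLog
WHERE logTime >= DATEADD(hour, -24, GETDATE())
GROUP BY
    ClientIP,
    CASE
        WHEN resultcode < 100                   THEN 'Win32 error'
        WHEN resultcode BETWEEN 100 AND 1000    THEN 'HTTP status'
        WHEN resultcode BETWEEN 10004 AND 11031 THEN 'Winsock error'
        ELSE 'ISA Server error'
    END
ORDER BY ClientIP, Requests DESC;

-- 2) Detail: requests refused for a reason other than a policy rule.
--    Per the rule field description, rule is '-' in that case and
--    resultcode carries the reason; FilterInfo shows what the Web filter
--    (for example HTTP Filter) reported.
SELECT TOP 50
    logTime,
    ClientIP,
    ClientUserName,
    ClientAuthenticate,
    operation,
    DestHost,
    DestHostPort,
    uri,
    resultcode,
    FilterInfo
FROM WebProxyLog
WHERE [rule] = '-'
  AND Action = 8
  AND logTime >= DATEADD(hour, -24, GETDATE())
ORDER BY logTime DESC;
```

The second query is the one to run when a user reports "the proxy blocked me but no rule shows up in the report": a Winsock-range resultcode points at a connectivity failure to the destination, an HTTP-range code came back from the destination itself, and anything else with FilterInfo populated was rejected by a Web filter on the ISA Server.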
