Log Types: ISAWebLog

Overview

Microsoft Forefront Threat Management Gateway, formerly known as Microsoft Internet Security and Acceleration Server (ISA), is a network router, firewall, antivirus program, VPN server and web cache from Microsoft Corporation. It runs on Windows Server and works by inspecting all network traffic that passes through it.

The Web logs are generated by the web proxy component.

Collection

The Snare Epilog agent can collect and forward ISA / Forefront log data.

Sample Events

cbisa.myorg.gov ISAWebLog 3 10.0.0.46 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) 2004-04-07 03:59:56 CBISA - 207.46.110.20 207.46.110.20 80 203 408 226 http POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 10.0.0.46 2004-04-07 03:59:56 CBISA - 207.46.110.20 207.46.110.20 80 203 408 226 http POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 10.0.0.46 07/02/2004 03:59:56 CBISA - 207.46.110.20 207.46.110.20 80 203 408 226 http POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 10.0.0.46 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) Y 2004-04-07 03:59:56 CBISA - t207.46.110.20 207.46.110.20 80 203 408 226 http POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 10.0.0.46 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) Y 2004-04-07 03:59:56 w3proxy CBISA - 207.46.110.20 207.46.110.20 80 203 408 226 http POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 10.0.0.46 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) Y 2004-04-07 03:59:56 w3proxy CBISA myReferredServer 207.46.110.20 207.46.110.20 80 203 408 226 http POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 10.0.0.46 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) Y 2004-04-07 03:59:56 w3proxy CBISA myReferredServer 207.46.110.20 207.46.110.20 80 203 408 226 http TCP POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 10.0.0.46 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) Y 2004-04-07 03:59:56 w3proxy CBISA myReferredServer 207.46.110.20 207.46.110.20 80 203 408 226 http TCP POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 text/html Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) Y 2004-04-07 03:59:56 w3proxy CBISA myReferredServer 207.46.110.20 207.46.110.20 80 203 408 226 http TCP POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 text/html Inet 200 0x40000004

Fields

| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system |
| TABLE | ISAFWSLog |
| HOSTNAME | The host making the request |
| USERNAME | The user name (if available) |
| URL | The Universal Resource Locator |
| RETURNCODE | |
| BYTES | The number of bytes transferred |
| REFERRER | The referring URL |
| AGENT | Browser agent |
| PROTOCOL | GET, POST |
| LOGTYPE | proxysvr |
| CATEGORY | |
| STRINGS | Any other content that does not fit into existing fields |
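
A parser for the sample events above, written for this page as an added example (it is not Snare or Microsoft code). It anchors on the date, method and URL tokens rather than column positions, because the samples differ in which optional columns are present. Assumptions: the three-digit number before the trailing hex value is RETURNCODE, a trailing lone Y/N after the agent is a separate flag, and the function name parse_isa_web_event is made up here.

```python
import re

# Anchor on tokens with a recognisable shape instead of counting columns,
# because the page's samples differ in which optional fields are present.
EVENT = re.compile(
    r"^(?P<SYSTEM>\S+)\s+(?P<TABLE>ISAWebLog)\s+\d+\s+(?P<pre>\S.*?)\s+"
    r"(?P<DATE>\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})\s+(?P<TIME>\d{2}:\d{2}:\d{2})\s+"
    r"(?:.*?\s+)?(?P<PROTOCOL>[A-Z]+)\s+(?P<URL>\S+://\S+)\s+"
    r"(?:\S+/\S+\s+)?\S+\s+(?P<RETURNCODE>\d{3})\s+0x[0-9A-Fa-f]+$"
)

def parse_isa_web_event(line):
    """Return a dict keyed by the page's field names, or None if the line does not match."""
    m = EVENT.match(line.strip())
    if m is None:
        return None
    ev = {k: m.group(k) for k in ("SYSTEM", "TABLE", "DATE", "TIME", "PROTOCOL", "URL", "RETURNCODE")}
    # Before the date: client address, then optionally user name and browser agent.
    parts = m.group("pre").split(None, 2)
    ev["HOSTNAME"] = parts[0]
    ev["USERNAME"] = parts[1] if len(parts) > 1 else None
    agent = parts[2] if len(parts) > 2 else None
    # Assumption: a trailing lone Y/N after the agent is a separate flag, not part of it.
    if agent and re.search(r"\s[YN]$", agent):
        agent = agent[:-2].rstrip()
    ev["AGENT"] = agent
    # "-" is the placeholder the samples use for an empty value.
    return {k: (None if v == "-" else v) for k, v in ev.items()}

# Three of the page's sample events: all columns, fewest columns (slash date), "-" placeholders.
SAMPLES = [
    "cbisa.myorg.gov ISAWebLog 3 10.0.0.46 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) Y 2004-04-07 03:59:56 w3proxy CBISA myReferredServer 207.46.110.20 207.46.110.20 80 203 408 226 http TCP POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 text/html Inet 200 0x40000004",
    "cbisa.myorg.gov ISAWebLog 3 10.0.0.46 07/02/2004 03:59:56 CBISA - 207.46.110.20 207.46.110.20 80 203 408 226 http POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 Inet 200 0x40000004",
    "cbisa.myorg.gov ISAWebLog 3 - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) Y 2004-04-07 03:59:56 w3proxy CBISA myReferredServer 207.46.110.20 207.46.110.20 80 203 408 226 http TCP POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 text/html Inet 200 0x40000004",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_isa_web_event(sample))
```

The slash-format date in the second sample is returned unchanged, since the page does not say whether it is month-first or day-first.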

Notes

-
