Log Types: ISAWebLog
Overview
Microsoft Forefront Threat Management Gateway, formerly known as Microsoft Internet Security and Acceleration Server (ISA), is a network router, firewall, antivirus program, VPN server and web cache from Microsoft Corporation. It runs on Windows Server and works by inspecting all network traffic that passes through it.
The Web logs are generated by the web proxy component.
Collection
The Snare Epilog agent can collect and forward ISA / Forefront log data.
Sample Events
cbisa.myorg.gov ISAWebLog 3 10.0.0.46 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) 2004-04-07 03:59:56 CBISA - 207.46.110.20 207.46.110.20 80 203 408 226 http POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 10.0.0.46 2004-04-07 03:59:56 CBISA - 207.46.110.20 207.46.110.20 80 203 408 226 http POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 10.0.0.46 07/02/2004 03:59:56 CBISA - 207.46.110.20 207.46.110.20 80 203 408 226 http POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 10.0.0.46 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) Y 2004-04-07 03:59:56 CBISA - 207.46.110.20 207.46.110.20 80 203 408 226 http POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 10.0.0.46 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) Y 2004-04-07 03:59:56 w3proxy CBISA - 207.46.110.20 207.46.110.20 80 203 408 226 http POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 10.0.0.46 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) Y 2004-04-07 03:59:56 w3proxy CBISA myReferredServer 207.46.110.20 207.46.110.20 80 203 408 226 http POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 10.0.0.46 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) Y 2004-04-07 03:59:56 w3proxy CBISA myReferredServer 207.46.110.20 207.46.110.20 80 203 408 226 http TCP POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 10.0.0.46 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) Y 2004-04-07 03:59:56 w3proxy CBISA myReferredServer 207.46.110.20 207.46.110.20 80 203 408 226 http TCP POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 text/html Inet 200 0x40000004
cbisa.myorg.gov ISAWebLog 3 - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) Y 2004-04-07 03:59:56 w3proxy CBISA myReferredServer 207.46.110.20 207.46.110.20 80 203 408 226 http TCP POST http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379 text/html Inet 200 0x40000004
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | ISAFWSLog |
HOSTNAME | The host making the request |
USERNAME | The user name (if available) |
URL | The Universal Resource Locator |
RETURNCODE | |
BYTES | The number of bytes transferred |
REFERRER | The referring URL |
AGENT | Browser agent |
PROTOCOL | GET, POST |
LOGTYPE | proxysvr |
CATEGORY | |
STRINGS | Any other content that does not fit into existing fields |
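
An added example, not part of the original page or of the product's own code: a Python parser that maps the sample events above onto the field names in this table, including the layouts with no user name or agent, the `-` placeholder and both date formats. It assumes the space-separated layout shown on this page, that the token before the trailing hex value is the return code, and that a lone Y or N before the date is a flag rather than part of the agent; `parse_isaweblog` and `SAMPLES` are names chosen here.

```python
import re

# Anchors present in every sample event on the page: a date/time pair and,
# after it, an upper-case method followed by an absolute URL.
STAMP = re.compile(r"(\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2})")
REQUEST = re.compile(r"\b([A-Z]+) (\S+://\S+)")

def _value(token):
    """Treat the '-' placeholder as an empty field."""
    return None if token == "-" else token

def parse_isaweblog(line):
    """Map one space-separated ISAWebLog event onto the page's field names."""
    stamp = STAMP.search(line)
    request = REQUEST.search(line, stamp.end()) if stamp else None
    if not request:
        raise ValueError("no date/time or request anchor found")
    head = line[:stamp.start()].split()
    tail = line[request.end():].split()
    if len(head) < 4 or head[1] != "ISAWebLog" or len(tail) < 2:
        raise ValueError("unexpected ISAWebLog layout")
    # Assumed head order: SYSTEM, TABLE, an undocumented number, HOSTNAME, then
    # optionally USERNAME, the agent (contains spaces) and a one-letter flag.
    optional = head[4:]
    agent = optional[1:]
    if agent and agent[-1] in ("Y", "N"):  # assumed flag, not part of the agent
        agent = agent[:-1]
    return {
        "SYSTEM": head[0], "TABLE": head[1],
        "DATE": stamp.group(1), "TIME": stamp.group(2),
        "HOSTNAME": _value(head[3]),
        "USERNAME": _value(optional[0]) if optional else None,
        "AGENT": " ".join(agent) or None,
        "PROTOCOL": request.group(1), "URL": request.group(2),
        "RETURNCODE": int(tail[-2]),  # assumed: the token before the hex value
    }

# Two of the page's sample events: the shortest layout and the longest one.
_URL = "http://207.46.110.20/gateway/gateway.dll?Action=poll&SessionID=210188894.30379"
_DEST = "207.46.110.20 207.46.110.20 80 203 408 226 http"
SAMPLES = [
    f"cbisa.myorg.gov ISAWebLog 3 10.0.0.46 07/02/2004 03:59:56 CBISA - {_DEST} POST {_URL} Inet 200 0x40000004",
    "cbisa.myorg.gov ISAWebLog 3 - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN Messenger6.1.0211) "
    f"Y 2004-04-07 03:59:56 w3proxy CBISA myReferredServer {_DEST} TCP POST {_URL} text/html Inet 200 0x40000004",
]

if __name__ == "__main__":
    for event in SAMPLES:
        print(parse_isaweblog(event))
```

If the agent forwards events tab-delimited, split on tabs instead; the agent string then arrives as a single token and the anchor search is no longer needed.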
Notes
-