When you filter a Report, or choose the criteria for an Alert in TMG Reporter, you are presented with a list of fields that you can use. Here is the full field listing along with descriptions and sample values.
User: The authenticated username from TMG, aliased by the Display Name attribute in Active Directory. If TMG Reporter cannot import usernames from AD, this field displays the original logged username (usually in the form Domain\Username) and can be filtered by entering the full username string. If TMG Reporter can connect to Active Directory, you can simply choose from a pick list of users, and TMG Reporter will automatically link these users to the relevant log data in TMG.
Department: The authenticated username from TMG, aliased by the Department attribute in Active Directory. For users without the Department attribute populated, and for unauthenticated traffic, TMG Reporter displays 'Unknown' for the department.
Company: A pick list of the Company attribute from Active Directory.
Office: A pick list of the Office attribute from Active Directory (the LDAP name is physicalDeliveryOfficeName).
Site: The host portion of the URL field in the Forefront TMG log files, e.g. www.fastvue.co.
Category: A pick list of URL Categories in the Forefront TMG log files. Requires URL Filtering to be enabled in Forefront TMG.
Productivity: The URL Category field in the Forefront TMG log files, aliased by the Productivity List as configured in Settings | Productivity. Possible values: Productive, Unproductive, Acceptable, Unacceptable. Requires URL Filtering to be enabled in Forefront TMG.
Application: The Application field contains the values from the fwc-app-path field in Forefront TMG's Firewall log files, plus a browser name that TMG Reporter extracts from the User Agent field. The browsers recognised are Google Chrome, Mozilla Firefox, Internet Explorer, Apple Safari and Opera. For everything else, if the user agent contains a left parenthesis, the extracted Application is everything before the parenthesis; otherwise it is the first 30 characters of the user agent. Note that the User-Agent header is supplied by the client, so an Application value derived from it is only as trustworthy as the client that sent it.
User Agent: The name and version of the client application, as sent in the HTTP User-Agent header. When Forefront TMG is actively caching, this field is set to Forefront TMG.
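The following Python function is an added example, not TMG Reporter's own code, showing the Application extraction rules described above applied to constructed Web Proxy and Firewall log records. The page only names the five browsers it recognises; the substrings used here to recognise each one are an assumption, as is preferring a Firewall-log fwc-app-path over the User-Agent when a record carries both.

```python
"""Application-name extraction following the rules described on this page.

Added example, not TMG Reporter's own code. The browser-matching substrings
and the preference for fwc-app-path over the User-Agent are assumptions.
"""
import re

# Check order matters: Chrome's User-Agent also contains "Safari", and Opera's
# (old "Opera/9.80 ..." and newer "... OPR/20.0") also contains "Chrome" and
# "Safari", so the more specific browsers are tested first.
BROWSER_PATTERNS = (
    ("Opera", re.compile(r"\bOPR/|\bOpera[/ ]")),
    ("Internet Explorer", re.compile(r"\bMSIE |\bTrident/")),
    ("Mozilla Firefox", re.compile(r"\bFirefox/")),
    ("Google Chrome", re.compile(r"\bChrome/")),
    ("Apple Safari", re.compile(r"\bSafari/")),
)

FALLBACK_LENGTH = 30  # from the page: first 30 characters of the User-Agent


def application_from_user_agent(user_agent):
    """Return the Application value derived from a User-Agent string."""
    ua = (user_agent or "").strip()
    for name, pattern in BROWSER_PATTERNS:
        if pattern.search(ua):
            return name
    # Not a recognised browser: the page's fallback is everything before the
    # first left parenthesis if there is one, otherwise the first 30 characters.
    if "(" in ua:
        return ua.split("(", 1)[0].strip()
    return ua[:FALLBACK_LENGTH]


def application_for_record(record):
    """Application for one log record (dict of TMG field name -> value).

    Firewall log records carry fwc-app-path (the client executable); Web Proxy
    records carry the User-Agent. TMG writes "-" for an empty field.
    """
    app_path = record.get("fwc-app-path", "-")
    if app_path not in ("", "-"):
        return app_path  # assumption: the executable path wins when present
    return application_from_user_agent(record.get("user-agent", "-"))


if __name__ == "__main__":
    # Constructed sample records, not real log data.
    SAMPLE_RECORDS = [
        {"fwc-app-path": "-",
         "user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"},
        {"fwc-app-path": "-",
         "user-agent": "Dropbox/1.4.12 (Windows NT 6.1)"},
        {"fwc-app-path": "-",
         "user-agent": "Windows-Update-Agent/7.6.7600.256 Client-Protocol/1.4"},
        {"fwc-app-path": r"C:\Program Files\Internet Explorer\iexplore.exe",
         "user-agent": "-"},
    ]
    for rec in SAMPLE_RECORDS:
        print(f"{application_for_record(rec)!r:45} <- {rec['user-agent']}")
```

The order of the browser checks is the part worth getting right: a Chrome or Opera User-Agent also contains "Safari", so testing Safari first would misattribute most traffic.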
Action: The action performed by the Microsoft Firewall Service for the current session or connection. The possible values are Allowed, Denied, Failed, Bind, Listen, GHBN, GHBA, Redirect Bind, Establish, Terminate, Intermediate, Successful Connection, Unsuccessful Connection, Disconnection, User cleared Quarantine, Quarantine timeout, Not Logged.
Rule: The rule that either allowed or denied access to the request, as follows:
- If an outgoing request was allowed, this field indicates the access rule that allowed the request.
- If an outgoing request was denied by a policy rule, this field indicates the access rule that blocked the request.
- If an incoming request was denied by a policy rule, this field indicates the Web publishing or server publishing rule that denied the request.
- If Forefront TMG denied the connection for any reason other than a policy rule (for example due to an intrusion attempt or exceeding a flood resiliency threshold) this field contains a hyphen (-), and the Result Code field (bit 21) indicates the reason.
Threat Name: When Forefront TMG discovers a threat, this field gives the name of the threat.
Protocol: The application protocol used for the connection. Common values are HTTP, HTTPS and FTP.
Source IP: The source IP address of the connection (e.g. 192.168.1.3).
Destination IP: The destination IP address of the connection (e.g. 18.104.22.168).
IPS Scan Result: The result of NIS scanning of the traffic or the connection (inspected/detected/blocked).
IPS Signature: The NIS signature detected that resulted in the traffic being blocked.
Malware Inspection Action: Describes the action performed on the inspected content. Possible values are Allowed, Cleaned or Blocked.
Malware Inspection Result: Describes the outcome of the malware inspection process. Possible values include:
- No Violation Detected
- Low and Medium Level Threats Not Blocked
- Infected File
- Suspicious File
- Encrypted File
- Maximum Archive Nesting Exceeded
- Maximum Size Exceeded
- Maximum Unpacked File Size Exceeded
- Unknown Encoding
- Corrupted File
- Time Out
- Storage Space Limit Exceeded
- Malware Inspection Disabled
- Malware Inspection Disabled for the Matching Policy Rule
- Malware Inspection Disabled for the Matching Web Chaining Rule
- Destination Included in Malware Inspection Exceptions List
- Response Originated from Proxy Server
- Request Served by Malware Inspection Web Filter
- Request/Response Pair Identified as Exempted Protocol Message
- Response Identified as a 200 Response to a CONNECT Request
- Response Scanned Before Being Routed by CARP (this is not relevant for Forefront TMG in the Essential Business Server scenario)
Malware Inspection Threat Level: Shows the threat level. Possible values include Low, Medium, High, Severe.
Source Port: The port number on the source computer used for the connection.
Destination Port: The port number on the target server that provides the service for the connection. For example, if the target computer is providing a web service, the Destination Port will be 80 or 443.
Source Network: The network from which the request originated, as defined in Forefront TMG's Network Objects.
Destination Network: The network for which the request was destined, as defined in Forefront TMG's Network Objects.
Site * fields: There is a range of fields starting with Site. They all refer to particular sections of the URL field and are best explained using an example URL: https://www.google.com.au/search?q=meerkat
URL with Query: https://www.google.com.au/search?q=meerkat
Record Type: Either Firewall or Web, depending on whether the record came from the Firewall log or the Web Proxy log.
Total Bytes: The sum of sent and received bytes.
Received Bytes: The amount of data received by the source.
Sent Bytes: The amount of data sent by the source.
Records: The number of log file records in the connection.
Session Time: The duration of a browsing session. See How browsing time is calculated.
Browsing Time: The sum of all browsing session times. See How browsing time is calculated.
The next release of TMG Reporter (v3.0) will include the following additional fields:
New fields coming in TMG Reporter 3.0
Security Group: A pick list of Security Groups from Active Directory.
Filename: Also taken from the URL field. For the URL http://fastvue.co/images/TMGReporter.png, the Filename field contains TMGReporter.png. Useful to add to Alert Evidence tables, or in filters such as Filename 'Ends with' .png.
Filename Extension: The file extension, such as .png, .exe or .swf.
Search Terms: Extracts the keywords from a URL that contains common 'search' query strings such as q= or search=. For example, for https://www.google.com.au/search?q=meerkat, the Search Terms value is meerkat.
Mime Type: The MIME type of the content as logged by Forefront TMG. For example: text/html, image/png.
Referrer * Fields: The Referrer fields are built from the Referrer URL field in the same way as the Site fields above. They include:
- Referrer Protocol
- Referrer Host
- Referrer Port
- Referrer Resource
- Referrer Query
- Referrer Domain
- Referrer Country
- Referrer URL
- Referrer with Query
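To make the URL-derived fields concrete, here is an added Python example (not TMG Reporter's code) that decomposes a logged URL into the Site-style fields listed on this page, and applies the same decomposition to the Referrer URL to produce the Referrer fields. It also derives the Filename, Filename Extension and Search Terms fields described for version 3.0. The page does not say how the Domain and Country fields are derived, so they are left out; the list of search parameter names is an assumption, since the page gives only q= and search= as examples. The sample URLs are constructed, not real log data.

```python
"""Derive the URL-based fields described on this page from a logged URL.

Added example, not TMG Reporter's code. Field names follow the page (Protocol,
Host, Port, Resource, Query, URL, URL with Query, Filename, Filename Extension,
Search Terms). Domain and Country are not covered, and SEARCH_PARAMS is an
assumption extending the page's q= and search= examples.
"""
import posixpath
from urllib.parse import parse_qs, urlsplit

SEARCH_PARAMS = ("q", "search", "query", "p")  # assumption, see docstring
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def url_fields(url):
    """Split one URL field value into the page's URL-derived fields."""
    # TMG's Web Proxy log records an HTTPS tunnel (CONNECT) as bare "host:port";
    # parse that as a network location, not as a URL whose scheme is the host.
    parts = urlsplit(url if "://" in url else "//" + url)
    protocol = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(protocol)
    path = parts.path

    # Rebuild the URL without credentials or fragment, dropping a default port.
    if port is None or port == DEFAULT_PORTS.get(protocol):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    base = f"{protocol}://{netloc}{path}" if protocol else f"{netloc}{path}"
    url_with_query = f"{base}?{parts.query}" if parts.query else base

    filename = posixpath.basename(path)
    _, extension = posixpath.splitext(filename)

    # Search Terms: value of the first recognised search parameter, decoded
    # (parse_qs turns "red+pandas" and "red%20pandas" into "red pandas").
    search_terms = None
    if parts.query:
        params = parse_qs(parts.query)
        for name in SEARCH_PARAMS:
            if params.get(name):
                search_terms = params[name][0]
                break

    return {
        "Protocol": protocol,
        "Host": host,
        "Port": port,
        "Resource": path,
        "Query": parts.query,
        "URL": base,
        "URL with Query": url_with_query,
        "Filename": filename,
        "Filename Extension": extension.lower(),
        "Search Terms": search_terms,
    }


def record_fields(url, referrer="-"):
    """Site * fields for the URL, plus Referrer * fields when a referrer was logged."""
    fields = {f"Site {k}": v for k, v in url_fields(url).items()}
    if referrer not in ("", "-"):
        fields.update({f"Referrer {k}": v for k, v in url_fields(referrer).items()})
    return fields


def filter_ends_with(urls, field, suffix):
    """The page's filter example (Filename 'Ends with' .png) over a list of URLs."""
    return [u for u in urls if str(url_fields(u)[field] or "").endswith(suffix)]


if __name__ == "__main__":
    # Constructed sample URLs, not real log data.
    SAMPLE = [
        "https://www.google.com.au/search?q=meerkat",
        "http://fastvue.co/images/TMGReporter.png",
        "www.example.com:443",
    ]
    for u in SAMPLE:
        print(url_fields(u))
    print(record_fields(SAMPLE[1], referrer=SAMPLE[0]))
    print(filter_ends_with(SAMPLE, "Filename", ".png"))
```

The CONNECT case is the one to watch when writing your own filters: an HTTPS tunnel is logged with no scheme or path, so Site Resource, Filename and Search Terms are all empty for it, and only the Site Host and Site Port fields carry information.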