Proxy server log files




















This is the computer name assigned in Windows Server.

The domain name for the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was retrieved from the local cache and not from the destination.

The network IP address of the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was sourced from the local cache and not from the destination. One exception is negative caching. In that case, this field contains a destination IP address for which a negative cached object was returned.

The reserved port number on the remote computer that provides service to the current connection. This is used by the client application initiating the request.

The total time, in milliseconds, that is needed by Forefront TMG to process the current connection. It measures the time elapsed from the time when the server first receives the request to the time when final processing occurs on the server—when results are returned to the client and the connection is closed.

The number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer.

The number of bytes sent from the client to the remote computer during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer.

The application protocol used for the connection.

Statistical data is displayed in diagrams and tables. It is also possible to print reports.

It's not a problem with the software, it's a problem with the Proxy logs.

You have allow anonymous logons checked in the Proxy MMC. Right click the Default Website, select properties then Directory Security. Click the Anonymous access edit button.

Remove the check mark for allow anonymous. If you don't check this the user will have to enter his PWD every time he opens the Browser. You will have to stop and start the Default web before the changes will occur.

Thanks Josh, that was a help, but I'm not ready to award the points quite yet. What you said worked, but I have a follow-up question. Please log on to your proxy server and then try again" This makes perfect sense of course, but where is it that you perform this logon to the proxy server?

OK, so now I do have authenticated user names showing up in my report in place of IP addresses, and that is a big help and thanks for that tip, but my original question still remains unanswered.

Proxy server logs for incident response

When you do incident response having access to detailed logs is crucial.

Configuring proxy server logs for incident response

Time synchronization

If you try to reconstruct a timeline then correct timestamps are crucial.

Log retention

A lot of security incidents are detected long after the initial compromise took place.

Proxy log settings

To be useful during an investigation, proxy server logs should track the following information:

- Date and time
- HTTP protocol version
- HTTP request method
- Content type
- User agent
- HTTP referer
- Length of the content response
- Authenticated username of the client
- Client IP and source port
- Target host IP and destination port
- Target hostname (DNS)
- The requested resource
- HTTP status code of reply
- Time needed to provide the reply back to the client
- Proxy action (from cache, not from cache, …)

Alerts on proxy server entries

Besides being useful during an incident, the proxy server logs can also be used to raise alerts based on their content.

Length of the content response

Track the length of the content response. Also, excessive content lengths should raise an alarm.
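The check described above, as an added example that is not code from the original page or from any proxy product: it flags oversized responses and keeps entries whose length is a hyphen, a zero or a negative number separate, following the byte-count field descriptions earlier on this page. The tab-separated layout, the field order, the sample entries and the 100 MiB threshold are assumptions made for illustration.

```python
import csv
import io

# Constructed log format (an assumption): tab-separated, using a subset of the
# fields listed above. Real proxy products use their own layouts.
FIELDS = ["time", "client_ip", "user", "method", "host", "status", "bytes", "action"]

# Constructed sample entries, not taken from a real proxy.
SAMPLE_LOG = "\n".join([
    "2024-01-10T09:00:01Z\t10.0.0.5\talice\tGET\twww.example.com\t200\t5120\tMISS",
    "2024-01-10T09:00:07Z\t10.0.0.5\talice\tGET\twww.example.com\t200\t-\tHIT",
    "2024-01-10T09:01:30Z\t10.0.0.9\tbob\tGET\tfiles.example.net\t200\t734003200\tMISS",
    "2024-01-10T09:02:11Z\t10.0.0.9\tbob\tPOST\tapi.example.org\t200\t0\tMISS",
    "2024-01-10T09:03:00Z\t10.0.0.7\tcarol\tGET\tcdn.example.net\t200\t-1\tMISS",
])

MAX_RESPONSE_BYTES = 100 * 1024 * 1024  # hypothetical threshold; tune per environment


def parse_length(raw):
    """Return the response length, or None when it was not recorded.

    A hyphen, a zero or a negative number means "not provided / nothing
    received", so it must not be treated as a real size.
    """
    try:
        value = int(raw)
    except (TypeError, ValueError):  # "-" or a truncated line
        return None
    return value if value > 0 else None


def review_lengths(log_text, limit=MAX_RESPONSE_BYTES):
    """Split entries into oversized responses and entries with no usable length."""
    oversized, unknown = [], []
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS, delimiter="\t")
    for row in reader:
        length = parse_length(row["bytes"])
        entry = (row["time"], row["user"], row["host"])
        if length is None:
            unknown.append(entry)
        elif length > limit:
            oversized.append(entry + (length,))
    return oversized, unknown


if __name__ == "__main__":
    big, missing = review_lengths(SAMPLE_LOG)
    for time, user, host, length in big:
        print(f"ALERT {time} {user} -> {host}: {length} bytes")
    print(f"{len(missing)} entries without a usable length")
```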


