There are two primary methods to monitor the activity of Microsoft Proxy Server. The first and more common is activity logging, which can be done through standard comma delimited text files, or to a qualified database through ODBC drivers (Open DataBase Connectivity). The second method, and one which will be available to a small minority of network administrators, is monitoring through SNMP (Simple Network Management Protocol). SNMP is a protocol service that can be installed in Windows NT. The purpose of SNMP is to serve out monitoring and sometimes controlling data to a remote workstation(s) so that services running on an NT server can be monitored and controlled from an outside location.
Utilizing SNMP requires client software on the workstation monitoring the SNMP data stream. Several companies make SNMP software, but it's normally pretty expensive stuff. This chapter doesn't delve too deeply into the realm of SNMP. It's primary focus is to explain the structure of the Microsoft Proxy Server logs and also explain the principles of how to connect Microsoft Proxy Server to a database server engine so that log information can be saved to a database file via ODBC.
Microsoft Proxy Server can log information to a text file or to a database through ODBC drivers to engines, such as an Access Server or an SQL Server. Logging to a text file is a very simple process and will give a network administrator a quick way of seeing what transactions have transpired through both Microsoft Proxy Server components (the Web Proxy and the WinSock Proxy). The logs (in either text format or database format) can then be used to generate reports of daily, weekly, or monthly activity.
By default, Microsoft Proxy Server is configured to log all transaction information to text file logs. The default location of these files will be:
Normally, a new log file is created automatically every day, although this can be changed to weekly or monthly. A new log file can also be created when the current log file reaches a specific size.
In the Properties sheets of both the Web Proxy and WinSock Proxy services, there is a Logging tab. This tab is identical for both services (except for log file location values) and controls all logging settings for each server. Figure 13.1 shows the Logging tab of the Web Proxy.
Chapter 6, "Configuring Proxy Server," covers in detail all of the settings found on this tab. To ensure that logging is enabled for both proxy servers, make sure the Enable Logging check box is checked on both Logging tabs.
When a log file is created, its name is based on the current date. For example, a log file created on December 5, 1996 would have the file name: w3961205.log. Log files can be in one of two formats: regular and verbose. Regular logs are shorter format logs that do not contain all available data elements, and verbose logs contain a complete set of all available log data. Figure 13.2 shows a sample of a regular log file generated by the WinSock Proxy. The format of the logs files created by both proxy servers is identical.
Figure 13.3 shows a sample of a verbose log file.
I have purposefully tried to access the same sequence of sites in both log files so you can see a side by side comparison (well, as close as possible since I did the first log file sample just before midnight and the second sample just past midnight).
As you can tell, each line of the log file is one record. Fields within the record are separated by commas. In the regular log file sample, the sequence of fields within a record is still the same; however, because a regular log is a reduced version of the verbose log, some of the fields are simply represented by a dash ( - ). This helps to cut down the size of the log files in busy proxy conditions. If you are the administrator for a network of 100 or more proxy users, you might find that daily logs files exceed 10 megs, depending on the amount of traffic that passes through the proxies.
In order to understand the contents of the log file, the following is a definition of each field in the same order you will find in the log files themselves. Remember that log files from the Web Proxy and the WinSock Proxy are identical in format, and regular logs will not omit any data fields, just replace some information with a dash.
Figure 13.4 shows a more complicated log file example.
Operating System Logged Code
0:3.1 Windows 3.1
0:3.11 Windows for Workgroups
0:3.95 Windows 95 (connection made by a 16-bit client application.)
1:3.11 Windows for Workgroups (connection by a client using the Win32s extensions.)
2:4.0 Windows 95 (connection made by a 32-bit client.)
3:3.51 Windows NT 3.51
3:4.0 Windows NT 4.0
A full example of the field value of this data bit logged by the Web Proxy might be might be: Mozilla/2.0 (compatible; MSIE 3.0; Windows 95). A full example of the field value of this data bit logged by the WinSock Proxy might be: WS_FTP32.EXE:2:4.0. The exact value of this field when logged by the Web Proxy will vary according to the header information sent to the Web Proxy by the client application making the proxy connection.
MIME Type Definition
application/x-msdownload Application
image/gif GIF Image
image/jpeg JPG Image
multipart/x-zip ZIP Archive
text/plain ASCII Text File
Field Value Definition
Unknown Proxy Server could not determine where the object originated.
Cache Object found in cache.
Rcache Object found on Internet. Objects was added to cache.
Vcache Object found in cache. Object was verified against target object on Internet.
NVCache Object found in cache but could not be verified against target object on Internet. Object was still returned to client.
VFInet Object found on Internet. Object could not be verifed against source.
PragNoCacheInet Object found on Internet. HTTP header indicates that the object should not be cached.
Inet Object found on Internet. Object was not added to the cache.
Code Definition
0 Successful Connection
1 Server Failure
2 Rejection by Proxy due to filtering
3 Network unreachable due to no DNS service available.
4 Host unreachable because no DNS entry could be found for the host.
5 Connection refused by target Internet site.
6 Unsupported client request (perhaps the client is using a non-compliant TCP/IP stack or the WinSock call is from a non-supported version.
7 Unsupported Address type.
When regular logging is selected, some fields will simply be represented with a dash. Verbose logging will log all known data to all the previously listed fields. Regular logging will log only the following fields:
Reading the logs can sometimes be very confusing because it appears that the proxies sometimes do not log the correct information. The important thing to remember is to keep the order of the fields right, and pretty soon you'll be able to understand them correctly.
Because the Web proxy runs as a sub-service of the WWW Server, you can turn off all WWW logging and let the Web Proxy log all connection information. Enabling the WWW log is a redundant action that will only eat up disk space.
Speaking of disk space, keep in mind that log files can grow to a very large size when there are many people accessing Microsoft Proxy Server. This is due to the fact that each object returned from the Internet or cache generates a record. Web pages can contain five, ten, or more objects. Every time such pages are accessed, a large number of log records are created. To make matters worse, some clients will issue the same command over and over again when they receive an error retrieving requested data. This can make the log files huge. It's an excellent idea to only keep a few days worth of logs active and archive the remaining ones you want to keep. If the log disk becomes full, Microsoft Proxy Server may stop operating.
Keeping a log will make sure that you as network administrator are maintaining a high security environment for your company. Without logging, your network users may be bogging down Internet access, and you'll have no way of knowing who or what is causing the problem.
If you have access to a database engine such as SQL Server or Access, you can use ODBC drivers to let Microsoft Proxy Server interface with these engines to log the same information that will be logged to text files. The benefit of logging to a database is that the data is already in an easily manipulated form and is often stored in a more compact manner.
When Microsoft Proxy Server is installed, it will prompt you to install ODBC drivers. The ODBC drivers for interfacing with SQL and Access are provided with Microsoft Proxy Server. If ODBC drivers are already installed on your NT server for some other purpose, you will not need to re-install them. ODBC drivers operate in a universal manner, and as such are not specific to any certain piece of software (except for the database they are designed to Interface with). ODBC was designed to be a generic interface method that applications could use to open a database to write or retrieve data without having to know the specifics of the database engine or format of the data files themselves. Applications make generic calls to the ODBC driver, and the ODBC driver knows how to perform the requested action with the database engine.
The first thing to do if you are planning on using a database to log Microsoft
Proxy Server information is to prepare a database file to hold the data. This is
done through the database itself. This should be a fairly straightforward one of
creating the file with the required fields of sufficient length to hold any possible
data. The following table details the exact field names and types Microsoft Proxy
Servers needs in a table or database to correctly log information.
| Table 13.1. Microsoft Proxy Server field names and types. | |||
| Field Name | SQL Data Type | Access Data Type | Length |
| ClientIP | varchar | text | 50 |
| clientUserName | varchar | text | 50 |
| ClientAgent | varchar | text | 100 |
| clientAuthenticate | char | text | 5 |
| LogTime | datetime | datetime | n/a |
| Service | varchar | text | 25 |
| ServerName | varchar | text | 50 |
| ReferredServer | varchar | text | 100 |
| DestHost | varchar | text | 255 |
| DestHostIP | varchar | text | 50 |
| DestHostPort | int | Long Integer | n/a |
| ProcessingTime | int | Long Integer | n/a |
| BytesSent | int | Long Integer | n/a |
| BytesRecv | int | Long Integer | n/a |
| Protocol | varchar | text | 25 |
| Transport | varchar | text | 25 |
| Operation | varchar | text | 255 |
| URI | varchar | text | 255 |
| MIMEType | varchar | text | 25 |
| ObjectSource | varchar | text | 25 |
| ResultCode | int | LongInteger | n/a |
Once the table is constructed, the logging tab of the both proxy properties can be used to configure the proxies to log in to the correct database engine and pass log information. Chapter 6 covers setting up the logging tab in greater detail.
DSN stands for Data Source Name. It is a naming convention used by ODBC drivers 2.5 and above. When applications make DSN calls to an ODBC driver, those calls will include vital information such as the standard name of the ODBC driver being called, the name of the database to open, and the target server to contact. Without DSN, ODBC drivers will be unable to correctly open the target database and begin logging information. A database can be assigned a Data Source Name, and it is by this name that Microsoft Proxy Server will reference the target database. Make sure that the DSN you give to an SQL or Access database matches the DSN name you indicate on the logging tab of the proxy properties.
DSN is primarily configured through the ODBC Control Applet in the Windows NT Control Panel. Refer to the online help in that applet when configuring DSN for a particular database/engine.
Microsoft Proxy Server uses other logs for its own internal data. When Microsoft Proxy Server is installed, it logs its setup information to c:\mspsetup.log. This is a text log you can reference if setup did not go correctly.
When the WinSock Proxy client software is installed on workstations, it will create a log file called c:\mpcsetup.log. This log can be used to help track down installation problems workstations might be having with the WinSock Proxy client software.
The Windows Event Viewer found in the Administrative Tools folder is the best
way of tracking down operational problems with Microsoft Proxy Server. Any application
error Microsoft Proxy Server may be encountering will be logged through the Event
Log. Each event related to Microsoft Proxy Server will be tagged with on of the following
source names:
Event Source Name Definition
WebProxyServer Web Proxy Server generated
WebProxyLog Web Proxy logger generated
WebProxyCache Web Proxy cache generated
WinSockProxy WinSock Proxy Server generated
WinSockProxyLog WinSock Proxy Server logger generated
MSProxyAdmin Microsoft Proxy Server Administrative interface generated
SNMP is a communication protocol designed to allow remote control of a server or server application from an external workstation (or other NT server). In order for SNMP to work, the SNMP protocol must be installed on the server with the application that is to be remotely controlled, and any controlling server or workstation must have the SNMP protocol installed as well as SNMP client software. SNMP client software isn't cheap, nor is it simple to understand.
Most server applications that can be remotely controlled or monitored through the SNMP protocol will come with MIBs or Management Information Base files. MIBs are information files that tell SNMP client software how to interface with the server application they are designed for. SNMP client software will compile MIB files into part of their own code so they will understand how the target server application operates.
The Microsoft Proxy Server MIBs are not installed when Microsoft Proxy Server is installed. If you purchased Microsoft Proxy Server and have an installation CD, the MIBs can be found in the \Alpha\Perfctrs, \I386\Perfctrs, \Mips\Perfctrs, and Ppc\Perfctrs directories (for the four-system architectures that NT supports). The MIB for the Web Proxy service is w3p.mib. The MIB for the WinSock Proxy service is wsp.mib.
Compilation and usage instructions for SNMP control and monitoring is beyond the scope of this book. If you are interested in learning how to use the SNMP protocol and SNMP client software, you may have a hard time finding any demo or shareware clients. SNMP client software is not the kind of software companies put out for users use on a try before you buy basis.
For a large number of network administrators, using Microsoft Proxy Server will be the best way to control company-wide access to the Internet. Using the logging and SNMP monitoring capability of Microsoft Proxy Server, a network administrator can ensure that an Internet link will be used properly and efficiently.