Overview
Logs keep information records of selected events occurred in or detected by Kerio Control. Each log is displayed in a window in the Logs section. For this particular content, we will focus on filter logs in Kerio Control.
What is it?
The Filter log gathers information on web pages and objects blocked/allowed by the HTTP and FTP filters and on packets matching traffic rules with the Log packets option enabled or meeting other conditions (e.g. logging of UPnP traffic).
Each log line includes the following information depending on the component that generated the log:
- When an HTTP or FTP rule is applied: rule name, user, IP address of the host that sent the request and object's URL.
- When a traffic rule is applied: detailed information about the packet that matches the rule (rule name, source and destination address, ports, size, etc.). The format of the logged packets is defined by the template that you can edit through the Filter log context menu.
Sample logs and message format:
1. URL rule log message:
| [18/Apr/2013 13:39:45] ALLOW URL 'Kerio Antivirus update' 192.168.64.142 jsmith HTTP GET http://update.kerio.com/antivirus/datfiles/4.x/dat-4258.zip | |
| Message component | Description |
| [18/Apr/2013 13:39:45] |
Date and time when the event was logged |
| ALLOW |
Action that was executed (ALLOW = access allowed, DENY = access denied) |
| URL |
Rule type (for URL or FTP) |
| Kerio Antivirus update |
Rule name |
| 192.168.64.142 |
IP address of the client |
| jsmith |
Name of the user authenticated on the firewall |
| HTTP GET |
HTTP method used in the request |
| http://update.kerio.com/antivirus /datfiles/4.x/dat-4258.zip |
Requested URL |
2. Packet log example:
| [16/Apr/2013 10:51:00] PERMIT 'Local traffic' packet to LAN, proto:TCP, len:47, ip/port:195.39.55.4:41272 - 192.168.1.11:3663, flags: ACK PSH, seq:1099972190 ack:3795090926, win:64036, tcplen:7 | |
| Message component | Description |
| [16/Apr/2013 10:51:00] |
Date and time when the event was logged |
| PERMIT |
Action that was executed with the packet (PERMIT, DENY or DROP) |
| Local traffic |
The name of the traffic rule that was matched by the packet |
| packet to |
Packet direction (either to or from a particular interface) |
| LAN |
Name of the interface on which the traffic was detected |
| proto: |
Transport protocol (TCP, UDP, etc.) |
| len: |
Packet size in bytes (including the headers) in bytes |
| ip/port: |
Source IP address, source port, destination IP address and destination port |
| flags: |
TCP flags |
| seq: |
Sequence number of the packet (TCP only) |
| ack: |
Acknowledgment sequence number (TCP only) |
| win: |
Size of the receive window in bytes (it is used for data flow control TCP only) |
| tcplen: |
TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only) |
Priyanka Bhotika
Comments