Overview
Log packet formatting in the Filter and Debug logs allows further customization of the output to make the logs easier for you to read. This article explains these customization options and how to use them in Kerio Control.
Process
- In Kerio Control's administration interface, navigate to Logs > Debug/Filter.
- In the Context menu, click on Format of logged packets.
- Type an expression for the format of logs.
- Click OK.
Creating an Expression
Special expressions or templates define the format of logged packets in Kerio Control. You can edit these templates to get transparent and relevant information. The default template for packet logging follows this pattern:
%DIRECTION%, %IF%, proto:%PROTO%, len:%PKTLEN%, %SRC% - %DST%, %PAYLOAD%
Expressions enclosed in % signs are variables. All other characters and symbols are static text and are printed in the log verbatim. The table below describes the variables that can be used in packet logging templates:
Variable | Description
%DIRECTION% | Traffic direction relative to the firewall network interface on which the packet was seen (incoming or outgoing).
%IF% | Interface name.
%PROTO% | Protocol type (TCP, UDP, etc.).
%PKTLEN% | Packet size.
%SRC% | Source IP address and port (depending on the Raw protocol attribute).
%DST% | Destination IP address and port (depending on the Raw protocol attribute).
%SRCMAC% | Source MAC address.
%DSTMAC% | Destination MAC address.
%PAYLOAD% | Size of the data part of the packet with details provided (depending on the Raw protocol attribute).
%PAYLOADLEN% | Size of the data part of the packet.
%DSCP% | DSCP value in the IP header.
For example, to log the direction on an interface together with the source, destination and size of each packet, use the following template:
%DIRECTION% %IF%, %SRC% >> %DST%, length %PKTLEN%
Which results in the following structure:
[08/Sep/2012 11:47:39] PERMIT "Firewall traffic" packet from WAN, 192.168.52.2:53 >> 192.168.52.128:1035, length 96
[08/Sep/2012 11:47:39] PERMIT "Firewall traffic" packet to WAN, 192.168.52.128:1035 >> 192.168.52.2:53, length 63
If you also want to show the protocol being used, use the following template:
%DIRECTION% %IF% %PROTO% (%SRC% >> %DST%)
Which results in the following structure:
[08/Sep/2012 16:12:33] PERMIT "Firewall traffic" packet to WAN UDP (192.168.52.128:1121 >> 192.168.52.2:53)
[08/Sep/2012 16:12:33] PERMIT "Firewall traffic" packet from WAN UDP (192.168.52.2:53 >> 192.168.52.128:1121)
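The two templates above can be exercised outside the firewall. The following Python is an added example, not Kerio's own code: it expands a template for one packet the way the firewall does, and, more usefully for anyone feeding these logs into a collector or SIEM, turns the same template into a regular expression so the resulting lines can be parsed back into named fields. Because a format change is not retroactive (see the note under Confirmation), the parser accepts a list of templates so that old and new lines in one file can both be handled. The fixed line prefix ([timestamp] ACTION "rule" packet) is taken from the sample output above; the per-variable match patterns, the helper names, and the sample lines are assumptions and constructed inputs, not anything the article specifies.

```python
"""Render and parse Kerio Control packet-log templates (added example)."""
import functools
import re

# Variables from the article's table. The regex each value is matched with is an
# assumption fitted to the article's sample output, not a Kerio specification.
VARIABLE_PATTERNS = {
    "DIRECTION": r"(?:from|to)",                     # rendered as "from"/"to" in the samples
    "IF": r"[^\s,]+",                                # interface name, e.g. WAN
    "PROTO": r"[A-Za-z0-9]+",                        # TCP, UDP, ICMP, ...
    "PKTLEN": r"\d+",
    "SRC": r"[0-9A-Fa-f.:\[\]]+",                    # IPv4/IPv6 address with optional :port
    "DST": r"[0-9A-Fa-f.:\[\]]+",
    "SRCMAC": r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}",
    "DSTMAC": r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}",
    "PAYLOAD": r".*?",                               # free-form details, matched lazily
    "PAYLOADLEN": r"\d+",
    "DSCP": r"\d+",
}

_TOKEN = re.compile(r"%([A-Z]+)%")

# Every sample line in the article starts with this fixed part; the template
# only controls what follows the word "packet ".
_LINE_PREFIX = r'^\[(?P<TIMESTAMP>[^\]]+)\] (?P<ACTION>\S+) "(?P<RULE>[^"]*)" packet '


def unknown_variables(template):
    """Return the %...% names in a template that are not known variables.

    Worth running before pasting a template into the UI: a typo such as
    %PKTLENGTH% would otherwise silently produce lines a parser cannot read.
    """
    return [n for n in _TOKEN.findall(template) if n not in VARIABLE_PATTERNS]


def render(template, fields):
    """Expand a template for one packet, as the firewall does when logging."""
    bad = unknown_variables(template)
    if bad:
        raise ValueError(f"unknown template variables: {bad}")
    return _TOKEN.sub(lambda m: str(fields[m.group(1)]), template)


@functools.lru_cache(maxsize=None)
def template_to_regex(template):
    """Turn a template into a compiled regex with one named group per variable."""
    bad = unknown_variables(template)
    if bad:
        raise ValueError(f"unknown template variables: {bad}")
    parts, pos = [], 0
    for m in _TOKEN.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))   # static text, matched literally
        name = m.group(1)
        parts.append(f"(?P<{name}>{VARIABLE_PATTERNS[name]})")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile(_LINE_PREFIX + "".join(parts) + "$")


def parse_line(line, templates):
    """Parse one log line, trying each template in turn.

    A format change is not retroactive, so one log file can hold lines in the
    old and the new layout; passing both templates copes with that. Returns
    None when no template matches.
    """
    for tpl in templates:
        m = template_to_regex(tpl).match(line)
        if m:
            return {"TEMPLATE": tpl, **m.groupdict()}
    return None


# The two templates from the article, and one sample line for each (the
# lines are copied from the article's example output).
TEMPLATE_A = "%DIRECTION% %IF%, %SRC% >> %DST%, length %PKTLEN%"
TEMPLATE_B = "%DIRECTION% %IF% %PROTO% (%SRC% >> %DST%)"
SAMPLE_LINES = [
    '[08/Sep/2012 11:47:39] PERMIT "Firewall traffic" packet from WAN, 192.168.52.2:53 >> 192.168.52.128:1035, length 96',
    '[08/Sep/2012 16:12:33] PERMIT "Firewall traffic" packet to WAN UDP (192.168.52.128:1121 >> 192.168.52.2:53)',
]

if __name__ == "__main__":
    # Constructed packet: rendering it with TEMPLATE_A reproduces the first sample line's tail.
    pkt = {"DIRECTION": "from", "IF": "WAN", "SRC": "192.168.52.2:53",
           "DST": "192.168.52.128:1035", "PKTLEN": 96}
    print(render(TEMPLATE_A, pkt))
    for line in SAMPLE_LINES:
        print(parse_line(line, [TEMPLATE_A, TEMPLATE_B]))
```

When the template is changed, keep the old template in the list passed to parse_line until the old lines have rotated out; lines that match no template should be counted and surfaced rather than dropped, since a sudden rise in unparsed lines is the quickest sign that someone changed the format without updating the collector.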
Confirmation
After the change is applied, new entries in the logs appear in the new format.
Note: This change is not retroactive; data that was already logged keeps its previous format. The format applies to both the Filter and Debug logs at the same time, and it is not possible to set a different format for each log.