Logs keep information records of selected events occurred in or detected by Kerio Control. The Filter log gathers information on web pages and objects blocked/allowed by the HTTP and FTP filters and on packets matching traffic rules with the Log packets option enabled or meeting other conditions (e.g. logging of UPnP traffic).
Each log line includes the following information depending on the component that generated the log:
- When an HTTP or FTP rule is applied: rule name, user, IP address of the host that sent the request and object's URL.
- When a traffic rule is applied: detailed information about the packet that matches the rule (rule name, source and destination address, ports, size, etc.). The format of the logged packets is defined by a template that can be edited through the Filter log context menu. Detailed help is available in the dialog for template definition.
Selecting the Information Monitored by the Filter Log
To log network traffic, there is a template that defines which information will be recorded and what format will be used for the log. This helps make the log more transparent and reduce demands on disk space. To configure the template:
- In the administration interface, go to Logs > Filter.
- In the context menu, click Format of logged packets.
- Type an expression.
- Click OK.
Reading the Filter Log
URL Rule Log Message Example
[18/Apr/2013 13:39:45] ALLOW URL 'Kerio Antivirus update' 192.168.64.142 standa HTTP GET http://update.kerio.com/antivirus/datfiles/4.x/dat-4258.zip
- [18/Apr/2013 13:39:45] date and time when the event was logged
- ALLOW — action that was executed (ALLOW = access allowed, DENY = access denied)
- URL — rule type (for URL or FTP)
- 'Kerio Antivirus update' — rule name
- 192.168.64.142 — IP address of the client
- jsmith — name of the user authenticated on the firewall (no name is listed unless at least one user is logged in from the particular host)
- HTTP GET — HTTP method used in the request
- http:// ... — requested URL
Packet Log Example
[16/Apr/2013 10:51:00] PERMIT 'Local traffic' packet to LAN, proto:TCP, len:47, ip/port:126.96.36.199:41272 - 192.168.1.11:3663, flags: ACK PSH, seq:1099972190 ack:3795090926, win:64036, tcplen:7
- [16/Apr/2013 10:51:00] — date and time when the event was logged
- PERMIT — action that was executed with the packet (PERMIT, DENY orDROP)
- Local traffic — the name of the traffic rule that was matched by the packet
- packet to — packet direction (eitherto or from a particular interface)
- LAN — name of the interface on which the traffic was detected
- proto: — transport protocol (TCP, UDP, etc.)
- len: — packet size in bytes (including the headers) in bytes
- ip/port: — source IP address, source port, destination IP address and destination port
- flags: — TCP flags
- seq: — sequence number of the packet (TCP only)
- ack: — acknowledgement sequence number (TCP only)
- win: — size of the receive window in bytes (it is used for data flow control TCP only)
- tcplen: — TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only)
Confirmation: You have selected the information to monitor via the filter log.