Overview
Logs keep records of selected events that occurred in, or were detected by, Kerio Control. The HTTP log contains all HTTP (Hypertext Transfer Protocol) requests that were processed by the inspection module or by the built-in proxy server. This article explains the HTTP log, its syntax and how it is analyzed.
Reference Information
The HTTP log uses one of two standard formats: that of the Apache www server or that of the Squid proxy server.
The format of the log can be set through the context menu. The change will take effect with the next new log record (it is not possible to convert existing records).
NOTE
- Only accesses to allowed pages are recorded in the HTTP log. A request that was blocked by content rules is logged to the Filter log if the Log option is enabled in the particular rule.
- The HTTP log is intended to be processed by external analytical tools. The Weblog is better suited for viewing by the Kerio Control administrator.
Reading the HTTP Logs
Below is an example of an HTTP log record in the Apache format:
192.168.64.64 - jsmith [18/Apr/2013:15:07:17 +0200] "GET http://www.kerio.com/ HTTP/1.1" 304 0 +4
- 192.168.64.64 — The IP address of the client host.
- jsmith — Name of the user authenticated through the firewall (a dash is displayed if no user is authenticated on the client).
- [18/Apr/2013:15:07:17 +0200] — The date and time of the HTTP request. The +0200 value is the time difference from UTC (+2 hours in this example, i.e. CET).
- GET — The HTTP method used.
- http://www.kerio.com — The requested URL.
- HTTP/1.1 — The version of the HTTP protocol.
- 304 — The return code of the HTTP protocol.
- 0 — The size of the transferred object (file) in bytes.
- +4 — The count of HTTP requests transferred through the connection.
Below is an example of an HTTP log record in the Squid format:
1058444114.733 0 192.168.64.64 TCP_MISS/304 0 GET http://www.squid-cache.org/ - DIRECT/206.168.0.9
- 1058444114.733 — Timestamp (seconds and milliseconds since January 1st, 1970).
- 0 — The download duration (not measured in Kerio Control, always set to zero).
- 192.168.64.64 — The IP address of the client (i.e. of the host from which the client connects to the website).
- TCP_MISS — The TCP protocol was used and the requested object was not found in the cache (missed). Kerio Control always uses this value for this field.
- 304 — The return code of the HTTP protocol.
- 0 — The amount of data transferred in bytes (HTTP object size).
- GET http://www.squid-cache.org/ — The HTTP request (HTTP method and URL of the object).
- DIRECT — The www server access method (Kerio Control always uses direct access).
- 206.168.0.9 — The IP address of the www server.
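Since the HTTP log is meant for external analytical tools, the following parser for both record layouts described above is an added example (not part of this article or of Kerio Control). It assumes the field order shown in the two sample records, treats the dash between the URL and DIRECT/… in the Squid record as the user field as in Squid's native log format (the article does not describe that field), and the sample lines are constructed copies of the records above.

```python
import re
from datetime import datetime, timezone

# Constructed sample records, one in each format described above.
APACHE_LINE = ('192.168.64.64 - jsmith [18/Apr/2013:15:07:17 +0200] '
               '"GET http://www.kerio.com/ HTTP/1.1" 304 0 +4')
SQUID_LINE = ('1058444114.733 0 192.168.64.64 TCP_MISS/304 0 GET '
              'http://www.squid-cache.org/ - DIRECT/206.168.0.9')

# Apache-style record: client "-" user [timestamp] "method url proto" status size +requests
APACHE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+) \+(?P<requests>\d+)$')

# Squid-style record: timestamp duration client RESULT/status size method url user HIER/server
# (the user field is an assumption taken from Squid's native format; the article does not name it)
SQUID_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) (?P<duration>\d+) (?P<client>\S+) '
    r'(?P<result>[A-Z_]+)/(?P<status>\d{3}) (?P<size>\d+) '
    r'(?P<method>\S+) (?P<url>\S+) (?P<user>\S+) (?P<hier>[A-Z_]+)/(?P<server>\S+)$')

def parse_apache(line):
    m = APACHE_RE.match(line)
    if not m:
        raise ValueError("not a Kerio Apache-format HTTP log record: %r" % line)
    rec = m.groupdict()
    # %z parses the "+0200" UTC offset, so the result is a timezone-aware datetime
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["user"] = None if rec["user"] == "-" else rec["user"]  # "-" means unauthenticated
    for k in ("status", "size", "requests"):
        rec[k] = int(rec[k])
    return rec

def parse_squid(line):
    m = SQUID_RE.match(line)
    if not m:
        raise ValueError("not a Kerio Squid-format HTTP log record: %r" % line)
    rec = m.groupdict()
    # Seconds.milliseconds since the Unix epoch, returned here as an aware UTC datetime
    rec["time"] = datetime.fromtimestamp(float(rec.pop("ts")), tz=timezone.utc)
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    for k in ("duration", "status", "size"):
        rec[k] = int(rec[k])
    return rec

def parse_line(line):
    # Only a Squid record starts with a fractional epoch timestamp; an IPv4 address has three dots
    return parse_squid(line) if re.match(r'^\d+\.\d+ ', line) else parse_apache(line)
```

Because the Apache-format timestamp carries its UTC offset while the Squid timestamp is epoch-based, both parsers return aware datetimes, so records from either format can be correlated on one timeline.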