Using the Filter log

Logs keep information records of selected events occurred in or detected by Kerio Control. For more information refer to Using and configuring logs.

The Filter log gathers information on web pages and objects blocked/allowed by the HTTPHypertext Transfer Protocol - protocol for exchange of hypertext documents in HTML. and FTPFile Transfer Protocol - Protocol for transferring computer files from a server. filters and on packets matching traffic rules with the Log packets option enabled or meeting other conditions (e.g. logging of UPnP traffic).

Each log line includes the following information depending on the component which generated the log:

  • When an HTTP or FTP rule is applied: rule name, user, IP addressAn identifier assigned to devices connected to a TCP/IP network. of the host which sent the request and object's URL.
  • When a traffic rule is applied: detailed information about the packet that matches the rule (rule name, source and destination address, ports, size, etc.). Format of the logged packets is defined by template which can be edited through the Filter log context menu. Detailed help is available in the dialog for template definition.

Selection of information monitored by the Filter log

For logging network traffic a template is used which defines which information will be recorded and what format will be used for the log. This helps make the log more transparent and reduce demands on disk space. To configure the template:

  1. In the administration interface, go to Logs > Filter.
  2. In the context menu, click Format of logged packets.
  3. Type an expression.
  4. Click OK.

For more information refer to Log packet formatting.

Reading the Filter log

Example of a URL rule log message

[18/Apr/2013 13:39:45] ALLOW URL 'Kerio Antivirus update' standa HTTP GET

  • [18/Apr/2013 13:39:45] date and time when the event was logged
  • ALLOW — action that was executed (ALLOW = access allowed, DENY = access denied)
  • URL — rule type (for URL or FTP)
  • 'Kerio Antivirus update' — rule name
  • — IP address of the client
  • jsmith — name of the user authenticated on the firewall (no name is listed unless at least one user is logged in from the particular host)
  • HTTP GET — HTTP method used in the request
  • http:// ... — requested URL

Packet log example

[16/Apr/2013 10:51:00] PERMIT 'Local traffic' packet to LANLocal area network - A network that connects computers and other devices in a small area., proto:TCPTransmission Control Protocol - ensures packet transmission., len:47, ip/port: -, flags: ACK PSH, seq:1099972190 ack:3795090926, win:64036, tcplen:7

  • [16/Apr/2013 10:51:00] — date and time when the event was logged
  • PERMIT — action that was executed with the packet (PERMIT, DENY orDROP)
  • Local traffic — the name of the traffic rule that was matched by the packet
  • packet to — packet direction (eitherto or from a particular interface)
  • LAN — name of the interface on which the traffic was detected
  • proto: — transport protocol (TCP, UDPUser Datagram Protocol - ensures packet transmission., etc.)
  • len: — packet size in bytes (including the headers) in bytes
  • ip/port: — source IP address, source port, destination IP address and destination port
  • flags: — TCP flags
  • seq: — sequence number of the packet (TCP only)
  • ack: — acknowledgement sequence number (TCP only)
  • win: — size of the receive window in bytes (it is used for data flow control TCP only)
  • tcplen: — TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only)