Using the Http log

Logs keep records of selected events that occurred in or were detected by Kerio Control. For more information about configuring and using logs, see the article Configuring and using logs in Kerio Control.

This log contains all Http requests that were processed by the Http inspection module or by the built-in proxy server.

The Http log uses the standard format of either the Apache WWW server (see http://www.apache.org/) or the Squid proxy server (see http://www.squid-cache.org/).

The format of the log can be set through the context menu. The change takes effect with the next new log record (it is not possible to convert existing records).

NOTE

  1. Only accesses to allowed pages are recorded in the Http log. Requests that were blocked by content rules are logged to the Filter log, if the Log option is enabled in the particular rule.
  2. The Http log is intended to be processed by external analytical tools. The Web log is better suited to be viewed by the Kerio Control administrator.

Reading the Http log

An example of an Http log record in the Apache format

192.168.64.64 - jsmith [18/Apr/2013:15:07:17 +0200] "GET http://www.kerio.com/ HTTP/1.1" 304 0 +4

  • 192.168.64.64 — IP address of the client host
  • jsmith — name of the user authenticated through the firewall (a dash is displayed if no user is authenticated through the client)
  • [18/Apr/2013:15:07:17 +0200] — date and time of the HTTP request. The +0200 value represents time difference from the UTC standard (+2 hours are used in this example — CET).
  • GET — used HTTP method
  • http://www.kerio.com — requested URL
  • HTTP/1.1 — version of the HTTP protocol
  • 304 — return code of the HTTP protocol
  • 0 — size of the transferred object (file) in bytes
  • +4 — count of HTTP requests transferred through the connection

An example of an Http log record in the Squid format

1058444114.733 0 192.168.64.64 TCP_MISS/304 0 GET http://www.squid-cache.org/ - DIRECT/206.168.0.9

  • 1058444114.733 — timestamp (seconds and milliseconds since January 1st, 1970)
  • 0 — download duration (not measured in Kerio Control, always set to zero)
  • 192.168.64.64 — IP address of the client (i.e. of the host from which the client is connected to the website)
  • TCP_MISS — the TCP protocol was used and the particular object was not found in the cache (missed). Kerio Control always uses this value for this field.
  • 304 — return code of the HTTP protocol
  • 0 — transferred data amount in bytes (HTTP object size)
  • GET http://www.squid-cache.org/ — the HTTP request (HTTP method and URL of the object)
  • DIRECT — the WWW server access method (Kerio Control always uses direct access)
  • 206.168.0.9 — IP address of the WWW server
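As an added example (not part of the Kerio documentation), a small Python parser for both record formats shown above, useful when feeding the log to an external tool. The two sample lines are reconstructed from the page's examples, and the field names are my own choice.

```python
import re
from datetime import datetime, timezone

# Sample records constructed from the two examples on this page (not captured from a live system).
APACHE_LINE = ('192.168.64.64 - jsmith [18/Apr/2013:15:07:17 +0200] '
               '"GET http://www.kerio.com/ HTTP/1.1" 304 0 +4')
SQUID_LINE = ('1058444114.733 0 192.168.64.64 TCP_MISS/304 0 '
              'GET http://www.squid-cache.org/ - DIRECT/206.168.0.9')

# Apache-style record: client ident user [time] "method url proto" status size +requests
APACHE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+)'
    r'(?: \+(?P<requests>\d+))?$')
# Squid-style record: timestamp elapsed client result/status size method url user peer/server
SQUID_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) (?P<elapsed>\d+) (?P<client>\S+) (?P<result>[A-Z_]+)/(?P<status>\d{3}) '
    r'(?P<size>\d+) (?P<method>\S+) (?P<url>\S+) (?P<user>\S+) (?P<peer>[A-Z_]+)/(?P<server>\S+)$')

def parse_apache(line):
    # Returns a dict of fields, or None when the line is not an Apache-format record.
    m = APACHE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['time'] = datetime.strptime(d['time'], '%d/%b/%Y:%H:%M:%S %z')  # %z keeps the +0200 offset
    d['user'] = None if d['user'] == '-' else d['user']                # dash = nobody authenticated
    d['status'], d['size'] = int(d['status']), int(d['size'])
    d['requests'] = int(d['requests']) if d['requests'] else None      # the trailing +N field
    return d

def parse_squid(line):
    # Returns a dict of fields, or None when the line is not a Squid-format record.
    m = SQUID_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['time'] = datetime.fromtimestamp(float(d['ts']), tz=timezone.utc)  # epoch seconds.millis
    d['user'] = None if d['user'] == '-' else d['user']
    d['status'], d['size'], d['elapsed'] = int(d['status']), int(d['size']), int(d['elapsed'])
    return d

def parse_line(line):
    # Both formats can appear in one file because a format switch only affects new records.
    d = parse_squid(line) if re.match(r'\d+\.\d+ ', line) else parse_apache(line)
    if d is not None:
        d['format'] = 'squid' if 'ts' in d else 'apache'
    return d
```

Lines that match neither pattern come back as None, so a collector can count and set them aside instead of silently dropping them.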