Using the Http log
Logs keep information records of selected events occurred in or detected by Kerio Control. For more information about configuring and using logs, see article Configuring and using logs in Kerio Control.
This log contains all Http requests that were processed by the Http inspection module or by the built-in proxy server.
Http log has the standard format of either the Apache WWW server (see http://www.apache.org/) or of the Squid proxy server (see http://www.squid-cache.org/).
Format of the log can be set through the context menu. The change will take effect with the next new log record (it is not possible convert existing records).
NOTE
- Only accesses to allowed pages are recorded in the Http log. Request that were blocked by content rules are logged to the Filter log, if the Log option is enabled in the particular rule.
- The Http log is intended to be processes by external analytical tools. The Web log is better suited to be viewed by the Kerio Control administrator.
Reading the Http log
An example of an Http log record in the Apache format
192.168.64.64 - jsmith
[18/Apr/2013:15:07:17 +0200] "GET
http://www.kerio.com/ HTTPHypertext Transfer Protocol - protocol for exchange of hypertext documents in HTML./1.1" 304 0 +4
192.168.64.64— IP addressAn identifier assigned to devices connected to a TCP/IP network. of the client hostjsmith— name of the user authenticated through the firewall (a dash is displayed if no user is authenticated through the client)[18/Apr/2013:15:07:17 +0200]— date and time of the HTTP request. The+0200value represents time difference from the UTC standard (+2 hours are used in this example — CET).GET— used HTTP methodhttp://www.kerio.com— requested URLHTTP/1.1— version of the HTTP protocol304— return code of the HTTP protocol0— size of the transferred object (file) in bytes+4— count of HTTP requests transferred through the connection
An example of Http log record in the Squid format
1058444114.733 0 192.168.64.64 TCPTransmission Control Protocol - ensures packet transmission._MISS/304 0
GET http://www.squid-cache.org/ - DIRECT/206.168.0.9
1058444114.733— timestamp (seconds and milliseconds since January 1st, 1970)0— download duration (not measured in Kerio Control, always set to zero)192.168.64.64— IP address of the client (i.e. of the host from which the client is connected to the website)TCP_MISS— the TCP protocol was used and the particular object was not found in the cache (missed). Kerio Control always uses this value for this field.304— return code of the HTTP protocol0— transferred data amount in bytes (HTTP object size)GET http://www.squid-cache.org/— the HTTP request (HTTP method and URL of the object)DIRECT— the WWW server access method (Kerio Control always uses direct access)206.168.0.9— IP address of the WWW server