Using the Security log

Logs keep records of selected events that occurred in or were detected by Kerio Control. For more information about configuring and using logs, see the article Configuring and using logs in Kerio Control.

The Security log is a log for security-related messages.

Reading the Security log

Records of the following types may appear in the log:

Intrusion prevention system logs

Records of detected intrusions or traffic from IP addresses included in web databases of known intruders (blacklists).

[02/Mar/2013 08:54:38] IPS: Packet drop, severity: High, Rule ID: 1:2010575 ET TROJAN ASProtect/ASPack Packed Binary, proto:TCP, ip/port:95.211.98.71:80(hosted-by.example.com) > 192.168.48.131:49960(wsmith-pc.company.com,user:wsmith)

  • IPS: Packet drop — the action configured for this intrusion was Log and drop (with the Log action, the record reads IPS: Alert instead)
  • severity: High — severity level
  • Rule ID: 1:2010575 — numeric identifier of the intrusion (this number is what you use to define an exception in the intrusion prevention system's advanced settings)
  • ET TROJAN ASProtect/ASPack... — intrusion name and description (only available for some intrusions)
  • proto:TCP — traffic protocol used
  • ip/port:95.211.98.71:80(hosted-by.example.com) — source IP address and port of the detected packet; the brackets give the DNS name of that host, if it can be resolved
  • > 192.168.48.131:49960(wsmith-pc.company.com,user:wsmith) — destination IP address and port of the detected packet; the brackets give the DNS name of the host (if resolvable) and/or the name of the user logged in to the firewall from that local host
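The record layout above is regular enough to parse mechanically, which is what you want when deciding whether a Rule ID fires often enough to deserve an exception. The following Python is an added example, not Kerio Control's own code or format specification: it assumes the field order shown in the sample record, treats the intrusion name and the bracketed host/user suffixes as optional (the page says the name is only present for some intrusions), and runs over constructed sample lines.

```python
import re
from collections import Counter
from datetime import datetime

# Regex for the IPS record layout shown above (assumed from the sample record).
# The intrusion name after the Rule ID is optional, as are the parenthesised
# host and host,user:name suffixes after each address.
IPS_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] IPS: (?P<action>Packet drop|Alert), "
    r"severity: (?P<severity>\w+), "
    r"Rule ID: (?P<rule_id>\d+:\d+)(?: (?P<name>[^,]+))?, "
    r"proto:(?P<proto>\w+), "
    r"ip/port:(?P<src_ip>[\d.]+):(?P<src_port>\d+)(?:\((?P<src_info>[^)]*)\))? > "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)(?:\((?P<dst_info>[^)]*)\))?$"
)


def _split_host_user(info):
    """Split a bracketed 'host,user:name' suffix into (host, user); either may be None."""
    host = user = None
    if info:
        for part in info.split(","):
            if part.startswith("user:"):
                user = part[len("user:"):]
            elif part:
                host = part
    return host, user


def parse_ips_record(line):
    """Return the fields of one IPS record as a dict, or None if the line is not an IPS record."""
    m = IPS_RE.match(line.strip())
    if m is None:
        return None
    src_host, _ = _split_host_user(m.group("src_info"))
    dst_host, user = _split_host_user(m.group("dst_info"))
    return {
        "timestamp": datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S"),
        "action": m.group("action"),      # "Packet drop" (Log and drop) or "Alert" (Log)
        "severity": m.group("severity"),
        "rule_id": m.group("rule_id"),    # the identifier used when defining IPS exceptions
        "name": m.group("name"),
        "proto": m.group("proto"),
        "src_ip": m.group("src_ip"),
        "src_port": int(m.group("src_port")),
        "src_host": src_host,
        "dst_ip": m.group("dst_ip"),
        "dst_port": int(m.group("dst_port")),
        "dst_host": dst_host,
        "user": user,
    }


def drops_by_rule(lines):
    """Count 'Packet drop' records per Rule ID; lines that are not IPS records are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_ips_record(line)
        if rec is not None and rec["action"] == "Packet drop":
            counts[rec["rule_id"]] += 1
    return counts


# Constructed sample records in the layout shown above (not from a real installation).
SAMPLE_IPS_LINES = [
    "[02/Mar/2013 08:54:38] IPS: Packet drop, severity: High, Rule ID: 1:2010575 ET TROJAN ASProtect/ASPack Packed Binary, proto:TCP, ip/port:95.211.98.71:80(hosted-by.example.com) > 192.168.48.131:49960(wsmith-pc.company.com,user:wsmith)",
    "[02/Mar/2013 09:01:02] IPS: Alert, severity: Medium, Rule ID: 1:2010575 ET TROJAN ASProtect/ASPack Packed Binary, proto:TCP, ip/port:95.211.98.71:80 > 192.168.48.140:50112(jdoe-pc.company.com,user:jdoe)",
    "[02/Mar/2013 09:05:44] IPS: Packet drop, severity: High, Rule ID: 1:2010575 ET TROJAN ASProtect/ASPack Packed Binary, proto:TCP, ip/port:95.211.98.71:80(hosted-by.example.com) > 192.168.48.131:49988(wsmith-pc.company.com,user:wsmith)",
    "[02/Mar/2013 09:06:10] Engine: Startup",  # not an IPS record: parse_ips_record() returns None
]

if __name__ == "__main__":
    for line in SAMPLE_IPS_LINES:
        print(parse_ips_record(line))
    print(drops_by_rule(SAMPLE_IPS_LINES))
```

The per-rule counter is the useful part: before adding an exception for a Rule ID, check how many drops it produced, from which sources and towards which local hosts and users, so that a noisy but genuine detection is not silenced along with a false positive.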

Anti-spoofing log records

Messages about packets that were captured by the Anti-spoofing module (packets with an invalid source IP address for the interface they arrived on).

[17/Jul/2013 11:46:38] Anti-Spoofing: Packet from LAN, proto:TCP, len:48, ip/port:61.173.81.166:1864 > 195.39.55.10:445, flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0

  • Packet from — packet direction (either from, i.e. sent via the interface, or to, i.e. received via the interface)
  • LAN — name of the interface on which the traffic was detected
  • proto: — transport protocol (TCP, UDP, etc.)
  • len: — packet size in bytes (including the headers)
  • ip/port: — source IP address, source port, destination IP address and destination port
  • flags: — TCP flags
  • seq: — sequence number of the packet (TCP only)
  • ack: — acknowledgement sequence number (TCP only)
  • win: — size of the receive window in bytes (used for TCP flow control; TCP only)
  • tcplen: — TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only)
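An anti-spoofing record says that a packet carried a source address that does not belong on the interface it was seen on. When reviewing these records it helps to parse them, rank the offending sources, and re-check each source against the address ranges you expect on that interface. The Python below is an added example, not Kerio Control's own code: the record layout is assumed from the sample above, the TCP-only fields are optional so that records for other protocols also parse, the UDP line is constructed, and the interface-to-network mapping is an assumption for illustration (the LAN range is borrowed from the IPS example's destination host).

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Fixed leading part of the record (assumed from the sample above). Everything after the
# ip/port pair goes into 'tail' and is split separately, because the page marks those
# fields as TCP-only.
ANTISPOOF_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Anti-Spoofing: Packet (?P<direction>from|to) (?P<iface>[^,]+), "
    r"proto:(?P<proto>\w+), len:(?P<len>\d+), "
    r"ip/port:(?P<src_ip>[\d.]+):(?P<src_port>\d+) > (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
    r"(?P<tail>.*)$"
)
# Trailing fields look like "flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0";
# note that seq and ack are separated by a space, not a comma.
TAIL_FIELD_RE = re.compile(
    r"(flags|seq|ack|win|tcplen):\s*([^,]+?)(?=\s(?:flags|seq|ack|win|tcplen):|,|$)"
)

# Assumed interface -> expected source networks mapping (hypothetical configuration).
ASSUMED_INTERFACE_NETWORKS = {"LAN": ["192.168.48.0/24"]}


def parse_antispoof_record(line):
    """Return the fields of one Anti-Spoofing record as a dict, or None for any other line."""
    m = ANTISPOOF_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "timestamp": datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S"),
        "direction": m.group("direction"),   # "from" = sent via the interface, "to" = received
        "iface": m.group("iface"),
        "proto": m.group("proto"),
        "len": int(m.group("len")),
        "src_ip": m.group("src_ip"),
        "src_port": int(m.group("src_port")),
        "dst_ip": m.group("dst_ip"),
        "dst_port": int(m.group("dst_port")),
        "flags": [],                          # TCP flags as a list, empty for non-TCP records
    }
    for key, value in TAIL_FIELD_RE.findall(m.group("tail")):
        if key == "flags":
            rec["flags"] = value.split()
        else:
            rec[key] = int(value)             # seq, ack, win, tcplen
    return rec


def source_belongs_to_interface(rec, iface_networks):
    """True if the record's source address lies in one of the networks expected on its interface."""
    src = ipaddress.ip_address(rec["src_ip"])
    return any(src in ipaddress.ip_network(n) for n in iface_networks.get(rec["iface"], []))


def top_spoofed_sources(lines, n=5):
    """Rank (interface, source IP) pairs by number of anti-spoofing records."""
    counts = Counter()
    for line in lines:
        rec = parse_antispoof_record(line)
        if rec is not None:
            counts[(rec["iface"], rec["src_ip"])] += 1
    return counts.most_common(n)


# Constructed sample lines: the first is the record from the page, the others follow its layout.
SAMPLE_ANTISPOOF_LINES = [
    "[17/Jul/2013 11:46:38] Anti-Spoofing: Packet from LAN, proto:TCP, len:48, ip/port:61.173.81.166:1864 > 195.39.55.10:445, flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0",
    "[17/Jul/2013 11:47:02] Anti-Spoofing: Packet from LAN, proto:UDP, len:78, ip/port:61.173.81.166:1024 > 195.39.55.10:53",
    "[17/Jul/2013 11:47:15] Anti-Spoofing: Packet from LAN, proto:TCP, len:48, ip/port:10.99.0.7:2048 > 195.39.55.10:445, flags: SYN, seq:1 ack:0, win:8192, tcplen:0",
]

if __name__ == "__main__":
    for line in SAMPLE_ANTISPOOF_LINES:
        rec = parse_antispoof_record(line)
        print(rec["src_ip"], rec["proto"], rec["flags"],
              "expected on", rec["iface"], source_belongs_to_interface(rec, ASSUMED_INTERFACE_NETWORKS))
    print(top_spoofed_sources(SAMPLE_ANTISPOOF_LINES))
```

A source that repeatedly shows up in these records from the LAN side with an address outside the LAN ranges usually means either a misconfigured host (a second interface, a VPN client leaking its remote address) or a machine sending forged packets; the flags, sequence number and window fields help tell a real connection attempt from hand-crafted traffic.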

FTP protocol parser log records

Example 1

[17/Jul/2013 11:55:14] FTP: Bounce attack attempt: client: 1.2.3.4, server: 5.6.7.8, command: PORT 10,11,12,13,14,15

(attack attempt detected — a foreign IP address in the PORT command)

Example 2

[17/Jul/2013 11:56:27] FTP: Malicious server reply: client: 1.2.3.4, server: 5.6.7.8, response: 227 Entering Passive Mode (10,11,12,13,14,15)

(suspicious server reply with a foreign IP address)
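Both FTP records rest on the same check: the address encoded in a PORT command must be the client's own, and the address in a 227 passive-mode reply must be the server's own. The Python below is an added example, not Kerio Control's parser: it decodes the h1,h2,h3,h4,p1,p2 form from RFC 959, applies the two checks, and parses the two record types shown above (layout assumed from those examples) so that the verdict can be re-derived from the command or reply embedded in each record.

```python
import re
from datetime import datetime

# Record layout assumed from the two examples above.
FTP_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] FTP: (?P<kind>Bounce attack attempt|Malicious server reply): "
    r"client: (?P<client>[\d.]+), server: (?P<server>[\d.]+), "
    r"(?P<field>command|response): (?P<text>.+)$"
)
# The h1,h2,h3,h4,p1,p2 form used by the PORT command and the 227 reply (RFC 959).
HOST_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_host_port(text):
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 group in text, or None if absent/invalid."""
    m = HOST_PORT_RE.search(text)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def is_bounce_attempt(client_ip, command):
    """True when a PORT command names an address other than the client's own (Example 1)."""
    if not command.upper().startswith("PORT "):
        return False
    parsed = parse_host_port(command)
    return parsed is not None and parsed[0] != client_ip


def is_malicious_pasv_reply(server_ip, response):
    """True when a 227 reply directs the client to an address other than the server's own (Example 2)."""
    if not response.startswith("227"):
        return False
    parsed = parse_host_port(response)
    return parsed is not None and parsed[0] != server_ip


def parse_ftp_record(line):
    """Parse one FTP parser record and re-derive the foreign-address verdict from its payload."""
    m = FTP_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "timestamp": datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S"),
        "kind": m.group("kind"),
        "client": m.group("client"),
        "server": m.group("server"),
        "field": m.group("field"),
        "text": m.group("text"),
    }
    if rec["field"] == "command":
        rec["foreign_address"] = is_bounce_attempt(rec["client"], rec["text"])
    else:
        rec["foreign_address"] = is_malicious_pasv_reply(rec["server"], rec["text"])
    return rec


# The two records from the page (addresses as given there).
SAMPLE_FTP_LINES = [
    "[17/Jul/2013 11:55:14] FTP: Bounce attack attempt: client: 1.2.3.4, server: 5.6.7.8, command: PORT 10,11,12,13,14,15",
    "[17/Jul/2013 11:56:27] FTP: Malicious server reply: client: 1.2.3.4, server: 5.6.7.8, response: 227 Entering Passive Mode (10,11,12,13,14,15)",
]

if __name__ == "__main__":
    for line in SAMPLE_FTP_LINES:
        print(parse_ftp_record(line))
```

One caveat when reading these records: a client behind NAT that sends its private address in PORT also fails the comparison against the control connection's peer address, so a bounce record from an internal client is sometimes an active-mode FTP client without NAT support rather than an attack; the pair of addresses in the record is what lets you tell the two apart.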

Failed user authentication log records

Message format:

Authentication: Service: Client: IP address: reason

  • service — the Kerio Control service to which the client connects
  • IP address — IP address of the computer from which the user attempted to authenticate
  • reason — reason for the authentication failure (nonexistent user or wrong password)

Information about the start and shutdown of the Kerio Control Engine and some Kerio Control components

Start and shutdown of the Kerio Control Engine:

[17/Jun/2013 12:11:33] Engine: Startup

[17/Jun/2013 12:22:43] Engine: Shutdown

Start and shutdown of the Intrusion Prevention Engine:

[28/Jun/2013 10:58:58] Intrusion Prevention engine: Startup

[28/Jun/2013 11:18:52] Intrusion Prevention engine: Shutdown

Updating components

Kerio Control uses updatable components (the antivirus engine and its signatures, Intrusion Prevention signatures and blacklists). Updates of these components are logged in the Security log:

[09/Jul/2013 17:00:58] IPS: Basic rules successfully updated to version 1.176

[10/Jul/2013 11:56:18] Antivirus update: Kerio Antivirus database has been successfully updated. Kerio Antivirus engine version/Signature count: (AVCORE v2.1 Linux/x86_64 11.0.1.12 (Sep 29, 2016)/8528221) is now active.