Security log, 11 security log – Kerio Tech KERIO WINROUTE FIREWALL 6 User Manual
Page 278
Chapter 22
Logs
278
An example of an HTTP log record in the Apache format
192.168.64.64 - jflyaway
[18/Apr/2008:15:07:17 +0200]
"GET http://www.kerio.com/ HTTP/1.1" 304 0 +4
•
192.168.64.64
— IP address of the client host
•
rgabriel
— name of the user authenticated through the firewall (a dash is displayed
if no user is authenticated through the client)
•
[18/Apr/2008:15:07:17 +0200]
— date and time of the HTTP request. The +0200
value represents time difference from the UTC standard (+2 hours are used in this
example — CET).
•
GET
— used HTTP method
•
http://www.kerio.com
— requested URL
•
HTTP/1.1
— version of the HTTP protocol
•
304
— return code of the HTTP protocol
•
0
— size of the transferred object (file) in bytes
•
+4
— count of HTTP requests transferred through the connection
An example of Http log record in the Squid format
1058444114.733 0 192.168.64.64 TCP_MISS/304 0
GET http://www.squid-cache.org/ - DIRECT/206.168.0.9
•
1058444114.733
— timestamp (seconds and milliseconds since January 1st, 1970)
•
0
— download duration (not measured in WinRoute, always set to zero)
•
192.168.64.64
— IP address of the client (i.e. of the host from which the client is
connected to the website)
•
TCP_MISS
— the TCP protocol was used and the particular object was not found in the
cache (“missed”). WinRoute always uses this value for this field.
•
304
— return code of the HTTP protocol
•
0
— transferred data amount in bytes (HTTP object size)
•
GET http://www.squid-cache.org/
— the HTTP request (HTTP method and URL of
the object)
•
DIRECT
— the WWW server access method (WinRoute always uses DIRECT access)
•
206.168.0.9
— IP address of the WWW server
22.11 Security Log
A log for security-related messages. Records of the following types may appear in the log:
1.
Anti-spoofing log records
Messages about packets that where captured by the Anti-spoofing module (packets with
invalid source IP address — see section
for details)