Chapter 22 Logs
An example of an HTTP log record in the Apache format:

192.168.64.64 - jflyaway [18/Apr/2008:15:07:17 +0200] "GET http://www.kerio.com/ HTTP/1.1" 304 0 +4

• 192.168.64.64 — IP address of the client host
• rgabriel — name of the user authenticated through the firewall (a dash is displayed if no user is authenticated through the client)
• [18/Apr/2008:15:07:17 +0200] — date and time of the HTTP request. The +0200 value represents the time difference from the UTC standard (+2 hours are used in this example — CET).
• GET — HTTP method used
• http://www.kerio.com — requested URL
• HTTP/1.1 — version of the HTTP protocol
• 304 — return code of the HTTP protocol
• 0 — size of the transferred object (file) in bytes
• +4 — count of HTTP requests transferred through the connection
An example of an HTTP log record in the Squid format:

1058444114.733 0 192.168.64.64 TCP_MISS/304 0 GET http://www.squid-cache.org/ - DIRECT/206.168.0.9

• 1058444114.733 — timestamp (seconds and milliseconds since January 1st, 1970)
• 0 — download duration (not measured in WinRoute, always set to zero)
• 192.168.64.64 — IP address of the client (i.e. of the host from which the client is connected to the website)
• TCP_MISS — the TCP protocol was used and the particular object was not found in the cache ("missed"). WinRoute always uses this value for this field.
• 304 — return code of the HTTP protocol
• 0 — transferred data amount in bytes (HTTP object size)
• GET http://www.squid-cache.org/ — the HTTP request (HTTP method and URL of the object)
• DIRECT — the WWW server access method (WinRoute always uses DIRECT access)
• 206.168.0.9 — IP address of the WWW server
22.11 Security Log

A log for security-related messages. Records of the following types may appear in the log:
1. Anti-spoofing log records
Messages about packets that were captured by the Anti-spoofing module (packets with an invalid source IP address — see section 17.2 for details)