Logs, Log settings, Filename.log, 275 | Kerio Tech Firewall6

Chapter 20

Logs

Logs are ﬁles where history of certain events performed through or detected by WinRoute are recorded and kept. Each log is displayed in a window in the Logs section.

Each event is represented by one record line. Each line starts with a time mark in brack- ets (date and time when the event took place, in seconds). This mark is followed by an information, depending on the log type. If the record includes a URL, it is displayed as a hypertext link. Follow the link to open the page in your default browser.

Optionally, records of each log may be recorded in ﬁles on the local disk7 and/or on the Syslog server.

Locally, the logs are saved in the ﬁles under the logs subdirectory where WinRoute is installed. The ﬁle names have this pattern:

file_name.log

(e.g. debug.log). Each log includes an .idx ﬁle, i.e. an indexing ﬁle allowing faster access to the log when displayed in Administration Console.

Individual logs can be rotated — after a certain time period or when a threshold of the ﬁle size is reached, log ﬁles are stored and new events are logged to a new (empty) ﬁle.

Administration Console allows to save a selected log (or its part) in a ﬁle as plaintext or in HTML. The log saved can be analysed by various tools, published on web servers, etc.

20.1 Log settings

Log parameters (ﬁle names, rotation, sending to a Syslog server) can be set in the Con- ﬁguration → Accounting section. In this section of the guide an overview of all logs used by WinRoute are provided.

Double-click on a selected log (or select a log and click on the Edit button) to open a dialog where parameters for the log can be set.

Note: If the log is not saved in a ﬁle on the disk, only records generated since the last login to WinRoute Firewall Engine will be shown in the Administration Console. After logout (or closing of Administration Console), the records will be lost.

7Local disk is a disk of the computer where WinRoute is installed, not a computer where Administration Console is running!

275

Image 275

Kerio Tech Firewall6 manual Logs, Log settings, Filename.log, 275

Contents

Kerio Technologies Administrator’s GuidePage Contents 113 Remote Administration and Update Checks 209 Kerio Clientless SSL-VPN 355 393 Quick Checklist Page Kerio WinRoute Firewall Basic FeaturesIntroduction Kerio WinRoute Firewall Additional Features User quotas Antivirus controlTransparent support for Active Directory Email alerts Port collision Conﬂicting softwareClientless SSL-VPN Collision of low-level drivers Antivirus applications System requirements InstallationInstallation Steps to be taken before the installation Installation and Basic Conﬁguration Guide Custom installation selecting optional components Protection of the installed product Conﬂicting Applications and System Services WinRoute Engine Monitor WinRoute ComponentsWinRoute Firewall Engine WinRoute Engine Monitor Kerio Administration ConsoleWinRoute Engine Monitor Upgrade and Uninstallation Typically the path C\Program Files\Kerio\WinRoute Firewall Upgrade and UninstallationUninstallation Conﬁguration Wizard Upgrade from WinRoute ProUpdate Checker Setting of administration username and password Remote IP address Remote AccessEnable remote access Initial conﬁguration Allowing remote administration Administration Window WinRoute Administration Help menu WinRoute AdministrationAdministration Window Main menu File Detection of WinRoute Firewall Engine connection drop-out Administration WindowStatus bar Column customization in Interfaces View Settings View Settings License types optional components Product Registration and LicensingLicense types and number of users Deciding on a number of users licenses License types and number of users Homepage License informationProduct Copyright Number of users License IDSubscription expiration date Product expiration date Registration of the trial version Registration of the product in the Administration Console Trial version registration security code Registration of the product in the Administration Console Trial version registration other information Trial version registration Trial ID Registration of the purchased product Product Registration and Licensing Registration of the product in the Administration Console 10 Product registration user information 12 Product registration summary Update of registration information Product registration at the website Subscription / Update Expiration Bubble alerts Subscription / Update Expiration 15 The notice that the subscription has already expired User counter License counter User counterStart WinRoute License release IP Address and Mask Settings for Interfaces and Network ServicesNetwork interfaces Interface Modify Dial or Hang Up /Enebale, DisableAdapter info Add VPN server RefreshSpecial interfaces Dial-In Interface type selection Bind this interface RAS Entry Use login data from the RAS entryUse the following login data Interface name Dial-up demand dial Connection Advanced Hangup if idle Edit Interface parameters Connection Failover Current connection Connection Failover SetupEnable automatic connection failover Connection Failover Conﬁguration of primary and secondary Internet connection Dial-up Use Primary connectionSecondary connection DNS Forwarder conﬁguration DNS Forwarder DNS forwarding Enable DNS forwardingDNS Forwarder Use custom forwarding Enable cache for faster response of repeated queriesEnable DNS forwarding Clear cache 10 Speciﬁc settings of DNS forwarding 11 DNS forwarding a new rule Simple DNS resolution Combine the name ... with DNS domain Before forwarding a query Dhcp server Deﬁnition of Scopes and Reservations Dhcp serverDhcp Server Conﬁguration Domain Lease timeDNS server Wins server 15 Dhcp server IP scopes deﬁnition Description Exclusions First address, Last addressSubnet mask Parameters 00bca5f21e50 Lease Reservations Leases Bc-a5-f2-1e-50 20 Dhcp server list of leased and reserved IP addresses Windows RAS Dhcp server advanced options Declined options Proxy server Proxy Server Conﬁguration Enable non-transparent proxy serverProxy server 22 Http proxy server settings Enable connection to any TCP port Http//192.168.1.13128/pac/proxy.pac Forward to parent proxy server Http protocol TTL Enable cache on transparent proxyEnable cache on proxy server Http cache Cache size Http cache Cache Options Memory cache sizeMax Http object size URL URL Speciﬁc Settings TTL Cache status and administration 26 Http cache administration dialog Network Rules Wizard Traﬃc Policy Selection of Internet connection type Network Rules WizardInformation Network Policy Wizard selection of a connected adapter Network adapter or dial-up selection Allow access to all services Internet access limitations Enabling Kerio VPN traﬃc Allow access to the following services only Service Service is running on Generating the rules NAT Icmp traﬃc Rules Created by the Wizard Local Traﬃc Firewall Traﬃc Name How traﬃc rules workDeﬁnition of Custom Traﬃc Rules 12 Traﬃc rule name, color and rule description Source, Destination IP range e.g Deﬁnition of Custom Traﬃc Rules 100 Service 101 Action 102 Log 103 Translation 20 Traﬃc rule destination address translation 104 105 Valid onProtocol inspector Destination Basic Traﬃc Rule TypesIP Translation NAT Source 107 TranslationPlacing the rule Port mapping 108 109 Limiting Internet AccessMultihoming 110 111 Exclusions 112 Speed limits for users with their quota exceeded How the bandwidth limiter works and how to use itSpeed limits for big data volumes transmissions Bandwidth Limiter 114 Setting limit valuesBandwidth Limiter conﬁguration Bandwidth Limiter 115 ServicesAdvanced Options 116 IP Addresses and Time Interval 117 Bandwidth Limiter selection of network services 118 Detection of connections with large data volume transferred 119 Detection of connections with large data volume transferredExamples 120 121 User AuthenticationFirewall User Authentication 122 User AuthenticationUser authentication advanced options Automatic authentication Ntlm Firewall User AuthenticationRedirection to the authentication Enable non-transparent proxy server authentication 124 Automatically logout users when they are inactive Web Interface Parameters Conﬁguration Enable Kerio SSL-VPN serverEnable Web Interface Http Web Interface WinRoute server name Enable secured Web Interface HttpsAllow access only from these IP addresses Web Interface 127 Conﬁguration of ports of the Web Interface 128 SSL Certiﬁcate for the Web InterfaceGenerate or Import Certiﬁcate SSL certiﬁcate of WinRoute’s Web interface 129 130 Login/logoutWeb Interface Language Preferences Users logged 131 Login/logoutDrdolittle@usoffice.company.com 132 User password authenticationLog out 133 Status information and user statisticsStatus information and user statistics 134 User preferences 135 Save settingsUser preferences 136 10 Editing user password 137 Http protocolFTP protocol 138 Conditions for Http and FTP ﬁlteringURL Rules 139 URL Rules 140 URL Rules Deﬁnition 141 If user accessing the URL isURL matches criteria 142 Allow access to the Web site Denial options Valid at time intervalValid for IP address group Valid if Mime type is 144 WWW content scanning optionsScan content for viruses according to scanning rules Deny Web pages containing 145 Http Inspection Advanced Options 146 Global rules for Web elementsAllow Html ActiveX objects Allow Script Html tags Allow cross-domain referrer Content Rating System ISS OrangeWeb FilterAllow Html JavaScript pop-up windows Allow applet Html tags 148 ISS OrangeWeb Filter conﬁguration ISS OrangeWeb Filter Deployment Enable ISS OrangeWeb FilterCategorize each page regardless of Http rules Server ISS OrangeWeb Filter rule 150 151 Web content ﬁltering by word occurrence 152 Deﬁnition of rules ﬁltering by word occurrence 153 Word groups 154 Deﬁnition of forbidden words Keyword WeightFTP Policy Group 156 If user accessing the FTP server isFTP Rules Deﬁnition FTP server is 15 FTP Rule basic parameters 158 Content 159 160 Antivirus controlConditions and limitations of antivirus scan 161 Conditions and limitations of antivirus scan 162 How to choose and setup antivirusesAntivirus control Integrated McAfee Current virus database is Check for update every ... hoursLast update check performed ... ago Update now 164 Antivirus settingsExternal antivirus An example of a traﬃc rule for outgoing Smtp traﬃc check 165 Http and FTP scanning 167 Http and FTP scanning 168 Http and FTP scanning rulesCondition 169 Mime type 170 Email scanning 171 Email scanning 172 173 IP Address GroupsCreating and Editing IP Address Groups Type Time IntervalsDeﬁnitions Name Daily Time range typesAbsolute Weekly 176 Time Interval TypeFrom, To Valid at days 177 ServicesServices 178 ProtocolProtocol inspector 179 Source Port and Destination PortProtocol Inspectors 180 URL Groups 181 URL Groups 182 Deﬁnitions Group 183 User Accounts and GroupsInternal user database Import of user accounts from Active Directory 184 Viewing and deﬁnitions of user accountsUser Accounts and Groups Local user accounts 186 Local user accountsAccounts mapped from the Active Directory domain Edit User Full Name Local user accountsCreating a local user account Basic information Domain template AuthenticationAccount is disabled Email Address 189 NT domain / KerberosGroups 190 Access rights User can override WWW content rules No access to administrationRead only access to administration Full access to administration 192 Data transmission quotaTransfer quota 193 Content rulesQuota exceed action 194 User’s IP addresses 195 Editing User Account 196 Active DirectoryNT domain 197 Automatic import of user accounts from Active Directory 198 Manual import of user accounts 199 Active Directory domains mappingActive Directory domains mapping Domain mapping requirements 200 Domain AccessSingle domain mapping Active Directory mapping 13 Active Directory domain mapping 201 202 NT authentication supportMultiple domains mapping 16 Conversion of user accounts 203 204 User groupsUser groups Deﬁnitions 205 User groupsCreating a new local user group Name and description of the group 206 Group access rightsRead only access Group members 207 Users can override WWW content rulesUsers can connect using VPN 208 Users are allowed to use P2P networksUsers are allowed to view statistics 209 Remote Administration and Update ChecksSetting Remote Administration How to allow remote administration from the Internet 210 Update CheckingRemote Administration and Update Checks Check now Update CheckingCheck for new versions Check also for beta versions 212 213 Advanced security features15.1 P2P Eliminator P2P Eliminator Conﬁguration 214 Advanced security features 215 15.1 P2P EliminatorParameters for detection of P2P networks 216 Special Security Settings 217 Special Security SettingsAnti-Spooﬁng Connections Count Limit IPSec preferences VPN using IPSec ProtocolEnable Enable pass-through only for hosts 219 VPN using IPSec ProtocolWinRoute’s IPSec conﬁguration IPSec client in local network Traﬃc rule for one IPSec client in the local network 220 221 IPSec server in local network Routing table Other settings 223 Routing tableRoute Types Static routes Metric Deﬁnitions of Dynamic and Static RulesNetwork, Network Mask Gateway How demand dial works Demand DialDemand Dial Removing routes from the Routing Table 226 227 Technical Peculiarities and Limitations 228 Setting Rules for Demand Dial 229 Dial of local DNS names Conﬁguration of the UPnP support Enable UPnPPort mapping timeout Universal Plug-and-Play UPnP Log connections Relay Smtp serverRelay Smtp server Log packets 232 Smtp requires authenticationSpecify sender email address in From header Test 233 234 Status InformationActive hosts and connected users User Login timeLogin duration Hostname Active Hosts dialog options Detailed information on a selected host and user 238 Traﬃc information 239 Activity DescriptionConnections 240 Source, Destination 241 Histogram 242 Show connections related to the selected process 243 Show connections related to the selected process 244 Options of the Connections DialogKill connection 245 Color SettingsFont Color Background Color 246 Alerts SettingsAlerts 247 AlertsAlert 248 Alert Templates 249 \Program Files\Kerio\WinRoute Firewall\templates by defaultAlerts overview in Administration Console 13 Details of a selected event 250 251 Basic statisticsInterface statistics 252 Reset interface statisticsBasic statistics Interface Statistics menu 253 Interface statisticsRemove interface statistics Graphical view of interface load 254 User Statistics data volumes and quotas 255 User Statistics data volumes and quotasUser Statistics dialog options 256 Reset user statisticsRemove user statistics View host 257 Kerio StaR statistics and reportingMonitoring and storage of statistic data 258 Settings for statistics and quotaKerio StaR statistics and reporting Requirements of the statistics 259 Settings for statistics and quotaEnable/disable gathering of statistic data Advanced settings for statistics 260 Statistics and quota restrictions Statistics and quota accounting periods Accessing the statistics from the WinRoute hostRemote access to the statistics Connection to StaR and viewing statistics 262 StaR page in the web interface 263 Accounting period Custom accounting period 264 265 Overall ViewOverall View 266 Top Requested Web CategoriesTop 5 users 267 Used Protocol 268 269 User statisticsUser statistics 13 The Users by Traﬃc table Users by Traﬃc Top Visited Websites Top Visited Websites 272 Top Requested Web Categories 16 Top visited websites sorted by categories 273 274 275 Log settingsLogs Filename.log 276 File Logging 277 Log settingsSyslog Logging Logs Context Menu Select font Logs Context MenuFind Highlighting Log highlighting Logs EncodingLog debug Clear log Log highlighting settings 282 Debug log advanced settings Alert Log Alert Log 284 20.4 Conﬁg LogLogs 285 Connection LogConnection Log 286 Debug LogDial Log Page 288 15/Mar/2004 155912 Line Connection disconnected 289 Error LogError Log 290 ’McAfee update’ rule nameFilter Log 291 Http logHttp log 292 1058444114.733 0 192.168.64.64 TCPMISS/304 293 Security LogSecurity Log 294 Authentication service Client IP address reason 17/Dec/2004 122243 Engine Shutdown Sslvpn LogSslvpn Log 17/Dec/2004 121133 Engine Startup 24/Apr/2003 102951 192.168.44.128 james Web Log Web Log 297 298 Kerio VPN 299 VPN Server Conﬁguration IP address assignment Enable VPN serverKerio VPN General 301 SSL certiﬁcate 302 AdvancedListen on port 303 Custom Routes 304 21.2 Conﬁguration of VPN clientsBasic conﬁguration of traﬃc rules for VPN clients 305 Setting up VPN serversDeﬁnition of a tunnel to a remote server Name of the tunnel 306 Conﬁguration 307 Conﬁguration of a remote end of the tunnel 308 DNS SettingsRouting settings 309 Connection establishment 310 Traﬃc Policy Settings for VPN 311 Exchange of routing informationExchange of routing information Routing conﬁguration options 312 Update of routing tablesRoutes provided automatically 313 Example of Kerio VPN conﬁguration company with a ﬁlial oﬃceSpeciﬁcation 314 Common method 315 316 Headquarters conﬁguration 317 14 Headquarter creating default traﬃc rules for Kerio VPN 16 Headquarter DNS forwarder conﬁguration 318 319 19 Headquarters VPN server conﬁguration 320 321 LAN 322 Conﬁguration of a ﬁlial oﬃce 323 24 Filial oﬃce default traﬃc rules for Kerio VPN 25 Filial oﬃce DNS forwarder conﬁguration 324 325 28 Filial oﬃce VPN server conﬁguration 326 29 Filial oﬃce deﬁnition of VPN tunnel for the headquarters 327 328 Example of a more complex Kerio VPN conﬁgurationVPN test 329 Common method 330 331 332 33 Headquarter creating default traﬃc rules for Kerio VPN 35 Headquarter DNS forwarder conﬁguration 333 Kerio VPN 38 Headquarters VPN server conﬁguration 335 39 Headquarter deﬁnition of VPN tunnel for the London ﬁlial 336 337 338 43 Headquarter ﬁnal traﬃc rules 339 340 Conﬁguration of the London ﬁlial 341 46 The London ﬁlial oﬃce default traﬃc rules for Kerio VPN 342 48 The London ﬁlial oﬃce DNS forwarding settings 343 344 345 54 The London ﬁlial oﬃce ﬁnal traﬃc rules 346 347 Conﬁguration of the Paris ﬁlial 57 The Paris ﬁlial oﬃce DNS forwarder conﬁguration 348 59 The Paris ﬁlial oﬃce VPN server conﬁguration 349 350 351 352 64 The Paris ﬁlial oﬃce ﬁnal traﬃc rules 353 354 355 Kerio Clientless SSL-VPN22.1 Conﬁguration of WinRoute’s SSL-VPN SSL-VPN conﬁguration 356 Allowing access from the InternetKerio Clientless SSL-VPN Https//server12345 Usage of the SSL-VPN interfaceUsage of the SSL-VPN interface Https//server 358 Sidneywashington@usoffice.company.comHandling ﬁles and folders 359 \\server\folder\subfolderAntivirus control Bookmarks 360 TroubleshootingDetection of incorrect conﬁguration of the default gateway 23.2 Conﬁguration Backup and Transfer Dnscache.cfg SslcertLicense Cache.CFS 363 Handling conﬁguration ﬁles Conﬁguration backup recoveryStar List name=Interfaces 365 Automatic user authentication using NtlmGeneral conditions 366 WinRoute Conﬁguration Microsoft Internet Explorer Automatic user authentication using NtlmNtlm authentication process Web browsers 368 Firefox/Netscape/Mozilla/SeaMonkeyFirefox/Netscape/Mozilla/SeaMonkey conﬁguration 369 Partial Retirement of Protocol InspectorPartial Retirement of Protocol Inspector 370 How to enable certain users to access the InternetUser accounts and groups in traﬃc rules 371 Enabling automatic authentication 372 FTP on WinRoute’s proxy serverExample of a client conﬁguration web browser 373 Example of a client conﬁguration Total CommanderFTP on WinRoute’s proxy server 374 12 Setting proxy server for FTP in Total Commander 375 Network Load BalancingBasic Information and System Requirements Network Conﬁguration 376 Network Load Balancing 377 24.3 Conﬁguration of the servers in the clusterNLB conﬁguration for Server1 Server 1 cluster parameters 378 379 NLB conﬁguration for Server2 380 Technical supportEssential Information Description License type and license number Error Log FilesTested in Beta version Informational File Czech Republic ContactsUnited Kingdom Legal Presumption 384 Used open-source librariesLibiconv OpenSSL 385 PrototypeCopyright 2005 Sam Stephenson Zlib Cluster Default gatewayGlossary of terms ActiveX 387 FirewallGreylisting 388 Glossary of terms IP addressIPSec Kerberos Port Network adapterP2P network Packet Script Glossary of termsProxy server Routing table 391 Spooﬁng 392 TCP/IP 393 Index 394 Index 395 Ntlm 396 VPN 397 133