ESP Logs

1 Introduction

This Technical Note provides supplementary information about the Edge Security Pack (ESP) logs in the KEMP LoadMaster. For further information on ESP in general, refer to the ESP Feature Description on the KEMP Documentation Page.

2 ESP SSO Debug Logs

ESP SSO debug logs are extensive. The primary purpose of these logs is to provide deep insight into processing and developer-level debugging information. While these logs are not documented, they are verbose in nature. They can be examined for information and parsed where necessary.

These logs are debug level and are disabled by default under normal operating conditions.

Generally, these logs are only enabled in collaboration with KEMP Customer Support personnel, to provide assistance with troubleshooting problematic flows.

3 ESP Extended Logs

These logs are generated from the L7 layer of the LoadMaster system. They provide insight into ESP and security-related events on the system. The format of these logs rarely change, unless there is a specific request to add extra information (which typically would be new data at the end of the string).

Three identifiers are used:


These map to the corresponding files on the system:

  • /var/log/userlog/connection
  • /var/log/userlog/user
  • /var/log/userlog/security

For more information on each of the log types, refer to the sections below.

3.1 Connection Logs

The connection logs provide information relating to the client, Virtual Service, Real Server, and the nature of the connection (if SSL is in use or not).



SSL accept on "VSIP:Port" from "Client IP:Port"



Connect from "ClientIP:Port" to "RSIP:Port" using "VSIP:Port"

3.2 User Logs

User logs reflect the activity of the user. The logs have the following format.



"VSIP:Port" ("RSIP:Port") User "USERNAME" requested|attempted "HTTP METHOD" "URI" "USERAGENT"


  • USERNAME reflects the user
  • The log indicates what the user requested OR attempted
  • HTTP METHOD reflects the HTTP method used, for example, GET or POST
  • URI comprises of http or https, the host being accessed, and the path and query as presented
  • USERAGENT is the User Agent header from the HTTP request (if enabled to be included)



The user logs also explicitly shows log off activity.



"VSIP:Port": User "USERNAME" logged off



For common activity events (for example, log on and access denied), or if a dialogue is required between the client and LoadMaster (for example, for two-factor authentication), the user logs capture this detail in a simple user log message.



"VSIP:Port": User "USERNAME" "MESSAGE" from "HOST"

Where the MESSAGE can be:

  • logged on
  • denied access
  • blocked access
  • requires passphrase
  • requires re-enter passphrase
  • requires pin
  • requires re-enter pin
  • requires password reset

4 Security Logs

These logs are generated when configuration on the LoadMaster prevents access to a service, or the LoadMaster detects something malicious regarding the request.



Attempted XSS attack on "VSIP:Port" from "ClientIP:Port" (dtcode "INTERNAL DETECTION CODE")



Blocked access to invalid "TARGET" "HOST" from "ClientIP:Port" to "VSIP:Port"\n


  • TARGET is the directory or host
  • HOST is the host information from HTTP request or [No host specified]



Blocked SMTP access to "MAIL ADDRESS" from "ClientIP:Port" to "VSIP:Port"

SMTP parse failure of data from "ClientIP:Port" to "VSIP:Port"

Last Updated Date

This document was last updated on 22 January 2018.

Was this article helpful?

0 out of 0 found this helpful