HTTPS does not record in Mikrotik log

Hi All,

There is a log shown in the log screen, but it shows only HTTP requests. Can I see HTTPS requests in the log screen?

Not sure what you mean about HTTP logs. Did you configure a transparent proxy for HTTP and enable logging? Then yes, it will show.
HTTPS can’t be proxied, so you can’t achieve the same result. HTTPS is encrypted.

Thanks normis for your response.
Yes, logging is active and writes to disk and remotely, but for example if you request cnn.com it displays on the log screen >>
Time: Nov 15 11:29:15
IP: 192.168.1.2
Host: web-proxy,account
Facility:
Priority:
Tag:
Message: 192.168.1.99 GET http://cdn.cnn.com/cnnnext/dam/assets/171114072319-libya-smugglers-slave-trade-tripoli-medium-tease.jpg action=allow cache=MISS

<<<
But when you request facebook.com, google.com, youtube.com, etc., nothing appears in the log because they all become “https”.

Yes it’s true. HTTPS is encrypted so you can’t trace it. This is the purpose of HTTPS :slight_smile:

OK, I understand now. Is there an expert way to trace the encrypted HTTPS requests?
because I want to record all breached roles.

This is not possible

Thank you very much Normis

I have to disagree here. As an example, Squid logs the hostname that it proxied the connection to along with the number of bytes transferred.

Hi troffasky,

Could you please give me notes about Squid logs for monitoring web searches and video viewing by employees, especially “https”.

For HTTP, yes. How is Squid transparently proxying HTTPS without the end user getting problems?

Do you want to break the SSL connection? The only thing you’ll get with HTTPS [edit: if you’re explicitly proxying it] is the hostname that the connection was proxied to and the number of bytes transferred.

1510849421.345   2610 192.168.1.3 TCP_TUNNEL/200 9926 CONNECT i.mt.lv:443 - HIER_DIRECT/2a02:610:7501:1000::197 -
1510849423.908   6511 192.168.1.3 TCP_TUNNEL/200 9417 CONNECT wiki.mikrotik.com:443 - HIER_DIRECT/2a02:610:7501:1000::201 -
1510849423.931   7546 192.168.1.3 TCP_TUNNEL/200 114953 CONNECT wiki.mikrotik.com:443 - HIER_DIRECT/2a02:610:7501:1000::201 -
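To make concrete what those lines do and do not reveal, here is an added Python example (my own code, not troffasky's and not part of Squid) that parses Squid's native access.log format, which is the layout of the three lines quoted above: timestamp, elapsed milliseconds, client address, result code/HTTP status, bytes sent, method, URL, ident, hierarchy/peer and content type. For a CONNECT tunnel the URL field is just `host:port`, so the only things an explicit proxy can attribute to a client for HTTPS are the target hostname, the port and the byte count. The sample log text is copied from the post; the hostnames and addresses in it are the poster's, and the 443-only check is my own assumption about what counts as an unusual tunnel port.

```python
"""Summarise what an explicit Squid proxy records for HTTPS (CONNECT) traffic.

Added example, not code from the forum thread or from the Squid project.
Parses Squid's native access.log layout:
  time elapsed client code/status bytes method url ident hierarchy/peer type
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

# Sample lines copied from the post above (Squid native access.log format).
SAMPLE_LOG = """\
1510849421.345   2610 192.168.1.3 TCP_TUNNEL/200 9926 CONNECT i.mt.lv:443 - HIER_DIRECT/2a02:610:7501:1000::197 -
1510849423.908   6511 192.168.1.3 TCP_TUNNEL/200 9417 CONNECT wiki.mikrotik.com:443 - HIER_DIRECT/2a02:610:7501:1000::201 -
1510849423.931   7546 192.168.1.3 TCP_TUNNEL/200 114953 CONNECT wiki.mikrotik.com:443 - HIER_DIRECT/2a02:610:7501:1000::201 -
"""


@dataclass
class SquidEntry:
    time: datetime
    elapsed_ms: int
    client: str
    result_code: str  # e.g. TCP_TUNNEL for a CONNECT tunnel
    status: int       # HTTP status; 200 once the tunnel is established
    size: int         # bytes delivered to the client
    method: str
    url: str          # for CONNECT this is only "host:port"
    peer: str         # hierarchy/peer, e.g. HIER_DIRECT/<upstream address>


def parse_squid_line(line: str) -> Optional[SquidEntry]:
    """Split one native-format line; return None for blank or malformed lines."""
    fields = line.split()
    if len(fields) < 9:
        return None
    code, _, status = fields[3].partition("/")
    return SquidEntry(
        time=datetime.fromtimestamp(float(fields[0]), tz=timezone.utc),
        elapsed_ms=int(fields[1]),
        client=fields[2],
        result_code=code,
        status=int(status),
        size=int(fields[4]),
        method=fields[5],
        url=fields[6],
        peer=fields[8],
    )


def target_host_port(entry: SquidEntry):
    """CONNECT carries 'host:port'; plain HTTP requests carry a full URL."""
    if entry.method == "CONNECT":
        host, sep, port = entry.url.rpartition(":")
        if not sep or not port.isdigit():
            return entry.url, 443  # no explicit port: assume the TLS default
        return host, int(port)
    parts = urlsplit(entry.url)
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname or "", parts.port or default


def summarize(log_text: str):
    """Per (client, host): number of connections and total bytes.

    This is the whole HTTPS picture an explicit proxy gives you without
    breaking TLS: who talked to which hostname, and how much data moved.
    """
    totals = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for line in log_text.splitlines():
        entry = parse_squid_line(line)
        if entry is None:
            continue
        host, _ = target_host_port(entry)
        bucket = totals[(entry.client, host)]
        bucket["connections"] += 1
        bucket["bytes"] += entry.size
    return dict(totals)


def unusual_connect_ports(log_text: str, allowed=(443,)):
    """Return (client, host, port) for CONNECT tunnels to non-TLS ports.

    The tunnel contents are opaque, so the destination port is the only
    hint of what it carries; 443 as the allowed set is an assumption here.
    """
    flagged = []
    for line in log_text.splitlines():
        entry = parse_squid_line(line)
        if entry and entry.method == "CONNECT":
            host, port = target_host_port(entry)
            if port not in allowed:
                flagged.append((entry.client, host, port))
    return flagged


if __name__ == "__main__":
    for (client, host), stats in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client} -> {host}: {stats['connections']} conn, {stats['bytes']} bytes")
    print("unusual CONNECT ports:", unusual_connect_ports(SAMPLE_LOG))
```

Run against a real access.log the same way (read the file instead of `SAMPLE_LOG`); note that `size` is bytes toward the client only, and that a transparently intercepted HTTPS connection never produces a CONNECT line at all, which is the distinction the rest of the thread turns on.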

Having re-read the thread, I have misunderstood. I had assumed the OP was using an explicit proxy not a transparent one.

You can monitor encrypted traffic but there are legal and technical obstacles. You need to a) work out if it’s legal where you are b) get the monitored devices to trust a certificate that you can re-encrypt their traffic with.

I have to disagree here. You can get the same info for transparently proxied https, using squid.
However, configuring “splice/bump” for this is non-trivial.