Request Logs

What are Request Logs?

Request logs capture a detailed record of every HTTP request that passes through any Horizon circuit in the project, regardless of whether the request was ultimately allowed through to the backend service or blocked by one of the security layers. This comprehensive logging is fundamental to the Zero Trust approach: visibility extends not only to traffic that reached the services, but also to traffic that was blocked and the corresponding reason. Each log entry represents a single HTTP request and includes metadata about the source, the destination, the outcome, and - where applicable - the identity of the authenticated user and the reason the request was blocked. These logs are invaluable for security auditing, incident investigation, usage analysis, performance monitoring, and troubleshooting.

Log Entry Fields

Each request log entry displays the following fields in the log table. The Timestamp indicates when the request was received by the Horizon proxy, formatted as YYYY-MM-DD HH:MM:SS. The Source IP is the originating IP address of the request, which may be the client's actual IP address or the IP of a proxy, VPN, or CDN through which the connection is routed. The Country is the ISO country code determined by geolocating the source IP address. The URL displays the request path (the portion of the URL after the domain). The Status Code is the HTTP response status code returned to the client. The Action indicates whether the request was Allowed (forwarded to the backend and a response returned) or Blocked (stopped at the proxy by a security rule). The User Email displays the authenticated user's email address, which is populated when the circuit's access policy requires authentication and the user successfully authenticated; it is empty for public circuits or for requests that were blocked before authentication occurred.

Expanded Details

Clicking on any log entry row expands it to reveal additional details that are not shown in the table columns. The expanded view includes the full Source IP address, the Country name (not just the ISO code), the Download Size (response body size in bytes, indicating how much data was sent back to the client), the Upload Size (request body size in bytes, indicating how much data the client sent), the full Timestamp, the authenticated User email (if applicable), the Block Reason (a description of why the request was blocked, such as "IP blacklisted," "Country blocked," or "Scanner detected" - this field is only present for blocked requests), and the Forward URL (the internal URL that the request was forwarded to on the backend service, which is only present for allowed requests). These expanded details are particularly useful for investigating specific requests, understanding why a request was blocked, and diagnosing issues with the backend service.

Filtering

The request logs view provides a comprehensive set of filters for locating specific entries in the log data. The Search field performs a free-text search across all fields, enabling rapid identification of entries matching a keyword, IP address, URL fragment, or email address. The Date Range filter restricts the view to entries within a specific time window, which is useful for investigating incidents that occurred during a known time period. The Country filter displays only entries from a specific originating country. The User filter restricts the view to entries associated with a specific authenticated user. The Action filter displays only Allowed or only Blocked entries, which is particularly useful for reviewing all blocked requests to identify potential attacks or misconfigured rules. All filters are applied on the client side and can be combined - for example, blocked requests from a specific country within a specific date range can be filtered simultaneously.

Sorting

Every column in the request logs table supports sorting. Clicking any column header sorts the table by that column in ascending order; clicking again switches to descending order. Sortable columns include Timestamp, Source IP, Country, URL, Status Code, Action, and User. Sorting is applied on top of any active filters - for example, blocked requests can be filtered and then sorted by timestamp to display them in chronological or reverse-chronological order.

Status Code Indicators

Status codes in the log table are color-coded for quick visual identification. Successful responses (2xx status codes like 200 OK) and redirects (3xx status codes like 301 Moved Permanently or 304 Not Modified) are displayed in green, indicating normal, healthy traffic. Client errors (4xx status codes like 403 Forbidden, 404 Not Found) and server errors (5xx status codes like 500 Internal Server Error, 502 Bad Gateway) are displayed in red, indicating issues that may warrant investigation. This color coding facilitates rapid identification of error patterns or anomalies when scanning the logs.