|
|
Yes there is.
That number corresponds with the web user session entries in the logs.
Provided that your Session (Settings/Access/Session) log level is set to Majors & Failures you will be able to match up the item.
For example.
http://localhost:8100/Session/3-v7hTCUkpNrT8nrqUYZrC/frameset.wssp?
Session ID is #3
From the log
09:47:30.432 2 WEBUSER-000003(lolade) logged in(HTTP) from [127.0.0.1]:53290
Let me know what activity in webmail is giving you a problem in deciphering and I will gladly lend a hand.
Phil
On Jan 24, 2012, at 8:01 AM, Jeff Wark wrote:
> Short version:
> Is there any way to associate a webmail session ID [cluster based] such as
> 642898-X5NLTjVHRTD0FhGpaBgu-aodhhdz
> with a username in the logs?
>
> Long Version:
> I have set my server [5.2.19] to log my IP address at the debug level. When I login to the webmail, I cannot see an immediately obvious connection to the username. I do find this:
> 10:48:54.504 5 HTTPC-153558 out: POST /ProxyLogin/jwark@tbaytel.net/aodhhdz.html HTTP/1.1\r\nReferer: http://mail.tbaytel.net/?restoreSessionPage=.html\r\nCookie: __utma=192908911.2112433454.1274466685.1326812208.1327419163.57; __utmc=192908911; __utmz=192908911.1327419163.57.22.utmccn=(referral)|ut
> 10:48:55.156 5 HTTPU-153558([10.2.26.250]) out: HTTP/1.1 301 Moved\r\nContent-Length: 577\r\nConnection: close\r\nDate: Tue, 24 Jan 2012 15:48:55 GMT\r\nContent-Type: text/html;charset=utf-8\r\nServer: CommuniGatePro/5.2.19\r\nLocation: http://mail.tbaytel.net/Session/642898-X5NLTjVHRTD0FhGpaBgu-aod
>
> which mentions the username jwark in the HTTPC line and the session-ID in the HTTPU line [I have never seen an HTTPC entry as far as I can remember].
>
> The reason I am asking is because one of our accounts got compromised and got our mail server listed a phishtank.com. The URL listed there has a session-ID in it and I would like to be able to track down the account that was compromised. Since the session ID is in the URL, I think that it could only have been valid for at most 12 hours [our session limit], but I could be wrong. I would just like to associate it with an account. I guess this is more of a feature request...to see a line like:
> 10:56:17.414 2 HTTPU-620430([1.2.3.4]) 'jwark@tbaytel.net' linked from [1.2.3.4]:61563 to [10.1.1.106]:110 with Session-ID 642898-X5NLTjVHRTD0FhGpaBgu-aodhhdz
>
> That would give a direct link between an account and a session ID. I also do not want to log HTTP requests at "All Info" level. That level should be only for finding a problem and I cannot retroactively increase the log level.
>
> As a side note, I have always found it difficult to associate webmail sessions with other events in the logs. It is almost like there is a piece of information lacking in a record or something. I have no problem with any SMTP/POP/IMAP, but Webmail always gives me a problem.
>
> Thanks again.
>
> #############################################################
> This message is sent to you because you are subscribed to
> the mailing list <CGatePro@mail.stalker.com>.
> To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
> To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
> To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
> Send administrative queries to <CGatePro-request@mail.stalker.com>
CommuniGate Pro Training
If interested please contact sales@communigate.com
Learn more about Rich Internet Applications
http://www.communigate.com/pronto/
________________________________________________________
Philip Slater
Professional Services
CommuniGate Systems
p 1 415 383 7164 ext 201
p 1 800 262 4722 ext 201
f 1 415 383 7461
SIP & Email pslater@communigate.com
AIM: stalkersoftware
|
|