That is the most helpful piece of log scanning information I have received. I had no idea that was the correlation.
Did you find that in the documentation somewhere or did you discover it? If it is in the documentation, I believe I may have missed an interesting page. ;)
On 1/24/2012 12:51 PM, Philip Slater wrote:
Yes there is.
That number corresponds with the web user session entries in the logs.
Provided that your Session (Settings/Access/Session) log level is set to Majors & Failures you will be able to match up the item.
For example.
http://localhost:8100/Session/3-v7hTCUkpNrT8nrqUYZrC/frameset.wssp?
Session ID is #3
From the log
09:47:30.432 2 WEBUSER-000003(lolade) logged in(HTTP) from [127.0.0.1]:53290
Let me know what activity in webmail is giving you a problem in deciphering and I will gladly lend a hand.
Phil
On Jan 24, 2012, at 8:01 AM, Jeff Wark wrote:
Short version:
Is there any way to associate a webmail session ID [cluster based] such as
642898-X5NLTjVHRTD0FhGpaBgu-aodhhdz
with a username in the logs?
Long Version:
I have set my server [5.2.19] to log my IP address at the debug level. When I login to the webmail, I cannot see an immediately obvious connection to the username. I do find this:
10:48:54.504 5 HTTPC-153558 out: POST /ProxyLogin/jwark@tbaytel.net/aodhhdz.html HTTP/1.1\r\nReferer: http://mail.tbaytel.net/?restoreSessionPage=.html\r\nCookie: __utma=192908911.2112433454.1274466685.1326812208.1327419163.57; __utmc=192908911; __utmz=192908911.1327419163.57.22.utmccn=(referral)|ut
10:48:55.156 5 HTTPU-153558([10.2.26.250]) out: HTTP/1.1 301 Moved\r\nContent-Length: 577\r\nConnection: close\r\nDate: Tue, 24 Jan 2012 15:48:55 GMT\r\nContent-Type: text/html;charset=utf-8\r\nServer: CommuniGatePro/5.2.19\r\nLocation: http://mail.tbaytel.net/Session/642898-X5NLTjVHRTD0FhGpaBgu-aod
which mentions the username jwark in the HTTPC line and the session-ID in the HTTPU line [I have never seen an HTTPC entry as far as I can remember].
The reason I am asking is because one of our accounts got compromised and got our mail server listed at phishtank.com. The URL listed there has a session-ID in it and I would like to be able to track down the account that was compromised. Since the session ID is in the URL, I think that it could only have been valid for at most 12 hours [our session limit], but I could be wrong. I would just like to associate it with an account. I guess this is more of a feature request...to see a line like:
10:56:17.414 2 HTTPU-620430([1.2.3.4]) 'jwark@tbaytel.net' linked from [1.2.3.4]:61563 to [10.1.1.106]:110 with Session-ID 642898-X5NLTjVHRTD0FhGpaBgu-aodhhdz
That would give a direct link between an account and a session ID. I also do not want to log HTTP requests at "All Info" level. That level should be only for finding a problem and I cannot retroactively increase the log level.
As a side note, I have always found it difficult to associate webmail sessions with other events in the logs. It is almost like there is a piece of information lacking in a record or something. I have no problem with any SMTP/POP/IMAP, but Webmail always gives me a problem.
Thanks again.
#############################################################
This message is sent to you because you are subscribed to
the mailing list <CGatePro@mail.stalker.com>.
To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
Send administrative queries to <CGatePro-request@mail.stalker.com>
CommuniGate Pro Training
If interested please contact sales@communigate.com
Learn more about Rich Internet Applications
http://www.communigate.com/pronto/
________________________________________________________
Philip Slater
Professional Services
CommuniGate Systems
p 1 415 383 7164 ext 201
p 1 800 262 4722 ext 201
f 1 415 383 7461
SIP & Email pslater@communigate.com
AIM: stalkersoftware
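The correlation Phil describes above (the numeric prefix of the `/Session/<N>-...` URL path matches the `WEBUSER-00000N` number in the Session log's "logged in" line) can be scripted so that a session URL reported by a phishing feed is resolved back to the account that opened it. The following is an added example, not code from this thread or from CommuniGate Pro. The log lines are constructed to mimic the two formats quoted above, and it assumes that the WEBUSER counter is unique within the log file being searched (so searching the log for the day the URL was seen is the safe scope).

```python
import re
from urllib.parse import urlparse

# Constructed sample of Session-log lines, modelled on the WEBUSER line quoted in the thread.
SAMPLE_LOG = """\
09:47:30.432 2 WEBUSER-000003(lolade) logged in(HTTP) from [127.0.0.1]:53290
09:48:02.118 2 WEBUSER-000004(jwark@tbaytel.net) logged in(HTTP) from [10.2.26.250]:49152
09:50:11.007 2 WEBUSER-000003(lolade) logged out
"""

# Only "logged in" lines carry the user/session pairing; everything else is ignored.
LOGIN_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \d+ "
    r"WEBUSER-(?P<num>\d+)\((?P<user>[^)]+)\) logged in\((?P<proto>[^)]+)\) "
    r"from \[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
)


def parse_logins(log_text):
    """Map WEBUSER session number -> list of (time, user, protocol, client_ip).

    A list is kept per number because the counter can repeat if the server
    restarts within the same log file; the timestamp lets an analyst pick the
    right one.
    """
    logins = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        num = int(m.group("num"))  # "000003" -> 3, the same value as the URL prefix
        logins.setdefault(num, []).append(
            (m.group("time"), m.group("user"), m.group("proto"), m.group("ip"))
        )
    return logins


def session_number_from_url(url):
    """Return the numeric prefix of the /Session/<N>-<token> path element.

    Raises ValueError when the URL carries no /Session/ element, so a feed
    entry that is not a webmail session URL is not silently mapped to 0.
    """
    parts = urlparse(url).path.split("/")
    try:
        session_elem = parts[parts.index("Session") + 1]
    except (ValueError, IndexError):
        raise ValueError("no /Session/<id> element in URL: %s" % url)
    prefix = session_elem.split("-", 1)[0]
    if not prefix.isdigit():
        raise ValueError("session id has no numeric prefix: %s" % session_elem)
    return int(prefix)


def find_account(url, log_text):
    """All login records whose WEBUSER number matches the URL's session prefix.

    An empty list means the login line was not in this log (wrong day, or the
    Session log level was below "Majors & Failures" when the session began).
    """
    return parse_logins(log_text).get(session_number_from_url(url), [])


if __name__ == "__main__":
    for u in (
        "http://localhost:8100/Session/3-v7hTCUkpNrT8nrqUYZrC/frameset.wssp?",
        "http://mail.tbaytel.net/Session/642898-X5NLTjVHRTD0FhGpaBgu-aodhhdz/",
    ):
        print(u, "->", find_account(u, SAMPLE_LOG))
```

Feed it the Session log from the day the phishing URL was first reported; when more than one record comes back for the same number, the one whose timestamp lies inside the session lifetime (12 hours in Jeff's configuration) is the login to investigate.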