Kerio User Forums » Kerio Connect » Reading logs (6.0.4)
bwaynet

Messages: 2
Karma: 0
Hello,

We're an ISP and a client of ours without an IT staff has asked us to help clean up their Kerio mail server (6.0.4, running on CentOS). It appears that some accounts have been brute-forced and they are being used as a spam relay on a fairly large scale. We're also looking to use this opportunity to evaluate Kerio as an option for our business clients that need something other than our own email hosting or Exchange.

I'm extremely well-versed with email in general, but not Kerio, and I'm having a hard time getting it to show me the information I need.

My first problem is the client required for administration (it appears this is the only way to administer the server). In the "Logs" section, any log I select appears with totally garbled fonts (see attachment). If I select a line with the mouse, it's readable, but that's not totally practical due to the volume of logs involved.

I also see that there's an option to view the contents of the queue, but the client seems unable to handle the volume of messages in the queue. It starts using 100% CPU and remains unresponsive, even after letting it sit for over an hour.

Assuming I can somehow fix the log display, is there an easy way to simply get an overview of the following?

- All smtp-auth logins over a date range
- All user accounts that have logged in over the last X days (I found this for individual accounts, but did not find a way to get a summary of all users in all domains)
- Contents of the queue, sorted by sender or destination

And lastly, can I trust the contents of the .env files in the queue? The headers in these files do indicate that the spam was sent from an authenticated user, can I trust that this was not forged by the sender? An example:

<envelope>
  <id-time>1298460235</id-time>
  <id-seq>1224013</id-seq>
  <created>1298460242</created>
  <retry>0</retry>
  <auth-sender>tina<_at_>xxxrecords.com  </auth-sender> <<-- THIS LINE
  <sender>benjaminweack12<_at_>xxx.com</sender>
  <sender-ip>79.129.57.32</sender-ip>
  <flags></flags>
  <blacklist-score>0.0</blacklist-score>
[...]
I understand this is an old version, but no one is committed to an upgrade at this point. We want to evaluate the product we have first and then determine what the latest version offers beyond what they currently run.

ccjwells

Messages: 192
Karma: 0
I would suggest reading the logs in your text editor of choice. The location should be something like this: /opt/kerio/mailserver/store/logs. However, I'm not sure all of the information you're looking for is recorded by default. Also, you're probably better off parsing (and emptying) the queue manually from the command line again with your tools of choice.

[Updated on: Mon, 25 April 2011 21:44]

bwaynet

Messages: 2
Karma: 0
I'm digging around the manual now to see if there's any good info to be had there. Also my subject line is incorrect, it's 6.4.0, not 6.0.4...
MI

Messages: 16
Karma: 0
Did anyone ever create a program, or web page, or something that would parse these log files, and stick them in a SQL database?

I just wish the log file delimiters were the same for all of the log files.
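The original poster wants an overview of the queue sorted by sender and scoped to a date range, and the question above asks about parsing the files into a SQL database. The script below is an added example (not Kerio's code and not from anyone in this thread) that does both for the queue's .env files: it pulls the <auth-sender>, <sender>, <sender-ip> and <created> fields out of each envelope with a regex that tolerates the unknown remainder of the file, counts queued messages per authenticated account together with the distinct source IPs seen for it, filters by the <created> epoch, and loads the records into SQLite. It assumes real .env files use "@" where the forum display shows <_at_>, that one file corresponds to one queued message, and it takes no position on whether <auth-sender> is written by the server or can be influenced by the client; the three sample envelopes are constructed for the example.

```python
"""Triage a Kerio Connect mail queue from its .env envelope files.

Added example, not Kerio's code. Assumes each queued message has a .env file
shaped like the fragment quoted in the thread and that real files contain '@'
where the forum shows '<_at_>'. Whether <auth-sender> is set by the server
(and therefore trustworthy) is NOT verified here; treat it as a lead only.
"""
import re
import sqlite3
from collections import Counter, defaultdict
from pathlib import Path

# Only the fields we need; a tag regex copes with the truncated/unknown rest
# of the file better than a full XML parse would.
_TAG = re.compile(r"<(auth-sender|sender|sender-ip|created)>\s*(.*?)\s*</\1>")


def parse_envelope(text):
    """Return the four fields of one envelope (missing fields -> '')."""
    fields = {"auth-sender": "", "sender": "", "sender-ip": "", "created": ""}
    for tag, value in _TAG.findall(text):
        fields[tag] = value
    return fields


def load_queue(env_dir):
    """Parse every *.env file under env_dir (path is site-specific)."""
    return [parse_envelope(p.read_text(errors="replace"))
            for p in sorted(Path(env_dir).glob("*.env"))]


def filter_created(envelopes, start_epoch, end_epoch):
    """Keep envelopes whose <created> timestamp lies in [start, end]."""
    return [e for e in envelopes
            if e["created"].isdigit() and start_epoch <= int(e["created"]) <= end_epoch]


def summarize(envelopes, key="auth-sender"):
    """Messages per key (auth-sender or sender), busiest first, with the
    distinct source IPs behind each key. Many messages from one account
    across several IPs is the pattern a relayed-through account tends to show."""
    counts = Counter()
    ips = defaultdict(set)
    for e in envelopes:
        k = e[key] or "(none)"
        counts[k] += 1
        if e["sender-ip"]:
            ips[k].add(e["sender-ip"])
    return [(k, n, sorted(ips[k])) for k, n in counts.most_common()]


def to_sqlite(envelopes, path=":memory:"):
    """Load the parsed envelopes into a SQLite table for ad-hoc queries."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS queue ("
                 "auth_sender TEXT, sender TEXT, sender_ip TEXT, created INTEGER)")
    conn.executemany(
        "INSERT INTO queue VALUES (?, ?, ?, ?)",
        [(e["auth-sender"], e["sender"], e["sender-ip"], int(e["created"] or 0))
         for e in envelopes])
    conn.commit()
    return conn


# Constructed sample envelopes (documentation addresses/IPs), mirroring the
# quoted fragment including its trailing spaces inside <auth-sender>.
SAMPLE_TEXTS = [
    "<envelope>\n  <created>1298460242</created>\n  <retry>0</retry>\n"
    "  <auth-sender>tina@example.com  </auth-sender>\n"
    "  <sender>benjaminweack12@example.net</sender>\n"
    "  <sender-ip>203.0.113.5</sender-ip>\n  <flags></flags>\n",
    "<envelope>\n  <created>1298460300</created>\n"
    "  <auth-sender>tina@example.com</auth-sender>\n"
    "  <sender>promo@example.org</sender>\n  <sender-ip>203.0.113.9</sender-ip>\n",
    "<envelope>\n  <created>1298470000</created>\n"
    "  <auth-sender>bob@example.com</auth-sender>\n"
    "  <sender>bob@example.com</sender>\n  <sender-ip>198.51.100.7</sender-ip>\n",
    "<envelope>\n  <created>1298480000</created>\n  <auth-sender></auth-sender>\n"
    "  <sender>news@example.com</sender>\n  <sender-ip>192.0.2.44</sender-ip>\n",
]
SAMPLE_ENVELOPES = [parse_envelope(t) for t in SAMPLE_TEXTS]

if __name__ == "__main__":
    # Replace SAMPLE_ENVELOPES with load_queue("/path/to/queue") on a real server.
    for account, n, sources in summarize(SAMPLE_ENVELOPES):
        print(f"{n:5d}  {account:30s}  from {', '.join(sources) or '-'}")
```

The per-account summary is the quickest way to spot which credentials are being used for relaying, and the SQLite table lets you answer the "sorted by sender or destination" question with ordinary SQL once any further fields you care about are added to the regex and the table.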
TorW

Messages: 769
Karma: 9
Analysing log files is just as hard when the info is in a database. Kerio logs (almost) everything, but only you know if the log info is normal everyday activity or not. Use simple tools and know your trade.