
Email user signon history

Posted: Fri Mar 11, 2011 2:29 am
by jobus
Hi
I need to see the signon history of an email user. I know "omshowu -n authentication-id" gives you a Last Signon date and time, but I need to find a history of logins. Employer is stating that he never was told about his email credentials and thus is refusing to accept liability. He has signed on now but I need to see a more historic list.

Regards

Joe

Re: Email user signon history

Posted: Mon Mar 14, 2011 7:07 am
by Valerion
If you have auditing enabled you will get messages like:

user-signon
time 1300100192 Mon Mar 14 12:56:32 2011 +120
user-agent-id Outlook 12.0.6550.0 - Scalix Connect for Microsoft Outlook 11.4.6.9214
client-type 15
client-ip 127.0.0.1
user 103 <REMOVED> 500 500
signon-status 0

in your audit log. However, you need to enable this first; it's not on by default.
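One way to turn the user-signon records quoted in the post above into a per-user sign-on history (an added example, not part of the original thread and not Scalix code). The record layout, the user names and the second record are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample modelled on the record quoted above. Assumption: a record
# starts with its type on a line of its own, followed by "key value" lines,
# and ends at a blank line or at the next record type.
SAMPLE_LOG = """\
user-signon
time 1300100192 Mon Mar 14 12:56:32 2011 +120
user-agent-id Outlook 12.0.6550.0 - Scalix Connect for Microsoft Outlook 11.4.6.9214
client-type 15
client-ip 127.0.0.1
user 103 jdoe 500 500
signon-status 0

user-signon
time 1300186592 Tue Mar 15 12:56:32 2011 +120
client-ip 192.0.2.10
user 104 asmith 500 500
signon-status 0
"""

def parse_signons(text):
    """Return one dict per user-signon record found in the audit log text."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "user-signon":
            current = {}
            records.append(current)
        elif not line or " " not in line:
            current = None  # blank line or some other record type
        elif current is not None:
            key, value = line.split(" ", 1)
            current[key] = value.strip()
    return records

def signon_history(text, user_match):
    """Sign-ons whose 'user' field contains user_match, oldest first."""
    rows = []
    for rec in parse_signons(text):
        if user_match not in rec.get("user", "") or "time" not in rec:
            continue
        epoch = int(rec["time"].split()[0])  # first token is the epoch time
        when = datetime.fromtimestamp(epoch, tz=timezone.utc)
        rows.append((when.strftime("%Y-%m-%d %H:%M:%S UTC"), rec.get("client-ip", "?"),
                     rec.get("user-agent-id", "?"), rec.get("signon-status", "?")))
    return sorted(rows)

if __name__ == "__main__":
    print(*signon_history(SAMPLE_LOG, "jdoe"), sep="\n")
```

The signon-status value is passed through unchanged, since the thread does not say what each status code means.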

Re: Email user signon history

Posted: Mon Mar 14, 2011 8:02 am
by jobus
Thank you for your reply. Currently my Audit Log's statuses are as follows:

Service Router 0
Local Delivery 0
Internet Mail Gateway 0
Local Client Interface 0
Remote Client Interface 0
Administration 0
Request Server 0
Directory Synchronization 0
Bulletin Board Server 0
Background Search Service 0
POP3 interface 11
Omscan Server 0
Archiver 0

Which one should be On and at what Level?

Re: Email user signon history

Posted: Mon Mar 14, 2011 9:16 am
by Valerion
Remote Client Interface, IIRC. I don't have access to a server right now. I normally set mine to 15, but that's WAY overkill.

Re: Email user signon history

Posted: Mon Mar 14, 2011 9:18 am
by mikethebike
You would need remote client set to 9:
omconfaud rci 9

That will only start logging info from the time you set it.

I seem to remember you can check what the various levels log by looking at the ~/sys/audit.cfg file... but do not change anything in that file

Mick

Re: Email user signon history

Posted: Mon Mar 14, 2011 9:33 am
by jobus
Is RCI not just for Browse/Webmail access? Would you not also have LCI on for users accessing through mail clients?

Re: Email user signon history

Posted: Mon Mar 14, 2011 10:32 am
by Valerion
Local Client Interface is for clients running on the local machine (omlogon, omsend, etc). Remote Client Interface is for all UAL (Outlook) and IMAP connections. SWA uses IMAP as well. The POP3 Interface handles POP3 connections.

Re: Email user signon history

Posted: Mon Mar 14, 2011 10:36 am
by jobus
Thanks a lot Valerion and Mike.

Re: Email user signon history

Posted: Tue Mar 15, 2011 5:28 pm
by ls-al
Valerion wrote: Local Client Interface is for clients running on the local machine (omlogon, omsend, etc). Remote Client Interface is for all UAL (Outlook) and IMAP connections. SWA uses IMAP as well. The POP3 Interface handles POP3 connections.

Slight correction: even omlogon/omsend will go through RCI. They need a hostname. omtidy* is using LCI.

Stunnel users like Valerion will have to correlate the audit log with the stunnel logs (e.g. /var/log/secure) to see the originating IP.

And a standard hint: If you turn on audit, take care of rotating the log, for example by using sxmaint.

Re: Email user signon history

Posted: Wed Mar 16, 2011 2:18 am
by jobus
Thanks, ls-al