Email user signon history

jobus · Postby **jobus** » Fri Mar 11, 2011 2:29 am

Hi
I need to see the signon history of an email user. I know "omshowu -n authentication-id" gives you a Last Signon date and time, but I need to find a history of logins. Employer is stating that he never was told about his email credentials and thus is refusing to except liability. He has signed on now but I need to see a more historic list.

Regards

Joe

Valerion · Postby **Valerion** » Mon Mar 14, 2011 7:07 am

If you have auditing enabled you will get messages like:

user-signon
time 1300100192 Mon Mar 14 12:56:32 2011 +120
user-agent-id Outlook 12.0.6550.0 - Scalix Connect for Microsoft Outlook 11.4.6.9214
client-type 15
client-ip 127.0.0.1
user 103 <REMOVED> 500 500
signon-status 0

in your audit log. However, you need to enable this first, it's not on by default.

jobus · Postby **jobus** » Mon Mar 14, 2011 8:02 am

Thank you for your reply. Currently my Audit Log's statuses are as follows:

Service Router 0
Local Delivery 0
Internet Mail Gateway 0
Local Client Interface 0
Remote Client Interface 0
Administration 0
Request Server 0
Directory Synchronization 0
Bulletin Board Server 0
Background Search Service 0
POP3 interface 11
Omscan Server 0
Archiver 0

Which one should be On and at what Level?

Valerion · Postby **Valerion** » Mon Mar 14, 2011 9:16 am

Remote Client Interface, IIRC. I don't have access to a server right now. I normally set mine to 15, but that's WAY overkill.

mikethebike · Postby **mikethebike** » Mon Mar 14, 2011 9:18 am

You would need remote client set to 9
omconfaud rci 9

That will only start logging info from the time you set it.

I seem to remember you can check what the vearious levels log by looking at the ~/sys/audit.cfg file...but do not change anything in that file

Mick

jobus · Postby **jobus** » Mon Mar 14, 2011 9:33 am

Is RCI not just for Browse/Webmail access? Would you not also have LCI on for users accessing through mail clients?

Valerion · Postby **Valerion** » Mon Mar 14, 2011 10:32 am

Local Client Interface is for clients running on the local machine (omlogon, omsend, etc). Remote Client Interface is for all UAL (Outlook) and IMAP connections. SWA uses IMAP as well. The POP3 Interface handles POP3 connections.

jobus · Postby **jobus** » Mon Mar 14, 2011 10:36 am

Thanks a lot Valerion and Mike.

ls-al · Postby **ls-al** » Tue Mar 15, 2011 5:28 pm

Valerion wrote:Local Client Interface is for clients running on the local machine (omlogon, omsend, etc). Remote Client Interface is for all UAL (Outlook) and IMAP connections. SWA uses IMAP as well. The POP3 Interface handles POP3 connections.

slight correction: even omlogon/omsend will go through RCI. They need a hostname. omtidy* is using LCI.

Stunnel users like Valerion will have to correlate the audit log with the stunnel logs (e.g. /var/log/secure) to see the originating IP.

And a standard hint: If you turn on audit, take care of rotating the log, for example by using sxmaint.

jobus · Postby **jobus** » Wed Mar 16, 2011 2:18 am

Thanks, ls-al

Scalix Forums

Email user signon history

Email user signon history

Re: Email user signon history

Re: Email user signon history

Re: Email user signon history

Re: Email user signon history

Re: Email user signon history

Re: Email user signon history

Re: Email user signon history

Re: Email user signon history

Re: Email user signon history

Who is online