Difference between revisions of "HowTos/Using the Audit logging"
From Scalix Wiki
| (25 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
| + | [[Scalix Wiki]] -> [[How-Tos]] -> '''Using the Audit logging''' | ||
| + | |||
'''Introduction''' | '''Introduction''' | ||
| Line 6: | Line 8: | ||
| + | '''Overview''' | ||
| + | The whole audit logging setup is configured through the file: | ||
| − | '' | + | ''/var/opt/scalix/*/s/sys/audit.cfg'' |
| + | In this file, you specify what activities are logged and for what Audit level they are logged | ||
| − | The | + | The commands for setting up Audit level logging are: |
| + | ''omshowaud'' - to show the current settings | ||
| − | '' | + | ''omconfaud'' - to configure the settings |
| − | + | If you want SWA sign-ons to show in audit logging, you have to set audit logging for the imap daemon, RCI logging won't show SWA (or other IMAP | |
| + | client) logins: | ||
| + | ''omconfaud -a imap 9'' | ||
| − | |||
| + | You can enable Audit logging on the various parts of Scalix. To see the complete list, | ||
| − | + | simply issue an ''omshowaud:'' | |
| − | + | ''$ omshowaud (shows services)'' | |
| + | Service Router 0 | ||
| + | Local Delivery 0 | ||
| + | Internet Mail Gateway 0 | ||
| + | Local Client Interface 0 | ||
| + | Remote Client Interface 0 | ||
| + | Administration 0 | ||
| + | Request Server 0 | ||
| + | Directory Synchronization 0 | ||
| + | Bulletin Board Server 0 | ||
| + | Background Search Service 0 | ||
| + | POP3 interface 0 | ||
| + | Omscan Server 0 | ||
| + | Archiver 0 | ||
| − | + | ''$ omshowaud -a (shows the background daemon)'' | |
| − | + | PC Monitor 0 | |
| + | Directory Relay Server 0 | ||
| + | Notification Server 0 | ||
| + | Shared memory daemon 0 | ||
| + | Notification Monitor 0 | ||
| + | Session Monitor 0 | ||
| + | Indexer 0 | ||
| + | Stats Daemon 0 | ||
| + | Container Access Monitor 0 | ||
| + | Item Structure Server 0 | ||
| + | Database Monitor 0 | ||
| + | Licence Monitor Daemon 0 | ||
| + | LDAP Daemon 0 | ||
| + | Queue Manager 0 | ||
| + | Item Delete Daemon 0 | ||
| + | IMAP Server Daemon 11 | ||
| + | SMTP Relay 13 | ||
| + | Mime Browser Controller 0 | ||
| + | Event Server 0 | ||
| + | Milter Server 0 | ||
| + | By default, everything is turned off! To see what information you get at the various levels you | ||
| + | must look at the ''audit.cfg'' file. | ||
| − | |||
| − | + | '''audit.cfg''' | |
| − | + | The entries in this file are grouped for each part of Scalix that knows about Audit logging. | |
| − | + | The first trick is working out the mapping between the part number within this ''audit.cfg'' file | |
| + | and the part name as specified in the ''omconfaud'' command. | ||
| − | + | The section commented as ''service router'' is pretty obvious, but how can you tell which | |
| + | sections relate to ''Remote Client Interface''? When you look in the ''audit.cfg'' file you do | ||
| + | not see any section called ''Remote Client Interface''...you see sections called ''user-signon'' | ||
| + | and ''user-signoff''. Indeed this had confused people for so long that we added an | ||
| + | extra file ''audit.map'' which shows these mappings. | ||
| − | + | It looks something like this: | |
| − | Administration | + | '$ cat ~scalix/*/s/sys/audit.map |
| + | # | ||
| + | # $Id: audit.map,v 1.2 2002/11/26 14:47:13 gren Exp $ | ||
| + | # | ||
| + | # This file maps entries in ~/sys/audit.cfg (1st col) to services (2nd col) | ||
| + | # | ||
| + | 1 2 # 'routing' to Service Router | ||
| + | 2 11 # 'omscan' to Administration | ||
| + | 3 8 # 'user-signon' to Local Client Interface | ||
| + | 3 9 # 'user-signon' to Remote Client Interface | ||
| + | 3 25 # 'user-signon' to P7 Client Interface | ||
| + | 4 8 # 'user-signoff' to Local Client Interface | ||
| + | 4 9 # 'user-signoff' to Remote Client Interface | ||
| + | 4 25 # 'user-signoff' to P7 Client Interface | ||
| + | 5 11 # 'subsystem-start' to Administration | ||
| + | 6 11 # 'subsystem-stop' to Administration | ||
| + | 7 16 # 'fax' to Fax Gateway | ||
| + | 8 3 # 'delivery' to Local Delivery | ||
| + | 9 18 # 'request' to Request Server | ||
| + | 10 4 # 'unix-in' to Internet Mail Gateway | ||
| + | 11 4 # 'unix-out' to Internet Mail Gateway | ||
| + | 12 6 # 'desk-in' to HPDesk Gateway | ||
| + | 13 6 # 'desk-out' to HPDesk Gateway | ||
| + | 14 5 # 'x400-in' to X400 Interface | ||
| + | 15 5 # 'x400-out' to X400 Interface | ||
| + | 16 24 # 'dirsync-in' to Directory Synchronization | ||
| + | 17 24 # 'dirsync-out' to Directory Synchronization | ||
| + | 18 26 # 'bulletin' to Bulletin Board Server | ||
| + | 19 29 # 'sms-out' to SMS Gateway | ||
| + | 20 29 # 'sms-in' to SMS Gateway | ||
| − | + | The next trick is to understand what parts of the ''audit.cfg'' file you can change and what parts | |
| + | are fixed: | ||
| − | + | The file format is as follows: | |
| − | + | # service router <----------------- Descriptive comment | |
| + | % 1 routing ~/logs/audit <-------- output... | ||
| + | 1 time 1 | ||
| + | 2 type 5 | ||
| + | 3 ua-message-id 1 | ||
| + | 4 ua-ack-id 3 <-------- The audit level that... | ||
| + | ^ ^ | ||
| + | | | | ||
| + | | -------text to be output | ||
| + | -------The Unique ID | ||
| − | + | You can change: | |
| − | + | • The text to be output | |
| − | + | • The output file name | |
| + | • The Audit level that produces this output | ||
| − | + | ...that’s all! | |
| + | As an example of the kind of things you can set up, here’s an extract of the ''audit.cfg'' file: | ||
| − | ' | + | # Copyright (C) 2003 Scalix Corporation. All rights reserved. |
| + | # (c) Copyright Hewlett-Packard Company 1989-1996. All Rights Reserved. | ||
| + | # | ||
| + | # @(#) $RCSfile: audit.cfg,v $ | ||
| + | # | ||
| + | # ********************************************************************* | ||
| + | # * If Scalix is running, then after editing this file, execute * | ||
| + | # * the command : * | ||
| + | # * 'omconfsm -f audit.cfg' * | ||
| + | # ********************************************************************* | ||
| + | # | ||
| + | # Default audit.cfg configuration file. Only the audit log filenames and the | ||
| + | # audit logging levels (the last number on each line) are administrator- | ||
| + | # configurable. Use omconfaud for normal audit configuration. | ||
| + | # | ||
| + | # Do not localise this file. Localise the scripts that read the audit log | ||
| + | # file instead. | ||
| + | # | ||
| + | # Field names should be less than 30 characters long. | ||
| + | # | ||
| + | # service router | ||
| + | % 1 routing ~/logs/audit | ||
| + | 1 time 1 | ||
| + | 2 type 5 | ||
| + | 3 ua-message-id 1 | ||
| + | 4 ua-ack-id 3 | ||
| + | 5 mta-message-id 1 | ||
| + | 6 mta-ack-id 3 | ||
| + | 10 subject 11 | ||
| + | 20 sensitivity 7 | ||
| + | 21 priority 7 | ||
| + | 22 importance 7 | ||
| + | 23 created-locally 7 | ||
| + | 30 originator 9 | ||
| + | 35 designate-originator 9 | ||
| + | 40 part-type 11 | ||
| + | 41 part-size 11 | ||
| + | 42 message-size 5 | ||
| + | 43 part-count 11 | ||
| + | 45 hop-count 7 | ||
| + | 50 recipient-from 9 | ||
| + | 51 recipient-to 9 | ||
| + | 52 recipient-cc 9 | ||
| + | 53 recipient-bcc 9 | ||
| + | 60 ack-req 7 | ||
| + | 61 message-filter-info 9 | ||
| + | 62 virus-cleaned 1 | ||
| + | 63 virus-uncleaned 1 | ||
| + | 70 queue 9 | ||
| + | 80 delivered-count 7 | ||
| + | 91 orig-recip 7 | ||
| + | 92 new-recip 7 | ||
| + | 95 non-delivery-reason 7 | ||
| + | 96 all-recips-non-deliv 7 | ||
| + | 98 max-nest-depth 11 | ||
| + | # omscan | ||
| + | % 2 omscan ~/logs/audit | ||
| + | 1 time 1 | ||
| + | 10 user 5 | ||
| + | 20 tray 7 | ||
| + | 30 user-messages 7 | ||
| + | 40 user-size 5 | ||
| + | 70 bb-area-messages 3 | ||
| + | 80 bb-area-size 3 | ||
| + | 90 duration 9 | ||
| + | # user-agent signon | ||
| + | % 3 user-signon ~/logs/audit | ||
| + | 1 time 1 | ||
| + | 10 user-agent-id 7 | ||
| + | 20 user 1 | ||
| + | 22 designate-user 1 | ||
| + | 23 delegate-user 1 | ||
| + | 24 mboxadmin-authenticator 1 | ||
| + | 25 client-type 9 | ||
| + | 30 signon-status 1 | ||
| + | 35 referral-host 1 | ||
| + | 40 client-ip 1 | ||
| + | # user-agent signoff-status 5 | ||
| + | ... | ||
| − | + | '''Example Output''' | |
| − | + | Here is an example of a person signing on: | |
| + | |||
| + | user-signon | ||
| + | time 1243340135 Tue May 26 13:15:35 2009 +60 | ||
| + | user-agent-id IMAP4 Server 11.4.4.12863 | ||
| + | client-type 14 | ||
| + | client-ip 10.11.108.216 | ||
| + | user 297 Martin Mustermann/uk,lab/CN=Martin Mustermann 9113 9113 | ||
| + | signon-status 0 | ||
| + | |||
| + | Here is an example of the Router logging at level 11: | ||
| + | |||
| + | routing | ||
| + | time 1243340145 Tue May 26 13:15:45 2009 +60 | ||
| + | type 1 reply | ||
| + | priority 0 normal | ||
| + | sensitivity 0 normal | ||
| + | importance 0 normal | ||
| + | created-locally 0 | ||
| + | hop-count 1 | ||
| + | subject RE: Inovativ in NL | ||
| + | ua-message-id 61E9B3368F843D41A17C835EE08653873DE4035F50(a)srv03 | ||
| + | mta-message-id 61E9B3368F843D41A17C835EE08653873DE4035F50(a)srv03 | ||
| + | ua-ack-id LDD16FEE33B394704890CD8C239A5F863.1243319145.testmail.xandros.com | ||
| + | originator Erwin.Musterman / internet DDT1=RFC-822; DDV1=Erwin.Mustermann@mustermann.nl; | ||
| + | part-size 368 | ||
| + | part-type 1166 DISTRIBUTION LIST | ||
| + | part-size 4121 | ||
| + | part-type 1167 TEXT | ||
| + | part-size 34812 | ||
| + | part-type 2133 HTML | ||
| + | part-size 4579 | ||
| + | part-type 1607 GIF | ||
| + | recipient-to Victoria Mustermann / scalix, scalix/CN=Victoria.mustermann | ||
| + | ack-req 0 none | ||
| + | queue SMINTFC:scalix@testmail.xandros.com | ||
| + | max-nest-depth 0 | ||
| + | message-size 47543 | ||
| + | part-count 4 | ||
| + | delivered-count 1 | ||
| + | |||
| + | Here is an example of a person signing-off: | ||
| + | |||
| + | user-signoff | ||
| + | time 1243340279 Tue May 26 13:17:59 2009 +60 | ||
| + | user 168 Martin Mustermann/uk,lab/CN=Martin Mustermann | ||
| + | duration 191 | ||
| + | signoff-status 0 | ||
| + | |||
| + | |||
| + | Here is an example of an email sent to the outside world | ||
| + | |||
| + | SMTP-Relay | ||
| + | time 1244022249 Wed Jun 3 10:44:09 2009 +60 | ||
| + | originator gregor.hoener@xandros.com | ||
| + | originator-domain mail.uk.scalix.com | ||
| + | authenticated-as Gregor_Hoener@mail.uk.scalix.com | ||
| + | recipient gregorhoener@yahoo.co.uk | ||
| + | recipient-target U | ||
| + | mta-message-id : <2078851746.221244022249720.JavaMail.root@mail.uk.scalix.com> | ||
| + | message-size 706 | ||
| + | hop-count 0 | ||
| + | summary-target U | ||
| + | |||
| + | unix-in | ||
| + | time 1244022249 Wed Jun 3 10:44:09 2009 +60 | ||
| + | originator <gregor.hoener@xandros.com> | ||
| + | unix-message-id 2078851746.221244022249720.JavaMail.root@mail.uk.scalix.com | ||
| + | ua-message-id 2078851746.221244022249720.JavaMail.root(a)mail.uk.scalix.com | ||
| + | subject TEST No. 2 | ||
| + | recipient-to gregorhoener / internet DDT1=RFC-822; DDV1=gregorhoener@yahoo.co.uk; <gregorhoener@yahoo.co.uk> | ||
| + | |||
| + | routing | ||
| + | time 1244022249 Wed Jun 3 10:44:09 2009 +60 | ||
| + | type 0 message | ||
| + | priority 0 normal | ||
| + | sensitivity 0 normal | ||
| + | importance 0 normal | ||
| + | created-locally 0 | ||
| + | hop-count 1 | ||
| + | ua-message-id 2078851746.221244022249720.JavaMail.root(a)mail.uk.scalix.com | ||
| + | mta-message-id 2078851746.221244022249720.JavaMail.root(a)mail.uk.scalix.com | ||
| + | subject TEST No. 2 | ||
| + | originator Gregor Hoener / uk, lab/CN=Gregor Hoener | ||
| + | part-size 562 | ||
| + | part-type 1166 DISTRIBUTION LIST | ||
| + | part-size 19 | ||
| + | part-type 1167 TEXT | ||
| + | recipient-to gregorhoener / internet DDT1=RFC-822; DDV1=gregorhoener@yahoo.co.uk; | ||
| + | ack-req 0 none | ||
| + | queue UNIX:MIME | ||
| + | max-nest-depth 0 | ||
| + | message-size 2172 | ||
| + | part-count 2 | ||
| + | delivered-count 1 | ||
| + | |||
| + | unix-out | ||
| + | time 1244022249 Wed Jun 3 10:44:09 2009 +60 | ||
| + | hop-count 1 | ||
| + | type 0 | ||
| + | ua-message-id 2078851746.221244022249720.JavaMail.root(a)mail.uk.scalix.com | ||
| + | unix-message-id 2078851746.221244022249720.JavaMail.root@mail.uk.scalix.com | ||
| + | mta-message-id 2078851746.221244022249720.JavaMail.root@mail.uk.scalix.com | ||
| + | subject TEST No. 2 | ||
| + | originator Gregor Hoener / uk, lab/CN=Gregor Hoener <gregor.hoener@xandros.com> | ||
| + | recipient-to gregorhoener / internet DDT1=RFC-822; DDV1=gregorhoener@yahoo.co.uk; <gregorhoener@yahoo.co.uk> | ||
| + | |||
| + | Here is an example of an email comes in from the outside | ||
| + | |||
| + | SMTP-Relay | ||
| + | time 1244025282 Wed Jun 3 11:34:42 2009 +60 | ||
| + | originator scalix@relay1.xandros.com | ||
| + | originator-domain relay1.xandros.com | ||
| + | recipient scalix@mail.uk.scalix.com | ||
| + | recipient-target X | ||
| + | mta-message-id : 394426.20607.qm(a)web24401.mail.ird.yahoo.com | ||
| + | message-size 5961 | ||
| + | hop-count 1 | ||
| + | summary-target X | ||
| + | |||
| + | routing | ||
| + | time 1244025283 Wed Jun 3 11:34:43 2009 +60 | ||
| + | type 0 message | ||
| + | priority 0 normal | ||
| + | sensitivity 0 normal | ||
| + | importance 0 normal | ||
| + | created-locally 0 | ||
| + | hop-count 2 | ||
| + | ua-message-id 394426.20607.qm(a)web24401.mail.ird.yahoo.com | ||
| + | mta-message-id 394426.20607.qm(a)web24401.mail.ird.yahoo.com | ||
| + | subject TEST 3 | ||
| + | originator gregorhoener / internet DDT1=RFC-822; DDV1=gregorhoener@yahoo.co.uk; | ||
| + | part-size 366 | ||
| + | part-type 1166 DISTRIBUTION LIST | ||
| + | part-size 10 | ||
| + | part-type 1167 TEXT | ||
| + | part-size 214 | ||
| + | part-type 2133 HTML | ||
| + | recipient-to Gregor Hoener / uk, lab/CN=Gregor Hoener | ||
| + | ack-req 0 none | ||
| + | queue LOCAL | ||
| + | max-nest-depth 0 | ||
| + | message-size 3643 | ||
| + | part-count 3 | ||
| + | delivered-count 1 | ||
| + | |||
| + | delivery | ||
| + | time 1244025283 Wed Jun 3 11:34:43 2009 +60 | ||
| + | priority 0 normal | ||
| + | sensitivity 0 normal | ||
| + | importance 0 normal | ||
| + | type 0 message | ||
| + | ua-message-id 394426.20607.qm(a)web24401.mail.ird.yahoo.com | ||
| + | mta-message-id 394426.20607.qm(a)web24401.mail.ird.yahoo.com | ||
| + | create-time 1244025230 Wed Jun 3 11:33:50 2009 +60 | ||
| + | subject TEST 3 | ||
| + | originator gregorhoener / internet DDT1=RFC-822; DDV1=gregorhoener@yahoo.co.uk; | ||
| + | recipient-to Gregor Hoener / uk, lab/CN=Gregor Hoener | ||
| + | delivered-count 1 | ||
| + | |||
| + | |||
| + | |||
| + | '''Analyzing Audit Log Output''' | ||
| + | |||
| + | By default, all audit logs are written to the file ''~/logs/audit'' and this is a simple | ||
| + | text file. You can change this behaviour by editing ''audit.cfg'' so that various parts output to | ||
| + | different files - it depends on how you intend to work with it. If you intend to write scripts to | ||
| + | take this output you might find it easier to work with one file or with many files. It’s up to you. | ||
| + | But, assuming the default where everything is writing to is ''~/logs/audit'', this makes it a | ||
| + | great real-time troubleshooting tool. You can set up your audit logging levels and then set up a | ||
| + | window that is doing a tail -f on the ''~/logs/audit'' file. Now when you send your test | ||
| + | message you see it actually logging in the audit log as it happens. | ||
| + | This can be very good when trying to troubleshoot gateway problems, where you want to see if | ||
| + | the message was actually sent from Scalix (or received). Also, for Directory or Public-Folder | ||
| + | synchronisation, this is very useful, as you can see messages going out/in the system(s). | ||
| + | |||
| + | '''Age the Scalix audit log''' | ||
| + | |||
| + | The Scalix audit log (''/var/opt/scalix/*/s/logs/audit'') should be aged on a daily basis. | ||
| + | Check-out the man page for sxmaint for more information | ||
| + | |||
| + | This is an example for a typically cron: | ||
| + | |||
| + | |||
| + | minute hour monthday month weekday command | ||
| + | 00,30 * * * * /opt/scalix/bin/sxmaint -frequent | ||
| + | 01 0 * * * /opt/scalix/bin/sxmaint -daily | ||
| + | 15 2 * * 0 /opt/scalix/bin/sxmaint -weekly | ||
| + | |||
| + | [[Category:Howto-Core]] | ||
| + | [[Category:Reviewed2016]] | ||
Latest revision as of 15:50, 29 September 2016
Scalix Wiki -> How-Tos -> Using the Audit logging
Introduction
Audit level logging was originally implemented so that Scalix administrators could extract accounting information. They could determine how often people were logging on, for how long, etc., in order to bill for connection time. The actual output of the Audit logs is pretty basic, but there are already a number of people who have written scripts to take this output and produce PC-format files that can be fed into graphics packages to produce lovely statistics of message pass-through rates etc..
Although originally written with accounting in mind, Audit logging should not be overlooked as a debugging/troubleshooting tool. Indeed, you should consider using Audit logging as your first mechanism when trying to see what’s happening on the system.
Overview
The whole audit logging setup is configured through the file:
/var/opt/scalix/*/s/sys/audit.cfg
In this file, you specify what activities are logged and for what Audit level they are logged
The commands for setting up Audit level logging are:
omshowaud - to show the current settings
omconfaud - to configure the settings
If you want SWA sign-ons to show in audit logging, you have to set audit logging for the imap daemon, RCI logging won't show SWA (or other IMAP
client) logins:
omconfaud -a imap 9
You can enable Audit logging on the various parts of Scalix. To see the complete list,
simply issue an omshowaud:
$ omshowaud (shows services)
Service Router 0 Local Delivery 0 Internet Mail Gateway 0 Local Client Interface 0 Remote Client Interface 0 Administration 0 Request Server 0 Directory Synchronization 0 Bulletin Board Server 0 Background Search Service 0 POP3 interface 0 Omscan Server 0 Archiver 0
$ omshowaud -a (shows the background daemon)
PC Monitor 0 Directory Relay Server 0 Notification Server 0 Shared memory daemon 0 Notification Monitor 0 Session Monitor 0 Indexer 0 Stats Daemon 0 Container Access Monitor 0 Item Structure Server 0 Database Monitor 0 Licence Monitor Daemon 0 LDAP Daemon 0 Queue Manager 0 Item Delete Daemon 0 IMAP Server Daemon 11 SMTP Relay 13 Mime Browser Controller 0 Event Server 0 Milter Server 0
By default, everything is turned off! To see what information you get at the various levels you must look at the audit.cfg file.
audit.cfg
The entries in this file are grouped for each part of Scalix that knows about Audit logging.
The first trick is working out the mapping between the part number within this audit.cfg file and the part name as specified in the omconfaud command.
The section commented as service router is pretty obvious, but how can you tell which sections relate to Remote Client Interface? When you look in the audit.cfg file you do not see any section called Remote Client Interface...you see sections called user-signon and user-signoff. Indeed this had confused people for so long that we added an extra file audit.map which shows these mappings.
It looks something like this:
'$ cat ~scalix/*/s/sys/audit.map
#
# $Id: audit.map,v 1.2 2002/11/26 14:47:13 gren Exp $
#
# This file maps entries in ~/sys/audit.cfg (1st col) to services (2nd col)
#
1 2 # 'routing' to Service Router
2 11 # 'omscan' to Administration
3 8 # 'user-signon' to Local Client Interface
3 9 # 'user-signon' to Remote Client Interface
3 25 # 'user-signon' to P7 Client Interface
4 8 # 'user-signoff' to Local Client Interface
4 9 # 'user-signoff' to Remote Client Interface
4 25 # 'user-signoff' to P7 Client Interface
5 11 # 'subsystem-start' to Administration
6 11 # 'subsystem-stop' to Administration
7 16 # 'fax' to Fax Gateway
8 3 # 'delivery' to Local Delivery
9 18 # 'request' to Request Server
10 4 # 'unix-in' to Internet Mail Gateway
11 4 # 'unix-out' to Internet Mail Gateway
12 6 # 'desk-in' to HPDesk Gateway
13 6 # 'desk-out' to HPDesk Gateway
14 5 # 'x400-in' to X400 Interface
15 5 # 'x400-out' to X400 Interface
16 24 # 'dirsync-in' to Directory Synchronization
17 24 # 'dirsync-out' to Directory Synchronization
18 26 # 'bulletin' to Bulletin Board Server
19 29 # 'sms-out' to SMS Gateway
20 29 # 'sms-in' to SMS Gateway
The next trick is to understand what parts of the audit.cfg file you can change and what parts are fixed:
The file format is as follows:
# service router <----------------- Descriptive comment
% 1 routing ~/logs/audit <-------- output...
1 time 1
2 type 5
3 ua-message-id 1
4 ua-ack-id 3 <-------- The audit level that...
^ ^
| |
| -------text to be output
-------The Unique ID
You can change:
• The text to be output
• The output file name
• The Audit level that produces this output
...that’s all!
As an example of the kind of things you can set up, here’s an extract of the audit.cfg file:
# Copyright (C) 2003 Scalix Corporation. All rights reserved.
# (c) Copyright Hewlett-Packard Company 1989-1996. All Rights Reserved.
#
# @(#) $RCSfile: audit.cfg,v $
#
# *********************************************************************
# * If Scalix is running, then after editing this file, execute *
# * the command : *
# * 'omconfsm -f audit.cfg' *
# *********************************************************************
#
# Default audit.cfg configuration file. Only the audit log filenames and the
# audit logging levels (the last number on each line) are administrator-
# configurable. Use omconfaud for normal audit configuration.
#
# Do not localise this file. Localise the scripts that read the audit log
# file instead.
#
# Field names should be less than 30 characters long.
#
# service router
% 1 routing ~/logs/audit
1 time 1
2 type 5
3 ua-message-id 1
4 ua-ack-id 3
5 mta-message-id 1
6 mta-ack-id 3
10 subject 11
20 sensitivity 7
21 priority 7
22 importance 7
23 created-locally 7
30 originator 9
35 designate-originator 9
40 part-type 11
41 part-size 11
42 message-size 5
43 part-count 11
45 hop-count 7
50 recipient-from 9
51 recipient-to 9
52 recipient-cc 9
53 recipient-bcc 9
60 ack-req 7
61 message-filter-info 9
62 virus-cleaned 1
63 virus-uncleaned 1
70 queue 9
80 delivered-count 7
91 orig-recip 7
92 new-recip 7
95 non-delivery-reason 7
96 all-recips-non-deliv 7
98 max-nest-depth 11
# omscan
% 2 omscan ~/logs/audit
1 time 1
10 user 5
20 tray 7
30 user-messages 7
40 user-size 5
70 bb-area-messages 3
80 bb-area-size 3
90 duration 9
# user-agent signon
% 3 user-signon ~/logs/audit
1 time 1
10 user-agent-id 7
20 user 1
22 designate-user 1
23 delegate-user 1
24 mboxadmin-authenticator 1
25 client-type 9
30 signon-status 1
35 referral-host 1
40 client-ip 1
# user-agent signoff-status 5
...
Example Output
Here is an example of a person signing on:
user-signon
time 1243340135 Tue May 26 13:15:35 2009 +60
user-agent-id IMAP4 Server 11.4.4.12863
client-type 14
client-ip 10.11.108.216
user 297 Martin Mustermann/uk,lab/CN=Martin Mustermann 9113 9113
signon-status 0
Here is an example of the Router logging at level 11:
routing
time 1243340145 Tue May 26 13:15:45 2009 +60
type 1 reply
priority 0 normal
sensitivity 0 normal
importance 0 normal
created-locally 0
hop-count 1
subject RE: Inovativ in NL
ua-message-id 61E9B3368F843D41A17C835EE08653873DE4035F50(a)srv03
mta-message-id 61E9B3368F843D41A17C835EE08653873DE4035F50(a)srv03
ua-ack-id LDD16FEE33B394704890CD8C239A5F863.1243319145.testmail.xandros.com
originator Erwin.Musterman / internet DDT1=RFC-822; DDV1=Erwin.Mustermann@mustermann.nl;
part-size 368
part-type 1166 DISTRIBUTION LIST
part-size 4121
part-type 1167 TEXT
part-size 34812
part-type 2133 HTML
part-size 4579
part-type 1607 GIF
recipient-to Victoria Mustermann / scalix, scalix/CN=Victoria.mustermann
ack-req 0 none
queue SMINTFC:scalix@testmail.xandros.com
max-nest-depth 0
message-size 47543
part-count 4
delivered-count 1
Here is an example of a person signing-off:
user-signoff
time 1243340279 Tue May 26 13:17:59 2009 +60
user 168 Martin Mustermann/uk,lab/CN=Martin Mustermann
duration 191
signoff-status 0
Here is an example of an email sent to the outside world
SMTP-Relay
time 1244022249 Wed Jun 3 10:44:09 2009 +60
originator gregor.hoener@xandros.com
originator-domain mail.uk.scalix.com
authenticated-as Gregor_Hoener@mail.uk.scalix.com
recipient gregorhoener@yahoo.co.uk
recipient-target U
mta-message-id : <2078851746.221244022249720.JavaMail.root@mail.uk.scalix.com>
message-size 706
hop-count 0
summary-target U
unix-in
time 1244022249 Wed Jun 3 10:44:09 2009 +60
originator <gregor.hoener@xandros.com>
unix-message-id 2078851746.221244022249720.JavaMail.root@mail.uk.scalix.com
ua-message-id 2078851746.221244022249720.JavaMail.root(a)mail.uk.scalix.com
subject TEST No. 2
recipient-to gregorhoener / internet DDT1=RFC-822; DDV1=gregorhoener@yahoo.co.uk; <gregorhoener@yahoo.co.uk>
routing
time 1244022249 Wed Jun 3 10:44:09 2009 +60
type 0 message
priority 0 normal
sensitivity 0 normal
importance 0 normal
created-locally 0
hop-count 1
ua-message-id 2078851746.221244022249720.JavaMail.root(a)mail.uk.scalix.com
mta-message-id 2078851746.221244022249720.JavaMail.root(a)mail.uk.scalix.com
subject TEST No. 2
originator Gregor Hoener / uk, lab/CN=Gregor Hoener
part-size 562
part-type 1166 DISTRIBUTION LIST
part-size 19
part-type 1167 TEXT
recipient-to gregorhoener / internet DDT1=RFC-822; DDV1=gregorhoener@yahoo.co.uk;
ack-req 0 none
queue UNIX:MIME
max-nest-depth 0
message-size 2172
part-count 2
delivered-count 1
unix-out
time 1244022249 Wed Jun 3 10:44:09 2009 +60
hop-count 1
type 0
ua-message-id 2078851746.221244022249720.JavaMail.root(a)mail.uk.scalix.com
unix-message-id 2078851746.221244022249720.JavaMail.root@mail.uk.scalix.com
mta-message-id 2078851746.221244022249720.JavaMail.root@mail.uk.scalix.com
subject TEST No. 2
originator Gregor Hoener / uk, lab/CN=Gregor Hoener <gregor.hoener@xandros.com>
recipient-to gregorhoener / internet DDT1=RFC-822; DDV1=gregorhoener@yahoo.co.uk; <gregorhoener@yahoo.co.uk>
Here is an example of an email comes in from the outside
SMTP-Relay
time 1244025282 Wed Jun 3 11:34:42 2009 +60
originator scalix@relay1.xandros.com
originator-domain relay1.xandros.com
recipient scalix@mail.uk.scalix.com
recipient-target X
mta-message-id : 394426.20607.qm(a)web24401.mail.ird.yahoo.com
message-size 5961
hop-count 1
summary-target X
routing
time 1244025283 Wed Jun 3 11:34:43 2009 +60
type 0 message
priority 0 normal
sensitivity 0 normal
importance 0 normal
created-locally 0
hop-count 2
ua-message-id 394426.20607.qm(a)web24401.mail.ird.yahoo.com
mta-message-id 394426.20607.qm(a)web24401.mail.ird.yahoo.com
subject TEST 3
originator gregorhoener / internet DDT1=RFC-822; DDV1=gregorhoener@yahoo.co.uk;
part-size 366
part-type 1166 DISTRIBUTION LIST
part-size 10
part-type 1167 TEXT
part-size 214
part-type 2133 HTML
recipient-to Gregor Hoener / uk, lab/CN=Gregor Hoener
ack-req 0 none
queue LOCAL
max-nest-depth 0
message-size 3643
part-count 3
delivered-count 1
delivery
time 1244025283 Wed Jun 3 11:34:43 2009 +60
priority 0 normal
sensitivity 0 normal
importance 0 normal
type 0 message
ua-message-id 394426.20607.qm(a)web24401.mail.ird.yahoo.com
mta-message-id 394426.20607.qm(a)web24401.mail.ird.yahoo.com
create-time 1244025230 Wed Jun 3 11:33:50 2009 +60
subject TEST 3
originator gregorhoener / internet DDT1=RFC-822; DDV1=gregorhoener@yahoo.co.uk;
recipient-to Gregor Hoener / uk, lab/CN=Gregor Hoener
delivered-count 1
Analyzing Audit Log Output
By default, all audit logs are written to the file ~/logs/audit and this is a simple text file. You can change this behaviour by editing audit.cfg so that various parts output to different files - it depends on how you intend to work with it. If you intend to write scripts to take this output you might find it easier to work with one file or with many files. It’s up to you. But, assuming the default where everything is writing to is ~/logs/audit, this makes it a great real-time troubleshooting tool. You can set up your audit logging levels and then set up a window that is doing a tail -f on the ~/logs/audit file. Now when you send your test message you see it actually logging in the audit log as it happens. This can be very good when trying to troubleshoot gateway problems, where you want to see if the message was actually sent from Scalix (or received). Also, for Directory or Public-Folder synchronisation, this is very useful, as you can see messages going out/in the system(s).
Age the Scalix audit log
The Scalix audit log (/var/opt/scalix/*/s/logs/audit) should be aged on a daily basis. Check-out the man page for sxmaint for more information
This is an example for a typically cron:
minute hour monthday month weekday command
00,30 * * * * /opt/scalix/bin/sxmaint -frequent
01 0 * * * /opt/scalix/bin/sxmaint -daily
15 2 * * 0 /opt/scalix/bin/sxmaint -weekly
