---------------------------- Original Message ---------------------------- Subject: RE: [Imap-uw] Failed logins in Debian 8 (old-stable) From: [email protected] Date: Fri, April 27, 2018 4:13 pm To: [email protected] --------------------------------------------------------------------------
Just realized that link doesn't work for me , below is what i was attempting to say....those <37> and <22> entries are the facility and severity levels being sent to syslog, would be interesting to see how yours compares. [root@www ~]# strace -vff -p $(pgrep inetd) -s100 -e trace=send 2>&1 | grep Login [pid 25619] send(2, "<37>Apr 27 16:11:12 imapd[25619]: Login failed user=badloginname auth=badloginname host=localhost [1"..., 109, MSG_NOSIGNAL) = 109 ^C [root@www ~]# strace -vff -p $(pgrep inetd) -s100 -e trace=send 2>&1 | grep Login [pid 25625] send(2, "<22>Apr 27 16:11:27 imapd[25625]: Login user=phillip host=localhost [127.0.0.1]", 79, MSG_NOSIGNAL) = 79 > Thanks! > > Ken > > -----Original Message----- > From: [email protected] [mailto:[email protected]] > Sent: Friday, April 27, 2018 3:33 PM > To: [email protected] > Subject: Re: [Imap-uw] Failed logins in Debian 8 (old-stable) > > Ken, i did some testing on my own and the below link shows my > testing...You > can see the facility & severity level being sent from inet > -> syslog of a failed & successfull login. (37) looks to be sent when a > failed login happens...(22) on a successfull one. > > http://deanengineering.us/paste/?f99faa4d9b9d27e4#ZkTMINq4V55AOC44vlJmL3Zyt9 > /CUFUvuhP1MHUSHWE= > > Hopefully this helps you , you can sniff the traffic being sent over the > socket using strace > >> Mats, >> >> Thanks for the helpful reply. >> >> On inspection, rsyslog.conf and the contents of rsyslog.d pre-date >> Debian 7. >> >> >> >> The messages with respect to successful ipop3d and imapd usage in >> mail.log are still present. Only the failed login messages, formerly >> in /var/log/auth.log, have gone missing. Anyone know of a way to spy >> on calls to syslog(3)? >> >> Thanks all, >> >> Ken >> >> >> >> -----Original Message----- >> From: Mats Dufberg [mailto:[email protected]] >> Sent: Monday, April 23, 2018 4:54 PM >> To: Ken Johnson >> Cc: [email protected] >> Subject: Re: [Imap-uw] Failed logins in Debian 8 (old-stable) >> >> On Apr 23, 2018, 12:30 (-0500) Ken Johnson <[email protected]> wrote: >> >>> Running uw-imap under Debian 8. Under Debian 7, failed logins would >>> show up in /var/log/auth.log. >>> >>> That no longer happens in Debian 8. >> >> Have you checked configuration of syslog, e.g. syslog.conf? imapd >> sends its log messages to syslog, and syslogd will save them into >> files. Enable logging of all facilities into different log files on >> INFO level to see where they go. >> >> >> Mats >> >> ----------------------------------------------------------------- >> | Mats Dufberg [email protected] | >> | Spånga kyrkväg 618 +46-8-384859 | >> | SE-16362 Spånga, Sweden +46-70-258 2588 | >> ----------------------------------------------------------------- >> >> _______________________________________________ >> Imap-uw mailing list >> [email protected] >> http://mailman13.u.washington.edu/mailman/listinfo/imap-uw >> > > > _______________________________________________ Imap-uw mailing list [email protected] http://mailman13.u.washington.edu/mailman/listinfo/imap-uw
