messagestore.xml draft
Joost van Baal
joostvb at logreport.org
Thu Feb 7 17:39:29 CET 2002
Hi Cedric,
I reply to the development list, so that other people can contribute.
Of course, I anonymized your log snippets.
On Thu, Feb 07, 2002 at 02:23:50PM +0100, gross, cedric wrote:
> This is first draft of the file :
>
<snip>
>
> <lire:field name="time" type="timestamp"/>
> <lire:field name="remote_host" type="hostname"/>
> <lire:field name="remote_ip" type="ip"/>
> <lire:field name="downloaded_size" type="bytes"/>
> <lire:field name="downloaded_message" type="int"/>
> <lire:field name="stored_size" type="bytes"/>
> <lire:field name="stored_message" type="int"/>
> <lire:field name="username" type="string"/>
>
<snip>
>
Thanks a lot!
The qpopper logfile shows lines like:
Jan 14 18:07:51.948 2002 [50648] Stats: cgross 0 0 0 0 XXX.161.230.141 XXX.161.230.141
Jan 14 18:09:49.680 2002 [50945] (v4.0.3) Unable to get canonical name of client XXX.161.230.141: hostname nor servname provided, or not known (8)
Dec 22 01:59:51.236 2001 [48995] fhuitorel at XXX.161.230.141 (XXX.161.230.141): -ERR [AUTH] Password supplied for "fhuitorel" is incorrect.
Dec 22 01:59:51.236 2001 [48995] [AUTH] Failed attempted login to fhuitorel from host (XXX.161.230.141) XXX.161.230.141
The courier-imap log shows only lines like:
Feb 1 00:15:27 srv1 pop3d: LOGIN FAILED, ip=[::ffff:XXX.161.230.141]
Feb 1 00:16:58 srv1 pop3d: Connection, ip=[::ffff:XXX.8.54.164]
Feb 1 00:16:58 srv1 pop3d: LOGIN, user=cgross at example.com, ip=[::ffff:XXX.8.54.164]
Feb 1 00:16:58 srv1 pop3d: LOGOUT, user=cgross at example.com, ip=[::ffff:XXX.8.54.164], top=0, retr=0
We've been brainstorming about logs like these, and are thinking about defining
a login superservice for this. The events happening are very similar to:
Feb 3 14:51:01 topaz sshd[11611]: Accepted password for hajo from XXX.187.92.176 port 1225
Feb 3 14:51:11 topaz PAM_unix[11611]: (ssh) session closed for user hajo
Feb 3 15:42:24 topaz sshd[353]: Generating new 768 bit RSA key.
Feb 3 15:42:24 topaz sshd[353]: RSA key generation complete.
Feb 3 16:09:08 topaz sshd[14745]: fatal: Timeout before authentication for XXX.218.153.179.
Feb 3 16:42:24 topaz sshd[353]: Generating new 768 bit RSA key.
Feb 3 16:42:25 topaz sshd[353]: RSA key generation complete.
Feb 3 17:54:28 topaz sshd[20712]: Accepted password for hajo from XXX.187.92.176 port 1376
Feb 3 17:54:28 topaz PAM_unix[20712]: (ssh) session opened for user hajo by (uid=0)
Feb 4 08:59:54 topaz su[2891]: + pts/3 root-mhonarc
Feb 4 08:59:54 topaz PAM_unix[2891]: (su) session opened for user mhonarc by root(uid=0)
Feb 6 23:12:53 topaz sshd[334]: Generating new 768 bit RSA key.
Feb 6 23:12:54 topaz sshd[334]: RSA key generation complete.
Feb 6 23:18:28 topaz sshd[9050]: fatal: Timeout before authentication for XXX.83.60.20.
Feb 7 00:29:32 topaz sshd[13320]: WARNING: /etc/ssh/primes does not exist, using old prime
Feb 7 00:29:37 topaz sshd[13320]: Accepted password for joost from XXX.195.6.16 port 1119 ssh2
(an sshd, su, and pam logfile.)
When dealing with imap or pop logfiles, we could split it in a
login-style log file, and a pure messagestore logfile. See e.g.
http://logreport.org/contact/lists/development/msg00438.php . When
generating reports, we could merge the information extracted from the
two dlf's. This would make it easy to show reports on failed
authentications too.
qpopper is http://www.eudora.com/qpopper/ , from Qualcomm, isn't it?
Ha! I found http://www.eudora.com/qpopper/faq.html#stats , now I
understand the log you've sent :)
Stats: cgross 0 0 0 0 XXX.161.230.141 XXX.161.230.141
is
Stats: username nof_msgs_deleted nof_bytes_in_deleted_msgs nof_msgs_left_on_server size_of_spool_left_on_server client_name client_ip
So, each line in the dlf format you propose would represent a
usersession. I guess that's a sane thing to do for now. In your
proposal there's no information about the authentication events, so I
feel that's ok for now, we could do the login support later.
I would like to add your messagestore.xml to our CVS, if that's ok with
you. We could distribute it with next Lire release (or maybe the one
after the feb 14 release.) However, before we can do this, we need to
know what you allow other users to do with it. If you offer the code to
us under the GPL, the modified BSD license or any other GPL compatible
license, we are very happy to ship it with Lire, and maintain it. You
can read the complete story in the "I wanna contribute code, and would
like it to get distributed as a part of Lire, what should I do,
license-wise?"-faq entry in service/doc/faq.dbx (typeset on
http://logreport.org/pub/cvs-snapshots/lire-20020214-pre1/doc/faq/ ).
Bye,
Joost
--
Joost van Baal . . http://www.logreport.org/
. .
/^LogReport$/ . . joostvb at logreport.org
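
Added example, not part of the original mail and not Lire code: a sketch of the split discussed above, turning qpopper and courier pop3d lines into per-session messagestore records (using the Stats field names quoted from the qpopper FAQ) and separate login-style events, so that failed authentications can be reported per client address. The sample lines are constructed in the formats quoted in the mail; the usernames, the 192.0.2.x documentation addresses, the "@" in the courier user field and the names split_events and failed_logins_by_ip are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the formats quoted in the mail; usernames are
# made up and the addresses are RFC 5737 documentation addresses.
SAMPLE = """\
Jan 14 18:07:51.948 2002 [50648] Stats: alice 2 4096 10 51200 client.example.com 192.0.2.10
Dec 22 01:59:51.236 2001 [48995] [AUTH] Failed attempted login to bob from host (192.0.2.66) 192.0.2.66
Dec 22 02:00:03.101 2001 [48996] [AUTH] Failed attempted login to bob from host (192.0.2.66) 192.0.2.66
Feb  1 00:15:27 srv1 pop3d: LOGIN FAILED, ip=[::ffff:192.0.2.66]
Feb  1 00:16:58 srv1 pop3d: LOGIN, user=alice@example.com, ip=[::ffff:192.0.2.10]
Feb  1 00:16:58 srv1 pop3d: LOGOUT, user=alice@example.com, ip=[::ffff:192.0.2.10], top=0, retr=0
""".splitlines()

STATS_FIELDS = ("nof_msgs_deleted", "nof_bytes_in_deleted_msgs",
                "nof_msgs_left_on_server", "size_of_spool_left_on_server")
STATS = re.compile(r"\[\d+\] Stats: (\S+) (\d+) (\d+) (\d+) (\d+) (\S+) (\S+)$")
# qpopper logs two lines per bad password; match only one to avoid double counts.
QPOP_FAIL = re.compile(r"\[AUTH\] Failed attempted login to (\S+) from host \((\S*)\) (\S+)$")
COURIER = re.compile(r"pop3d: (LOGIN FAILED|LOGIN|LOGOUT),(?: user=(\S+),)? ip=\[(?:::ffff:)?([^\]]+)\]")

def split_events(lines):
    """Return (sessions, auth_events) from mixed qpopper / courier pop3d lines."""
    sessions, auth = [], []
    for line in lines:
        if m := STATS.search(line):
            user, *nums, host, ip = m.groups()
            rec = dict(zip(STATS_FIELDS, map(int, nums)))
            rec.update(username=user, client_name=host, client_ip=ip)
            sessions.append(rec)
        elif m := QPOP_FAIL.search(line):
            auth.append({"service": "qpopper", "result": "failed",
                         "user": m[1], "ip": m[3]})
        elif m := COURIER.search(line):
            action, user, ip = m.groups()
            if action != "LOGOUT":  # LOGOUT ends a session, it is not a login event
                result = "failed" if action == "LOGIN FAILED" else "ok"
                auth.append({"service": "courier-pop3d", "result": result,
                             "user": user, "ip": ip})
    return sessions, auth

def failed_logins_by_ip(auth):
    """Count failed authentications per client address across both services."""
    return Counter(e["ip"] for e in auth if e["result"] == "failed")
```

Note that the courier LOGIN FAILED line carries no username, so those events can only be grouped by address.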