messagestore.xml draft

gross, cedric C.Gross at HAYWARD.FR
Thu Feb 7 17:49:15 CET 2002



> From: Joost van Baal [mailto:joostvb at logreport.org]
> Sent: Thursday, 7 February 2002 17:39
> Hi Cedric,
> 
> I reply to the development list, so that other people can contribute.
> Of course, I anonymized your log snippets.
> 
> On Thu, Feb 07, 2002 at 02:23:50PM +0100, gross, cedric wrote:
> > This is first draft of the file :
> >
> <snip>
> >
> > <lire:field name="time"                type="timestamp"/>
> > <lire:field name="remote_host"         type="hostname"/>
> > <lire:field name="remote_ip"           type="ip"/>
> > <lire:field name="downloaded_size"     type="bytes"/>
> > <lire:field name="downloaded_message"  type="int"/>
> > <lire:field name="stored_size"         type="bytes"/>
> > <lire:field name="stored_message"      type="int"/>
> > <lire:field name="username"            type="string"/>
> >
> <snip>
> >
> 
> Thanks a lot!
> 
> The qpopper logfile shows lines like:
> 
> Jan 14 18:07:51.948 2002 [50648] Stats: cgross 0 0 0 0 XXX.161.230.141 XXX.161.230.141
> Jan 14 18:09:49.680 2002 [50945] (v4.0.3) Unable to get canonical name of client XXX.161.230.141: hostname nor servname provided, or not known (8)
> Dec 22 01:59:51.236 2001 [48995] fhuitorel at XXX.161.230.141 (XXX.161.230.141): -ERR [AUTH] Password supplied for "fhuitorel" is incorrect.
> Dec 22 01:59:51.236 2001 [48995] [AUTH] Failed attempted login to fhuitorel from host (XXX.161.230.141) XXX.161.230.141
> 
> The courier-imap log shows only lines like:
> 
> Feb  1 00:15:27 srv1 pop3d: LOGIN FAILED, ip=[::ffff:XXX.161.230.141]
> Feb  1 00:16:58 srv1 pop3d: Connection, ip=[::ffff:XXX.8.54.164]
> Feb  1 00:16:58 srv1 pop3d: LOGIN, user=cgross at example.com, ip=[::ffff:XXX.8.54.164]
> Feb  1 00:16:58 srv1 pop3d: LOGOUT, user=cgross at example.com, ip=[::ffff:XXX.8.54.164], top=0, retr=0

Be careful, normally you should have imap lines in the log; it's nearly the
same thing but not:

i.e.:
Feb  1 12:31:06 srv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Feb  1 12:31:06 srv1 imapd: LOGIN, user=cgross at 2blc.com, ip=[::ffff:127.0.0.1]
Feb  1 12:31:07 srv1 imapd: LOGOUT, user=cgross at 2blc.com, ip=[::ffff:127.0.0.1], headers=698, body=0

I will try to provide you with a correct imap log file (not only with
loopback).

> 
> We've been brainstorming about logs like these, and are thinking about
> defining a login superservice for this.  The events happening are very
> similar to:
> 
> Feb  3 14:51:01 topaz sshd[11611]: Accepted password for hajo from XXX.187.92.176 port 1225
> Feb  3 14:51:11 topaz PAM_unix[11611]: (ssh) session closed for user hajo
> Feb  3 15:42:24 topaz sshd[353]: Generating new 768 bit RSA key.
> Feb  3 15:42:24 topaz sshd[353]: RSA key generation complete.
> Feb  3 16:09:08 topaz sshd[14745]: fatal: Timeout before authentication for XXX.218.153.179.
> Feb  3 16:42:24 topaz sshd[353]: Generating new 768 bit RSA key.
> Feb  3 16:42:25 topaz sshd[353]: RSA key generation complete.
> Feb  3 17:54:28 topaz sshd[20712]: Accepted password for hajo from XXX.187.92.176 port 1376
> Feb  3 17:54:28 topaz PAM_unix[20712]: (ssh) session opened for user hajo by (uid=0)
> Feb  4 08:59:54 topaz su[2891]: + pts/3 root-mhonarc
> Feb  4 08:59:54 topaz PAM_unix[2891]: (su) session opened for user mhonarc by root(uid=0)
> Feb  6 23:12:53 topaz sshd[334]: Generating new 768 bit RSA key.
> Feb  6 23:12:54 topaz sshd[334]: RSA key generation complete.
> Feb  6 23:18:28 topaz sshd[9050]: fatal: Timeout before authentication for XXX.83.60.20.
> Feb  7 00:29:32 topaz sshd[13320]: WARNING: /etc/ssh/primes does not exist, using old prime
> Feb  7 00:29:37 topaz sshd[13320]: Accepted password for joost from XXX.195.6.16 port 1119 ssh2
> 
> (an sshd, su, and pam logfile.)
> 
> When dealing with imap or pop logfiles, we could split it in a
> login-style log file, and a pure messagestore logfile.  See e.g.
> http://logreport.org/contact/lists/development/msg00438.php .  When
> generating reports, we could merge the information extracted from the
> two dlf's.  This would make it easy to show reports on failed
> authentications too.
> 
> qpopper is http://www.eudora.com/qpopper/ , from Qualcomm, isn't it?
> Ha! I found http://www.eudora.com/qpopper/faq.html#stats , now I
> understand the log you've sent :)
> 
>  Stats: cgross 0 0 0 0 XXX.161.230.141 XXX.161.230.141
> 
> is
> 
>  Stats: username nof_msgs_deleted nof_bytes_in_deleted_msgs
>   nof_msgs_left_on_server size_of_spool_left_on_server client_name
>   client_ip
> 
Yep, sorry, I should have given you that information. I apologise.

> So, each line in the dlf format you propose would represent a
> usersession.  I guess that's a sane thing to do for now.  In your
> proposal there's no information about the authentication events, so I
> feel that's ok for now, we could do the login support later.
> 
> I would like to add your messagestore.xml to our CVS, if that's ok with
> you.  We could distribute it with next Lire release (or maybe the one
> after the feb 14 release.)  However, before we can do this, we need to
> know what you allow other users to do with it.  If you offer the code to
> us under the GPL, the modified BSD license or any other GPL compatible
> license, we are very happy to ship it with Lire, and maintain it.  You
> can read the complete story in the "I wanna contribute code, and would
> like it to get distributed as a part of Lire, what should I do,
> license-wise?"-faq entry in service/doc/faq.dbx (typeset on
> http://logreport.org/pub/cvs-snapshots/lire-20020214-pre1/doc/faq/ ).
> 
Yep, under GPL as lire should be ok for me.

Cedric
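
The split discussed in this thread (login-style events in one stream, one messagestore record per user session in the other), sketched as an added Python example; it is not part of the original message and not Lire's own code. The record keys, the function names and the sample lines are assumptions made for illustration, and the samples use "@" where this archive shows " at ".

```python
import re

# qpopper "Stats:" line; field order as given in the qpopper FAQ quoted above.
QPOPPER_STATS = re.compile(
    r"^(?P<time>\w{3} +\d+ [\d:.]+ \d{4}) \[\d+\] Stats: (?P<username>\S+) "
    r"(?P<msgs_deleted>\d+) (?P<bytes_deleted>\d+) (?P<msgs_left>\d+) "
    r"(?P<spool_left>\d+) (?P<remote_host>\S+) (?P<remote_ip>\S+)$")
# courier pop3d/imapd line: "<time> <host> <daemon>: <EVENT>, key=value, ..."
COURIER = re.compile(
    r"^(?P<time>\w{3} +\d+ [\d:]+) \S+ (?P<daemon>pop3d|imapd): "
    r"(?P<event>[^,]+)(?:, (?P<kv>.*))?$")

def strip_mapped(ip):
    """Turn '[::ffff:192.0.2.7]' into '192.0.2.7'."""
    ip = ip.strip("[]")
    return ip[7:] if ip.lower().startswith("::ffff:") else ip

def parse(line):
    """Return ("session" | "login", record), or None for any other line."""
    m = QPOPPER_STATS.match(line)
    if m:
        rec = m.groupdict()
        for k in ("msgs_deleted", "bytes_deleted", "msgs_left", "spool_left"):
            rec[k] = int(rec[k])
        return "session", rec
    m = COURIER.match(line)
    if not m:
        return None
    kv = dict(p.split("=", 1) for p in (m["kv"] or "").split(", ") if "=" in p)
    rec = {"time": m["time"], "daemon": m["daemon"], "event": m["event"],
           "username": kv.pop("user", None),
           "remote_ip": strip_mapped(kv.pop("ip", ""))}
    if rec["event"] != "LOGOUT":
        return "login", rec          # Connection, LOGIN, LOGIN FAILED
    # LOGOUT closes the session; the remaining keys are its counters.
    rec["counters"] = {k: int(v) for k, v in kv.items() if v.isdigit()}
    return "session", rec

def split_log(lines):
    """Split a log into (messagestore sessions, login-style events)."""
    hits = [h for h in map(parse, lines) if h]
    return ([r for k, r in hits if k == "session"],
            [r for k, r in hits if k == "login"])

SAMPLE = [  # constructed lines in the formats shown in the thread
    "Jan 14 18:07:51.948 2002 [50648] Stats: alice 2 4096 5 20480 client.example.com 192.0.2.10",
    "Feb  1 00:15:27 srv1 pop3d: LOGIN FAILED, ip=[::ffff:192.0.2.7]",
    "Feb  1 00:16:58 srv1 pop3d: LOGOUT, user=alice@example.com, ip=[::ffff:192.0.2.7], top=0, retr=1234",
    "Feb  1 12:31:07 srv1 imapd: LOGOUT, user=alice@example.com, ip=[::ffff:127.0.0.1], headers=698, body=0",
]
```

`split_log(SAMPLE)` returns three session records and one login event; the `LOGIN FAILED` event carries only the source address, which is all the courier line records for a failed authentication.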
