how to interpret this log error?

**godmod** · 05-02-2010, 03:34 AM

Hello,

i have installed OSSEC which sends me ragularly mails when errors are logged.
here is one that i get everey few minutes:

Code:

May  2 12:25:55 icons saslauthd[4641]: zmpost: url='https://icons.at:7071/service/admin/soap/' 
returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header><context xmlns="urn:zimbra"><change token="7434"/></context></soap:Header>
<soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_d2d67f3f2f34b4a6efcd808efe86859df0ff0d9d_69643d33363a32373165393861652d393866332d343630362d393531642d3137666539323033646634383b6578703d31333a313237323936383735353632363b76763d313a313b747970653d363a7a696d6272613b</authToken>
<lifetime>172800000</lifetime><skin>smoke</skin></AuthResponse></soap:Body></soap:Envelope>',
 hti->error=''

Could someone tell me what this means and in which way it is an error?

Regards,
Michael

**uxbod** · 05-02-2010, 08:04 AM

That looks like somebody is making remote SOAP calls to your Admin interface!

**godmod** · 05-02-2010, 09:28 AM

how can i track back these attempts to IPs?

**uxbod** · 05-03-2010, 02:12 AM

Check in /opt/zimbra/log/mailbox.log for any other events around the same time as that one. You may consider also setting up Welcome to the Home of OSSEC to trap those types of access and report on them.

**godmod** · 05-03-2010, 09:09 PM

I found the following entry in the mailbox.log.2010-05-03:

Code:

2010-05-03 22:36:42,943 WARN  [btpool0-715] [] log - SSL renegotiate denied: java.nio.channels.SocketChannel[connected local=/12.34.56.78:7071 remote=/12.34.56.78:38614]

It's my servers IP, i just replaced it with 12.34.56.78.

I have OSSEC installed (as stated in the first post), is there any special advice for ossec+zimbra?

Also do you know how to resolve the well known issue of ntp?

Code:

OSSEC HIDS Notification.
2010 May 03 22:39:51

Received From: icons->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

May  3 22:39:50 icons ntpd[3567]: can't open /var/lib/ntp/ntp.drift.TEMP: Permission denied



 --END OF NOTIFICATION

**alherman** · 07-15-2010, 03:49 AM

Originally Posted by godmod

I found the following entry in the mailbox.log.2010-05-03:

Code:

2010-05-03 22:36:42,943 WARN  [btpool0-715] [] log - SSL renegotiate denied: java.nio.channels.SocketChannel[connected local=/12.34.56.78:7071 remote=/12.34.56.78:38614]

It's my servers IP, i just replaced it with 12.34.56.78.

You should add your new ip address to "our network" in ossec.conf .

Zimbra

Thread: how to interpret this log error?

LinkBack

Thread Tools

Search Thread

Display

how to interpret this log error?

Thread Information

Users Browsing this Thread

Similar Threads

Best course of action for missing/corrupted tables?

[SOLVED] Zimbra logwatch.

[SOLVED] Upgraded to 5.0 OSS - Sendmail Problem

M3 problem with shares

Posting Permissions