Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
Go Back   Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
Reload this Page how to interpret this log error?

Welcome to the Zimbra :: Forums!
Welcome, if you would like to post a comment please register. We also encourage you to explore all things Zimbra with our team and members of the community.

Reply
 
LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 05-02-2010, 03:34 AM
Intermediate Member
  
Posts: 18
Default how to interpret this log error?
Hello,

i have installed OSSEC which sends me ragularly mails when errors are logged.
here is one that i get everey few minutes:

Code:
May  2 12:25:55 icons saslauthd[4641]: zmpost: url='https://icons.at:7071/service/admin/soap/' 
returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header><context xmlns="urn:zimbra"><change token="7434"/></context></soap:Header>
<soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_d2d67f3f2f34b4a6efcd808efe86859df0ff0d9d_69643d33363a32373165393861652d393866332d343630362d393531642d3137666539323033646634383b6578703d31333a313237323936383735353632363b76763d313a313b747970653d363a7a696d6272613b</authToken>
<lifetime>172800000</lifetime><skin>smoke</skin></AuthResponse></soap:Body></soap:Envelope>',
 hti->error=''
Could someone tell me what this means and in which way it is an error?

Regards,
Michael
Last edited by godmod; 05-02-2010 at 03:34 AM.. Reason: editied code for better readability
Reply With Quote
  #2 (permalink)  
Old 05-02-2010, 08:04 AM
Moderator
  
Posts: 7,928
Default
That looks like somebody is making remote SOAP calls to your Admin interface!
__________________
Reply With Quote
  #3 (permalink)  
Old 05-02-2010, 09:28 AM
Intermediate Member
  
Posts: 18
Default
how can i track back these attempts to IPs?
Reply With Quote
  #4 (permalink)  
Old 05-03-2010, 02:12 AM
Moderator
  
Posts: 7,928
Default
Check in /opt/zimbra/log/mailbox.log for any other events around the same time as that one. You may consider also setting up Welcome to the Home of OSSEC to trap those types of access and report on them.
__________________
Reply With Quote
  #5 (permalink)  
Old 05-03-2010, 09:09 PM
Intermediate Member
  
Posts: 18
Default
I found the following entry in the mailbox.log.2010-05-03:
Code:
2010-05-03 22:36:42,943 WARN  [btpool0-715] [] log - SSL renegotiate denied: java.nio.channels.SocketChannel[connected local=/12.34.56.78:7071 remote=/12.34.56.78:38614]
It's my servers IP, i just replaced it with 12.34.56.78.

I have OSSEC installed (as stated in the first post), is there any special advice for ossec+zimbra?

Also do you know how to resolve the well known issue of ntp?
Code:
OSSEC HIDS Notification.
2010 May 03 22:39:51

Received From: icons->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

May  3 22:39:50 icons ntpd[3567]: can't open /var/lib/ntp/ntp.drift.TEMP: Permission denied



 --END OF NOTIFICATION
Last edited by godmod; 05-03-2010 at 09:14 PM..
Reply With Quote
  #6 (permalink)  
Old 07-15-2010, 03:49 AM
Member
  
Posts: 12
Smile
Quote:
Originally Posted by godmod View Post
I found the following entry in the mailbox.log.2010-05-03:
Code:
2010-05-03 22:36:42,943 WARN  [btpool0-715] [] log - SSL renegotiate denied: java.nio.channels.SocketChannel[connected local=/12.34.56.78:7071 remote=/12.34.56.78:38614]
It's my servers IP, i just replaced it with 12.34.56.78.
You should add your new ip address to "our network" in ossec.conf .
Reply With Quote
Reply

« Previous Thread | Today's Posts or Week's Posts | Next Thread »

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode


Similar Threads

Product Information

Why Join?

Registering let's you ask questions, makes it easier to search, displays any files attached to posts, and notifies you about replies.

blog.zimbra.com


Home - Blog - Contact Us - Archive - Top


 

SEO by vBSEO ©2011, Crawlability, Inc.