
Thread: how to interpret this log error?

  1. #1
    godmod is offline Intermediate Member

    how to interpret this log error?

    Hello,

    I have installed OSSEC, which regularly sends me mails when errors are logged.
    Here is one that I get every few minutes:

    Code:
    May  2 12:25:55 icons saslauthd[4641]: zmpost: url='https://icons.at:7071/service/admin/soap/' 
    returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header><context xmlns="urn:zimbra"><change token="7434"/></context></soap:Header>
    <soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_d2d67f3f2f34b4a6efcd808efe86859df0ff0d9d_69643d33363a32373165393861652d393866332d343630362d393531642d3137666539323033646634383b6578703d31333a313237323936383735353632363b76763d313a313b747970653d363a7a696d6272613b</authToken>
    <lifetime>172800000</lifetime><skin>smoke</skin></AuthResponse></soap:Body></soap:Envelope>',
     hti->error=''
    Could someone tell me what this means and in which way it is an error?

    Regards,
    Michael
    Last edited by godmod; 05-02-2010 at 03:34 AM. Reason: edited code for better readability

  2. #2
    uxbod is offline Moderator

    That looks like somebody is making remote SOAP calls to your Admin interface!

  3. #3
    godmod is offline Intermediate Member

    How can I track back these attempts to IPs?

  4. #4
    uxbod is offline Moderator

    Check in /opt/zimbra/log/mailbox.log for any other events around the same time as that one. You may also consider setting up OSSEC to trap those types of access and report on them.
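
The correlation step suggested in the post above, as an added example that is not part of the original thread: it takes the timestamp of a syslog alert line and lists the mailbox.log entries within a few seconds of it, pulling out the `remote=` address where one is logged. The sample lines are constructed in the two formats shown in this thread; the function names, the 5-second window and the assumption that both logs use the same local clock are illustrative.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input in the syslog and mailbox.log formats quoted in this thread.
SYSLOG_LINE = "May  3 22:36:43 icons saslauthd[4641]: zmpost: url='https://icons.at:7071/service/admin/soap/' returned ..."
MAILBOX_LOG = """\
2010-05-03 22:30:01,120 INFO  [btpool0-700] [] log - constructed unrelated entry
2010-05-03 22:36:42,943 WARN  [btpool0-715] [] log - SSL renegotiate denied: java.nio.channels.SocketChannel[connected local=/12.34.56.78:7071 remote=/12.34.56.78:38614]
2010-05-03 22:36:44,010 INFO  [btpool0-716] [] log - constructed entry inside the window
2010-05-03 22:50:00,000 INFO  [btpool0-720] [] log - constructed unrelated entry
"""

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")
MAILBOX_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3}) ")
REMOTE = re.compile(r"remote=/(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

def syslog_time(line, year):
    """Parse a classic syslog timestamp; it carries no year, so the caller supplies one."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError("not a syslog line")
    mon, day, hms = m.groups()
    return datetime.strptime(f"{year} {mon} {int(day):02d} {hms}", "%Y %b %d %H:%M:%S")

def nearby_events(syslog_line, mailbox_lines, year, window_s=5):
    """Return (timestamp, remote_ip_or_None, line) for entries within window_s seconds."""
    t0 = syslog_time(syslog_line, year)
    window = timedelta(seconds=window_s)
    hits = []
    for line in mailbox_lines:
        m = MAILBOX_TS.match(line)
        if not m:
            continue  # continuation lines (e.g. stack traces) carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ts += timedelta(milliseconds=int(m.group(2)))
        if abs(ts - t0) <= window:
            r = REMOTE.search(line)
            hits.append((ts, r.group(1) if r else None, line.rstrip()))
    return hits

if __name__ == "__main__":
    for ts, ip, line in nearby_events(SYSLOG_LINE, MAILBOX_LOG.splitlines(), 2010):
        print(ts.isoformat(), ip or "-", line)
```

To run it against real files, pass the alert line from the OSSEC mail and the lines of the mailbox.log file for that day.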

  5. #5
    godmod is offline Intermediate Member

    I found the following entry in the mailbox.log.2010-05-03:
    Code:
    2010-05-03 22:36:42,943 WARN  [btpool0-715] [] log - SSL renegotiate denied: java.nio.channels.SocketChannel[connected local=/12.34.56.78:7071 remote=/12.34.56.78:38614]
    It's my server's IP; I just replaced it with 12.34.56.78.

    I have OSSEC installed (as stated in the first post). Is there any special advice for OSSEC + Zimbra?

    Also do you know how to resolve the well known issue of ntp?
    Code:
    OSSEC HIDS Notification.
    2010 May 03 22:39:51
    
    Received From: icons->/var/log/syslog
    Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
    Portion of the log(s):
    
    May  3 22:39:50 icons ntpd[3567]: can't open /var/lib/ntp/ntp.drift.TEMP: Permission denied
    
    
    
     --END OF NOTIFICATION
    Last edited by godmod; 05-03-2010 at 09:14 PM.

  6. #6
    alherman is offline Member

    Quote Originally Posted by godmod View Post
    I found the following entry in the mailbox.log.2010-05-03:
    Code:
    2010-05-03 22:36:42,943 WARN  [btpool0-715] [] log - SSL renegotiate denied: java.nio.channels.SocketChannel[connected local=/12.34.56.78:7071 remote=/12.34.56.78:38614]
    It's my server's IP; I just replaced it with 12.34.56.78.
    You should add your new IP address to "our network" in ossec.conf.
