show user login history with ip address and username used
-
Hi @micro,
@WalterHof is correct. The way to find this information for WebApp logins is to query the webserver logging for it. Just look on the forum for fail2ban and WebApp, I know there have been threads about it in the past.
kopano-server itself only sees where the final request is coming from, which could be the address of the php process or where kopano-dagent is running. If I remember right some more information could be included in the audit logging, though.
-
Hello Felix,
I’ve found those threads related to “Z-Push <> Fail2Ban” but the point is I am looking for a way to monitor/evaluate the WebApp logins. In z-push it’s much easier because one can enable the LOGAUTHFAIL function which results in writing such bad logins into the z-push-error.log for further processing.
But how can we monitor WebApp logins? The Apache (or Nginx) web server will only log the access by an IP address. Those log lines do not reveal any information about the username. There is no relation between user and IP address. Is there any setting in server.cfg equivalent to z-push’s LOGAUTHFAIL which will show more details about false logins in Kopano’s server.log?
I searched further and found the audit log function for kopano-server. I enabled it and now I see in audit.log the failed logins via WebApp like this:
Mon Jan 20 15:18:00 2020: [crit ] authenticate failed user=‘foo’ from=‘file:///var/run/kopano/server.sock’ program=‘apache2’
… but I also see the OK/CORRECT logins:
Mon Jan 20 15:19:19 2020: [crit ] authenticate ok: from=“file:///var/run/kopano/server.sock” user=“bar” method=“User supplied password” program=“apache2” sid=0xa516fab5f31f717c37
Is there any known way to display only the false logins which are a security concern? Just like z-push works with the mentioned directive?
-
@micro said in show user login history with ip address and username used:
But how can we monitor WebApp logins?
Isn’t WebApp logging this anymore?
[Wed Mar 08 20:03:24.725781 2017] [:error] [pid 12297] [client aaa.bbb.ccc.ddd:4453] Kopano WebApp user: ysdxfsa: authentication failure at MAPI, referer: https://my.server.at/webapp/?logon
https://forum.kopano.io/topic/108/how-to-protect-webapp-fail2ban
-
Which log file is the line from? In your previous post you said:
The way to find this information for WebApp logins is to query the webserver logging for it.
I am only aware of the webserver’s log mechanism (in my case apache2) which will write the access and error logs in “/var/log/apache/my-customized.log”. But the apache2 log does not contain such lines, they always start with an IP address and look like this:
192.168.0.123 - - [20/Jan/2020:16:49:12 +0100] “POST /kopano.php?subsystem=webapp_8475519283644 HTTP/1.1” 200 597 “https://mykopano.example.tld/” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36”
I checked the WebApp admin manual, there is a logging directive which by default is OFF:
define('LOG_USER_LEVEL', LOGLEVEL_OFF);
Should I put this to LOGLEVEL_WARN? Which log file is written for WebApp then?
-
@micro said in show user login history with ip address and username used:
which log file is the line from
In the past this was logged into the error.log. But for the WebApp log levels it may be more appropriate to ask in the webapp sub forum.
-
grep -R -i user /var/log/apache/*error*
didn’t show any hits. There is no information about “user”. I will try to ask the question on the WebApp sub-forum and point to this thread…
thank you so far Felix
-
maybe try
grep -R -i user /var/log/apache2/*
-
@item: please read and think first
-
I don’t know your configuration of apache2 but the default log is at /etc/apache2
and for me grep -R -i user /var/log/apache2/* works and gives output like:
/var/log/apache2/error.log.1:[Sun Jan 26 22:41:40.557437 2020] [:error] [pid 18123] [client 192.168.2.72:50142] Kopano WebApp user: georg: authentication failure at MAPI, referer: https://serveraddress/webapp/
rg
Christian
-
Hi Chris,
certainly you did mean “…the default log is in /var/log/apache2” :) Thanks for the information, that is correct. But it shows the failed logins.
My question was related to “succeeded” logins to track when, who and which backend was used.
-
Anyone else? How can we
- track succeeded logins in Kopano?
- track access (attach/open) to certain mailboxes (e.g. when a user attaches or requests a particular mailbox, other than its own)?
-
@micro have you checked the audit logging?
-
A bit late, and maybe it’s already mentioned in the thread, but, are you looking for this:
https://forum.kopano.io/topic/2569/logging-of-login-attemts
-
@klausade: THANK YOU!
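
Added example (not part of any post in this thread, and not Kopano code): a Python filter that keeps only the failed logins from the two log formats quoted above, the kopano-server audit.log and the Apache error.log lines written by WebApp. The sample lines are constructed from those quoted in the thread, with straight quotes assumed in place of the typographic ones shown; all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed samples in the formats quoted in the thread (straight quotes assumed).
AUDIT_SAMPLE = """\
Mon Jan 20 15:18:00 2020: [crit ] authenticate failed user='foo' from='file:///var/run/kopano/server.sock' program='apache2'
Mon Jan 20 15:19:19 2020: [crit ] authenticate ok: from="file:///var/run/kopano/server.sock" user="bar" method="User supplied password" program="apache2" sid=0xa516fab5f31f717c37
""".splitlines()
APACHE_SAMPLE = """\
[Sun Jan 26 22:41:40.557437 2020] [:error] [pid 18123] [client 192.168.2.72:50142] Kopano WebApp user: georg: authentication failure at MAPI, referer: https://serveraddress/webapp/
[Sun Jan 26 22:41:52.100000 2020] [:error] [pid 18123] [client 192.168.2.72:50150] Kopano WebApp user: georg: authentication failure at MAPI, referer: https://serveraddress/webapp/
[Sun Jan 26 22:42:01.000000 2020] [:error] [pid 18124] [client 192.168.2.80:40000] PHP Notice: unrelated message
""".splitlines()

AUDIT_RE = re.compile(r"^(?P<ts>.+?): \[\w+\s*\] authenticate (?P<result>failed|ok)\b")
KV_RE = re.compile(r"""(\w+)=(['"])(.*?)\2""")  # key='value' or key="value"
APACHE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] .*?\[client (?P<ip>[^\]]+?):\d+\] "
    r"Kopano WebApp user: (?P<user>.*?): authentication failure"
)

def parse_audit(line):
    """Parse one kopano-server audit.log authentication line, else None."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    fields = {key: value for key, _quote, value in KV_RE.findall(line)}
    return {"ts": m["ts"], "ok": m["result"] == "ok", "user": fields.get("user"),
            "source": fields.get("from"), "program": fields.get("program")}

def failed_audit(lines):
    """Keep only failed authentications; 'authenticate ok' lines are dropped."""
    return [e for e in map(parse_audit, lines) if e and not e["ok"]]

def failed_webapp(lines):
    """WebApp failures from the Apache error log, which carry user and client IP."""
    return [m.groupdict() for m in map(APACHE_RE.match, lines) if m]

def count_by_client(events):
    """Failures per (client IP, username), e.g. as input for a threshold alert."""
    return Counter((e["ip"], e["user"]) for e in events)

if __name__ == "__main__":
    for e in failed_audit(AUDIT_SAMPLE):
        print("audit :", e["ts"], e["user"], e["source"])
    for (ip, user), n in count_by_client(failed_webapp(APACHE_SAMPLE)).items():
        print("webapp:", ip, user, n)
```

For WebApp logins the audit.log source is the local server socket, so the client address has to come from the Apache error.log entries.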