[exim] Re: Exim logging--how reliable?

Author: Slavko
Date:  
To: exim-users
Subject: [exim] Re: Exim logging--how reliable?
On 4 October 2024 at 18:04:31 UTC, Johnnie W Adams via Exim-users <exim-users@???> wrote:

> I'm trying to interpret some results from a SIEM regarding our Exim
> servers and am having difficulty. The SIEM claims that ports 587 and 465
> are generating traffic on a high-numbered port. I think it's seeing
> artifacts from failed authentications and, in about two-thirds of the
> cases, I can line the authentication attempts up with that traffic.


I am just curious what you (or the SIEM) mean by "generating traffic".
Is it the connection start (SYN or SYN+ACK), the connection close (FIN),
or some other traffic with other TCP flags?

About the reliability of Exim's log: from my experience it is reliable, but
by default it doesn't log connection starts or ends, so you will
not see everything in the logs. Check the docs for log_selector and/or the
connect, quit and notquit ACLs. Of course, that reliability can depend
on the logging backend (e.g. syslog rate limiting), file storage, etc.

regards


--
Slavko
https://www.slavino.sk/

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
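The reply above points at log_selector and the connect, quit and notquit ACLs without showing them. The following is an added example, not code from the thread or from the Exim project, of an Exim 4 configuration fragment that makes per-connection events visible in mainlog so that SIEM flow records on 465/587 can be lined up with what the MTA saw. The ACL names (acl_log_connect etc.) are assumptions chosen for illustration; the log_selector items, ACL hooks and expansion variables are standard Exim ones.

```exim
# Added example (not from the original thread or from Exim's own docs).
#
# log_selector additions:
#   +smtp_connection     log "SMTP connection from ..." at connect time and
#                        a matching "... closed by QUIT" / "... lost" line
#                        at the end; off by default
#   +incoming_port       add the remote (ephemeral) port to those lines; that
#                        is the "high-numbered port" a flow-based SIEM reports
#   +incoming_interface  add I=[local address]:port, so 465 and 587 sessions
#                        can be told apart
#   +smtp_no_mail        log sessions that never issued MAIL, with the command
#                        sequence used (failed AUTH probes look like
#                        C=EHLO,AUTH,QUIT or C=EHLO,AUTH,AUTH,...)
#   +smtp_protocol_error / +tls_cipher  extra context for the same sessions
log_selector = +smtp_connection +incoming_port +incoming_interface \
               +smtp_no_mail +smtp_protocol_error +tls_cipher

# Hook the three ACLs mentioned in the reply. ACL names are assumptions.
acl_smtp_connect = acl_log_connect
acl_smtp_quit    = acl_log_quit
acl_smtp_notquit = acl_log_notquit

begin acl

acl_log_connect:
  # One line per accepted connection, with local and remote endpoints.
  accept logwrite = connect from [$sender_host_address]:$sender_host_port \
                    to [$interface_address]:$interface_port

acl_log_quit:
  # Clean close: record whether the session ever authenticated, and as whom.
  accept logwrite = quit from [$sender_host_address]:$sender_host_port \
                    auth=${if def:sender_host_authenticated \
                          {$sender_host_authenticated/$authenticated_id}{none}}

acl_log_notquit:
  # Unclean close (dropped by an ACL, command timeout, connection lost,
  # TLS failure, ...). Exim puts the reason in $smtp_notquit_reason.
  accept logwrite = notquit from [$sender_host_address]:$sender_host_port \
                    reason=$smtp_notquit_reason
```

With these selectors a failed-authentication probe shows up as a "SMTP connection from [client]:port I=[server]:587" line, a "no MAIL in SMTP connection ... C=EHLO,AUTH,QUIT" line, and the close or notquit line, so the client address and ephemeral port in the SIEM flow record can be matched directly against mainlog (the exact line layout is taken from memory of Exim's log format and should be checked against your version). Note the caveat from the reply: if log_file_path sends these lines to syslog, a rate limit there can drop exactly the burst of connect/quit lines an authentication-spraying client produces, so writing mainlog to a file is the safer choice when you need completeness.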