[exim] Re: Exim logging--how reliable?

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Johnnie W Adams
Ημερομηνία:  
Προς: Slavko
Υ/ο: exim-users
Αντικείμενο: [exim] Re: Exim logging--how reliable?
Thank you for answering this rather impolite (I think--I hesitate to ask)
question. The SIEM doesn't get that deep into the connection--it just gives
source, destination, and port.

On Fri, Oct 4, 2024 at 1:34 PM Slavko via Exim-users <
exim-users@???> wrote:

> Dňa 4. októbra 2024 18:04:31 UTC používateľ Johnnie W Adams via Exim-users
> <exim-users@???> napísal:
>
> >     I'm trying to interpret some results from an SIEM regarding our Exim
> >servers and am having difficulty. The SIEM claims that ports 587 and 465
> >are generating traffic on a high-numbered port. I think it's seeing
> >artifacts from failed authentications and, in about two-thirds of the
> >cases, I can line the authentication attempts up with that traffic.
>
> I am just curious, what do you (SIEM) means by "generating traffic".
> Is it connection start (SYN or SYN+ACK), or connection close (FIN)
> or even some other traffic with other TCP flags?
>
> About reliability of exim's log, from my experiences it is reliable, but
> by default it doesn't log connection starts nor ends, thus you will
> not see everything in logs. Check log_selector and/or connect,
> quit and notquit ACLs docs. Of course, that reliability can depend
> on logging backend (eg. syslog rate limit), file storage, etc...
>
> regards
>
>
> --
> Slavko
> https://www.slavino.sk/
>
> --
> ## subscription configuration (requires account):
> ##
> https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
> ## unsubscribe (doesn't require an account):
> ##   exim-users-unsubscribe@???
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>



--
John Adams
Senior Linux/Middleware Administrator | Information Technology Services
+1-501-916-3010 | jxadams@??? | http://ualr.edu/itservices
*UA Little Rock*

Reminder: IT Services will never ask for your password over the phone or
in an email. Always be suspicious of requests for personal information that
come via email, even from known contacts. For more information or to
report suspicious email, visit IT Security
<http://ualr.edu/itservices/security/>.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/