On Fri, 4 Oct 2024, Johnnie W Adams via Exim-users wrote:
> Hi, folks,
>
> I'm trying to interpret some results from an SIEM regarding our Exim
> servers and am having difficulty. The SIEM claims that ports 587 and 465
> are generating traffic on a high-numbered port. I think it's seeing
> artifacts from failed authentications and, in about two-thirds of the
> cases, I can line the authentication attempts up with that traffic.
SIEM = Security information and event management ?
This SIEM is reporting traffic from ports 587 and 465 on your server
to high ports on remote machines ?
I assume there is matching traffic in the opposite direction ?
> That leaves the other third, which show no sign of authentications in
> the logs.
>
> I'm grasping at straws here, I suppose, but I'm wondering: How
> reliable is exim logging on a not-very-busy machine? Pretty reliable, I
> figure, but these results make me wonder.
I would expect exim logging to be reliable on a not-very-busy machine.
Is there any sort of firewall in front of exim ?
If a firewall rejects the traffic, it would never reach exim
or the exim logs.
--
Andrew C. Aitchison Kendal, UK
andrew@???
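An added example, not part of the thread above: a small correlation script that lines SIEM flow records up with Exim main-log lines by remote IP and time window, so the flows with no Exim entry at all (candidates for "never reached exim", e.g. dropped by a firewall in front of it) can be separated from the ones that match failed authentications. The flow tuples, log lines and IP addresses are constructed, and the log line shapes assume the `smtp_connection` and `incoming_port` log selectors are on.

```python
"""Correlate SIEM flow records with Exim main-log entries (added example)."""
import re
from datetime import datetime, timedelta

# Constructed SIEM flow records: (timestamp, remote_ip, remote_port, local_port)
FLOWS = [
    ("2024-10-04 10:15:22", "203.0.113.5", 51234, 587),
    ("2024-10-04 10:20:05", "198.51.100.77", 43011, 465),
    ("2024-10-04 10:31:40", "192.0.2.9", 60002, 587),
]

# Constructed Exim main-log lines (smtp_connection + authentication failure).
EXIM_LOG = """\
2024-10-04 10:15:22 SMTP connection from [203.0.113.5]:51234 I=[198.51.100.1]:587
2024-10-04 10:15:23 login authenticator failed for (client) [203.0.113.5]: 535 Incorrect authentication data
2024-10-04 10:20:06 SMTP connection from [198.51.100.77]:43011 I=[198.51.100.1]:465
2024-10-04 10:20:07 SMTP connection from [198.51.100.77]:43011 lost
""".splitlines()

# Timestamp, then the first bracketed IPv4 address (the remote peer in these lines).
LOG_RE = re.compile(r"^(\S+ \S+) .*?\[(\d+\.\d+\.\d+\.\d+)\]")
TS = "%Y-%m-%d %H:%M:%S"

def parse_exim(lines):
    """Return (timestamp, remote_ip, message) for each log line carrying a bracketed IP."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), TS), m.group(2), line[m.end(1) + 1:]))
    return out

def correlate(flows, log_lines, window=timedelta(seconds=30)):
    """Map each flow to the Exim log messages from the same remote IP within `window`."""
    events = parse_exim(log_lines)
    result = {}
    for ts, ip, rport, lport in flows:
        t0 = datetime.strptime(ts, TS)
        result[(ip, rport, lport)] = [
            msg for (et, eip, msg) in events if eip == ip and abs(et - t0) <= window
        ]
    return result

def unexplained(flows, log_lines):
    """Flows with no Exim log line at all: the ones to check against the firewall."""
    return [key for key, msgs in correlate(flows, log_lines).items() if not msgs]
```

Call `unexplained(FLOWS, EXIM_LOG)` to list the flows that no Exim log line accounts for; `correlate(...)` shows the matching lines for the rest.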