Re: LDAP Change Log
Hello Pablo,
----- Original Message -----
>
> William,
> If you think an account is compromised you may want to look at the
> proxy, MTA, or mailbox logs to see what IP that possibly compromised
> account is logging in from. If it comes from a suspect location
> (country), network, or ISP, you may be able to determine that it was
> indeed compromised.
I do some of this already, but I need to improve it. Right now I'm only watching for these events in ZWC, so I need to extend this to include IMAP/POP/SMTP.
I've been using audit.log and nginx.access.log for this, but now I just realized nginx.log might be better suited.
Off to investigate.
Thanks,
Will
> ----- Original Message -----
>
> From: "William Froning" <wfroning@aus.edu>
> To: "Zimbra Higher-Ed Admins" <zimbra-hied-admins@sfu.ca>
> Sent: Sunday, May 26, 2013 12:09:16 AM
> Subject: LDAP Change Log
>
> Hello All,
>
> I was wondering how you all are monitoring Zimbra LDAP change events.
> I can't seem to find the right log (if it is even enabled) to watch
> for account changes that might suggest a compromised account.
>
> We are running 7.2.1. Any assistance is welcome.
>
> Thanks,
> Will
>
> --
> Will Froning
> Information Security Manager
> Office of the Vice Chancellor for Finance and Administration
>
>
> American University of Sharjah
>
> Tel +971 6 515 2124
> Mob +971 50 737 1599
> Fax +971 6 515 2120
> PO Box 26666, Sharjah
> United Arab Emirates
> http://www.aus.edu
> wfroning@aus.edu
>
>
--
Will Froning
Information Security Manager
Office of the Vice Chancellor for Finance and Administration
American University of Sharjah
Tel +971 6 515 2124
Mob +971 50 737 1599
Fax +971 6 515 2120
PO Box 26666, Sharjah
United Arab Emirates
http://www.aus.edu
wfroning@aus.edu
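
An added example, not part of the original thread: the check discussed above, listing each account's successful logins per protocol and flagging source addresses outside the networks you expect. The `key=value;` log layout, the field names (`cmd`, `account`, `protocol`, `oip`, `error`), the accounts and the `EXPECTED_NETWORKS` range are all assumptions constructed for illustration; adapt the parser to the lines your own audit, mailbox or proxy logs contain.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a simplified "key=value;" layout (assumed format,
# not copied from a real server). Addresses are documentation ranges.
SAMPLE_LOG = """\
2013-05-26 08:01:12 cmd=Auth; account=alice@example.edu; protocol=soap; oip=192.0.2.10;
2013-05-26 08:05:40 cmd=Auth; account=alice@example.edu; protocol=imap; oip=192.0.2.11;
2013-05-26 08:07:03 cmd=Auth; account=bob@example.edu; protocol=pop3; oip=192.0.2.44;
2013-05-26 09:15:27 cmd=Auth; account=bob@example.edu; protocol=smtp; oip=203.0.113.7;
2013-05-26 09:15:59 cmd=Auth; account=bob@example.edu; protocol=imap; oip=198.51.100.23;
2013-05-26 09:20:00 cmd=Auth; account=carol@example.edu; protocol=soap; error=authentication failed; oip=203.0.113.7;
"""

# Hypothetical "expected" client range (e.g. campus network); an assumption.
EXPECTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

FIELD = re.compile(r"(\w+)=([^;]*);")

def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {k: v.strip() for k, v in FIELD.findall(line)}

def logins_by_account(log_text):
    """Map account -> list of (protocol, ip) for successful Auth events."""
    logins = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("cmd") != "Auth" or "error" in f or "account" not in f:
            continue  # not an auth event, or a failed attempt
        try:
            ip = ipaddress.ip_address(f.get("oip", ""))
        except ValueError:
            continue  # no usable client address on this line
        logins[f["account"]].append((f.get("protocol", "unknown"), ip))
    return logins

def suspicious_accounts(log_text, expected=EXPECTED_NETWORKS):
    """Return {account: ['protocol ip', ...]} for logins outside expected networks."""
    report = {}
    for account, events in logins_by_account(log_text).items():
        odd = sorted({f"{proto} {ip}" for proto, ip in events
                      if not any(ip in net for net in expected)})
        if odd:
            report[account] = odd
    return report

if __name__ == "__main__":
    for account, hits in suspicious_accounts(SAMPLE_LOG).items():
        print(account, hits)
```

An account whose web, IMAP, POP and SMTP logins appear from several unrelated networks within a short window is the pattern worth a manual review.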