How to log webmail activity?
I am trying to investigate a security breach of one of my hosted clients and it appears that the breach was via webmail. I am trying to find when it occurred and from where it was done. To do this, I need to find the webmail logs to pull the requesting IP, etc.
I have looked under the IIS site logs and the ME logs but I can't find the specific info for the webmail logs.
Last edited by paarlberg on Thu Mar 02, 2006 6:39 pm, edited 1 time in total.
- Site Admin
- Posts: 4441
- Joined: Tue Jun 25, 2002 3:03 am
- Location: Melbourne, Victoria Australia
The page requests themselves should be in the IIS Logs for the web site that was serving the customer web site and /mewebmail alias.
MailEnable has its own logging at a user level, but this is not enabled by default. The typical location for MailEnable's logging is:
C:\Program Files\Mail Enable\Logging\WebMail
Regards, Andrew
I used the line that enabled the webmail logging in Enterprise to try to get the logging working on ME Pro, it doesn't work. Below is the registry info I have.
Below is the info on the ME Ent. system
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Services\WEBMAIL\Options]
"PreviewHTML"=dword:00000001
"Mailbox Redirection"=dword:00000000
"Auto Response"=dword:00000001
"Wrap at character"=dword:00000064
"DisplayImagesInline"=dword:00000001
"POP Retrieval"=dword:00000000
"CanEditDisplayName"=dword:00000001
"UseDisplayName"=dword:00000000
"MessagesPerPage"=dword:0000000f
"MessageListSize"=dword:0000010e
"Login Details"=dword:00000001
"Hyperlinks"=dword:00000000
"Default Timezone"="South Africa Standard Time"
"Default Characterset"="US-ASCII"
"Logging Status"=dword:00000001
"Log Events"="1,2,3,4,5,6,7,8,9"
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Services\WEBMAIL\Options]
"PreviewHTML"=dword:00000001
"Mailbox Redirection"=dword:00000000
"Auto Response"=dword:00000001
"Wrap at character"=dword:00000064
"DisplayImagesInline"=dword:00000001
"POP Retrieval"=dword:00000000
"CanEditDisplayName"=dword:00000001
"UseDisplayName"=dword:00000000
"MessagesPerPage"=dword:0000000f
"MessageListSize"=dword:0000010e
"Login Details"=dword:00000001
"DefaultBase"="enterprise"
"Filtering"=dword:00000001
"Index Files Enabled"=dword:00000001
"NotificationStatus"=dword:00000001
"PollFrequency"=dword:00007530
"Show Usage"=dword:00000001
"Directory"=dword:00000000
"Public Folders Enabled"=dword:00000000
"Filter Limit"=dword:0000000a
"Default Characterset"="US-ASCII"
"Hyperlinks"=dword:00000001
"Calendaring Enabled"=dword:00000001
"Default Timezone"="Dateline Standard Time"
"Logging Status"=dword:00000001
"Log Events"="1,2,3,4,5,6,7,8,9"
- Site Admin
- Posts: 4441
- Joined: Tue Jun 25, 2002 3:03 am
- Location: Melbourne, Victoria Australia
Pro Edition Webmail does not support activity logging (that's why it's not configurable by the MMC). There are likely to be some unforeseeable issues in attempting to hack the registry in getting this working.
The current Pro webmail only provides logging through IIS logging - which will tell you the IP address of whoever connected and what page was accessed, etc. It does not contain details as to who logged in to the mailbox.
It is definitely not advisable to jerry-rig the registry to try to get it to work.
I have raised an internal suggestion to have the logging available for the version 2 Pro and Ent edition webmails.
Regards, Andrew
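The IIS-log approach described in the replies above (page requests for the /mewebmail alias, with client IP and page accessed), as an added example that is not part of the original thread and is not MailEnable code. It assumes the site logs in W3C extended format; the sample log and the page names under /mewebmail are constructed placeholders.

```python
# Added example. SAMPLE_LOG is constructed; page names under /mewebmail are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2006-03-01 02:14:07 203.0.113.45 - POST /mewebmail/placeholder-login.asp - 302
2006-03-01 02:14:09 203.0.113.45 - GET /mewebmail/placeholder-inbox.asp - 200
2006-03-01 08:30:11 198.51.100.7 - GET /index.html - 200
2006-03-01 09:02:55 198.51.100.7 - GET /MEWebMail/placeholder-login.asp - 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2006-03-02 23:41:30 203.0.113.45 GET /mewebmail/placeholder-inbox.asp 200
"""


def webmail_hits(lines, alias="/mewebmail"):
    """Yield (timestamp, client_ip, method, uri, status) for requests under alias."""
    fields = []
    prefix = alias.lower().rstrip("/") + "/"
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        uri = row.get("cs-uri-stem", "")
        # IIS paths are case-insensitive; match the alias only on a path boundary.
        if (uri.lower() + "/").startswith(prefix):
            # IIS writes W3C log times in UTC by default, not server local time.
            yield (row.get("date", "") + " " + row.get("time", ""),
                   row.get("c-ip", "-"), row.get("cs-method", "-"),
                   uri, row.get("sc-status", "-"))


def summarize_by_ip(hits):
    """Map client IP -> request count plus first and last timestamp seen."""
    summary = {}
    for ts, ip, _method, _uri, _status in hits:
        entry = summary.setdefault(ip, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)  # ISO-style strings sort by time
        entry["last"] = max(entry["last"], ts)
    return summary


if __name__ == "__main__":
    for ip, s in sorted(summarize_by_ip(webmail_hits(SAMPLE_LOG.splitlines())).items()):
        print(ip, s["count"], s["first"], s["last"])
```

To run it over real data, pass the lines of the site's log files to `webmail_hits` in place of the sample.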