How to work with Zimbra OSE logs

Logging every event that occurs is one of the most important functions of any enterprise system. Logs let you troubleshoot problems as they arise, audit the operation of the mail system, and investigate information-security incidents. Zimbra OSE keeps complete logs of its activity, covering everything from the operation of the server itself to the sending and receiving of e-mail by users. Reading the logs that Zimbra OSE produces is, however, not a trivial task. In this article we use concrete examples to show how to read Zimbra OSE logs and how to centralize them.

Zimbra OSE stores all of its local logs in the /opt/zimbra/log folder; log entries can also be found in the file /var/log/zimbra.log. The most important of these logs is mailbox.log. It records every action that takes place on the mail server: e-mail deliveries, user authentication data, failed login attempts, and so on. An entry in mailbox.log is a line of text that contains the time of the event, the event level, the number of the thread in which the event occurred, the user name and IP address, and a textual description of the event.


The log level indicates how strongly an event affects the operation of the server. By default there are four levels: INFO, WARN, ERROR and FATAL. Let us look at the levels in order of increasing severity.

  • INFO - events at this level are usually written to report on the normal progress of Zimbra OSE. Messages at this level include records of a mailbox being created or deleted, and the like.
  • WARN - events at this level report conditions that are potentially dangerous but do not affect the operation of the server. For example, the WARN level is used for messages about a user's failed login attempt.
  • ERROR - events at this level report a localized error that does not prevent the server from working. For example, this level can indicate that a user's index data has been corrupted.
  • FATAL - this level indicates an error because of which the server can no longer operate normally. For example, a log entry saying that the server cannot connect to the DBMS would be FATAL.

The mail server's log files are rotated daily. The current file is always named mailbox.log, while the logs for earlier days carry the date in their name and are kept compressed, for example mailbox.log.2020-09-29.tar.gz. This makes it easier both to archive the logs and to search through them.

For the convenience of the system administrator, the /opt/zimbra/log/ directory holds a number of other logs. Each of them contains only the entries related to one particular Zimbra OSE component. For example, audit.log contains only records about user authentication, clamd.log holds data about the antivirus service, and so on. Incidentally, a good way to protect a Zimbra OSE server from attackers is to put it behind Fail2Ban, which works on the basis of audit.log. It is also good practice to add a cron job that runs grep -ir "invalid password" /opt/zimbra/log/audit.log so that you receive information about failed logins every day.

An example of how audit.log shows a password entered incorrectly twice, followed by a successful login attempt.
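The grep above yields a daily count of wrong passwords, but a flat count hides who is doing the guessing. The script below is an added example, not code from the article or from Zimbra: it parses the authentication records in audit.log, counts failures per source IP, flags an IP that fails against many different accounts (password spraying, which a per-account view never shows), and reports a success that follows a run of failures for the same account from the same IP, the pattern in the screenshot above. The log lines embedded in it are constructed in the audit.log format with invented host names, accounts and addresses; treating an oip= value as the original client address behind the Zimbra proxy is an assumption about the deployment.

```python
"""Failed-login analysis over Zimbra OSE audit.log (example code, not part of
Zimbra; the sample records below are constructed in the audit.log format)."""
import re
from collections import Counter, defaultdict

# Constructed sample: two wrong passwords then a success for one account from
# one address, and one address trying five different accounts over IMAP.
SAMPLE_AUDIT_LOG = """\
2020-09-20 09:12:31,442 INFO  [qtp1234-56:https://mail.company.ru/service/soap/AuthRequest] [ip=203.0.113.5;] security - cmd=Auth; account=ivanov@company.ru; protocol=soap; error=authentication failed for [ivanov@company.ru], invalid password;
2020-09-20 09:12:35,101 INFO  [qtp1234-57:https://mail.company.ru/service/soap/AuthRequest] [ip=203.0.113.5;] security - cmd=Auth; account=ivanov@company.ru; protocol=soap; error=authentication failed for [ivanov@company.ru], invalid password;
2020-09-20 09:12:40,777 INFO  [qtp1234-58:https://mail.company.ru/service/soap/AuthRequest] [ip=203.0.113.5;] security - cmd=Auth; account=ivanov@company.ru; protocol=soap;
2020-09-20 09:13:02,005 INFO  [ImapServer-3] [ip=198.51.100.7;] security - cmd=Auth; account=petrov@company.ru; protocol=imap; error=authentication failed for [petrov@company.ru], invalid password;
2020-09-20 09:13:03,010 INFO  [ImapServer-4] [ip=198.51.100.7;] security - cmd=Auth; account=sidorov@company.ru; protocol=imap; error=authentication failed for [sidorov@company.ru], invalid password;
2020-09-20 09:13:04,020 INFO  [ImapServer-5] [ip=198.51.100.7;] security - cmd=Auth; account=kuznetsov@company.ru; protocol=imap; error=authentication failed for [kuznetsov@company.ru], invalid password;
2020-09-20 09:13:05,030 INFO  [ImapServer-6] [ip=198.51.100.7;] security - cmd=Auth; account=smirnov@company.ru; protocol=imap; error=authentication failed for [smirnov@company.ru], invalid password;
2020-09-20 09:13:06,040 INFO  [ImapServer-7] [ip=198.51.100.7;] security - cmd=Auth; account=popov@company.ru; protocol=imap; error=authentication failed for [popov@company.ru], invalid password;
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+"  # timestamp
    r"(?P<level>\S+)\s+\[[^\]]*\]\s+"                          # level, thread
    r"\[(?P<ctx>[^\]]*)\]\s+"                                  # [ip=...;] context
    r"security - cmd=Auth;\s*account=(?P<account>[^;]+);"
    r"\s*protocol=(?P<proto>[^;]+);(?P<rest>.*)$"              # rest holds error=... on failure
)


def parse_auth_events(text):
    """One dict per authentication record; non-Auth lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ctx = dict(kv.split("=", 1) for kv in m["ctx"].split(";") if "=" in kv)
        # Assumption: behind the Zimbra proxy the client address is under oip=
        # and ip= is the proxy itself, so prefer oip= when present.
        ip = ctx.get("oip") or ctx.get("ip") or "?"
        rest = m["rest"]
        events.append({"ts": m["ts"], "account": m["account"].strip(),
                       "proto": m["proto"].strip(), "ip": ip,
                       "failed": "error=" in rest,
                       "invalid_password": "invalid password" in rest})
    return events


def failed_logins_by_ip(events):
    """How many failures each source address produced."""
    return Counter(e["ip"] for e in events if e["failed"])


def spray_candidates(events, min_accounts=3):
    """Addresses that failed against at least min_accounts distinct accounts.
    Each account fails only once, so a per-account grep never reveals this."""
    accounts = defaultdict(set)
    for e in events:
        if e["failed"]:
            accounts[e["ip"]].add(e["account"])
    return sorted(ip for ip, accts in accounts.items() if len(accts) >= min_accounts)


def success_after_failures(events):
    """(account, ip, failures): a login that succeeded from the same address
    right after a run of failures for that account, the case worth alerting on."""
    streak, hits = Counter(), []
    for e in events:
        key = (e["account"], e["ip"])
        if e["failed"]:
            streak[key] += 1
        else:
            if streak[key]:
                hits.append((e["account"], e["ip"], streak[key]))
            streak[key] = 0
    return hits


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    ev = parse_auth_events(text)
    for ip, n in failed_logins_by_ip(ev).most_common():
        print(f"{ip}: {n} failed logins")
    print("password spraying from:", spray_candidates(ev))
    print("success after failures:", success_after_failures(ev))
```

Run it as `python3 audit_auth.py /opt/zimbra/log/audit.log` from the same cron job that runs the grep; the three reports are what a Fail2Ban ban list alone does not tell you.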

Zimbra OSE logs are very useful for finding the causes of various critical failures. When a critical error occurs, the administrator usually has no time to read the logs; the server has to be restored as quickly as possible. Later, however, when the server is back up and generating a great many log entries, it can be hard to find the entries you need in a huge file. To find the error record quickly, it is enough to know the time at which the server was restored and to locate the entries written at that time in the log. The entries immediately before them will be the record of the error that occurred. You can also find the error message by searching for the keyword FATAL.

Zimbra OSE logs also let you detect non-critical failures. For example, to find handler exceptions you can search for the phrase handler exception. Often the handler errors found this way are accompanied by a stack trace that explains what caused the exception. If there is a failure in message delivery, start your search with the keyword LmtpServer, and to look for errors related to the POP or IMAP protocols use the keywords ImapServer and Pop3Server.

Logs can also help when investigating information-security incidents. Let us look at a concrete example. On September 20, one of the employees sent a customer a letter containing malware. As a result, the data on the customer's computer was encrypted. The employee, however, swears that they did not send anything. As part of the investigation, the company's security team asked the system administrator for the mail server logs for September 20 relating to the employee under investigation. Thanks to the timestamps, the administrator finds the required log file, extracts the relevant information and hands it over to the security specialists. They in turn examine it and find that the IP address from which the letter was sent matches the IP address of the employee's computer. CCTV footage showed that the employee was at their workstation when the letter was sent. This evidence was sufficient to charge them with violating the information-security policy and to dismiss them.

An example of extracting the entries for a single account from mailbox.log into a separate file.
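The two tasks just described, finding the last ERROR or FATAL entry before the time the server was restored and pulling every entry for one account on one day into a separate file with its stack traces, both come down to parsing the mailbox.log line format given at the start of the article. The script below is an added example, not code from the article or from Zimbra. Its sample lines are constructed in that format with invented accounts, addresses and messages; the "system - Starting" line used as the restart marker and the "mailop" send record with a Message-ID are assumptions about message wording, and only the timestamp/level/thread/context layout is taken from the article.

```python
"""Parse Zimbra OSE mailbox.log, extract one account's entries and find the
last ERROR/FATAL before a restart (example code, not part of Zimbra; the
sample log below is constructed in the mailbox.log line format)."""
import re

SAMPLE_MAILBOX_LOG = (
    "2020-09-20 11:02:15,123 INFO  [qtp1234-12:https://mail.company.ru/service/soap/SendMsgRequest] "
    "[name=ivanov@company.ru;mid=34;ip=203.0.113.5;ua=zclient/8.8.15;] mailop - Sending email: "
    "sender=ivanov@company.ru, recipients=client@partner.example, Message-ID=<1234@mail.company.ru>\n"
    "2020-09-20 11:02:16,004 INFO  [LmtpServer-5] [name=petrov@company.ru;mid=35;] lmtp - "
    "Delivering message: size=5 KB, nrcpts=1, sender=news@example.net, msgid=<77@example.net>\n"
    "2020-09-20 11:05:40,881 ERROR [qtp1234-13:https://mail.company.ru/service/soap/SearchRequest] "
    "[name=ivanov@company.ru;mid=34;ip=203.0.113.5;] SoapEngine - handler exception\n"
    "com.zimbra.common.service.ServiceException: system failure: index is corrupted\n"
    "\tat com.zimbra.cs.index.MailboxIndex.search(MailboxIndex.java:123)\n"
    "\tat com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:456)\n"
    "2020-09-20 11:06:01,002 FATAL [main] [] system - Could not connect to database: "
    "Communications link failure\n"
    "2020-09-20 11:08:30,000 INFO  [main] [] system - Starting mailboxd (constructed restart marker)\n"
)

ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"  # time of the event
    r"(?P<level>[A-Z]+)\s+"                                    # INFO/WARN/ERROR/FATAL
    r"\[(?P<thread>[^\]]*)\]\s+"                               # thread (and request URL)
    r"\[(?P<ctx>[^\]]*)\]\s+"                                  # [name=..;mid=..;ip=..;]
    r"(?P<msg>.*)$"                                            # "logger - description"
)
MSGID_RE = re.compile(r"Message-ID=(<[^>]+>)")


def parse_mailbox_log(text):
    """One dict per log entry; lines without a timestamp (stack traces)
    are attached to the entry that precedes them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ctx = dict(kv.split("=", 1) for kv in m["ctx"].split(";") if "=" in kv)
            entries.append({"ts": m["ts"], "level": m["level"], "thread": m["thread"],
                            "ctx": ctx, "msg": m["msg"], "raw": line, "trace": []})
        elif entries:
            entries[-1]["trace"].append(line)
    return entries


def entries_for_account(entries, account, day=None):
    """Everything logged for one user, optionally on one YYYY-MM-DD day:
    the extract the security team asked for in the incident above."""
    return [e for e in entries
            if e["ctx"].get("name") == account
            and (day is None or e["ts"].startswith(day))]


def format_entries(entries):
    """Re-emit the selected entries, stack traces included, ready to save."""
    return "\n".join(line for e in entries for line in [e["raw"], *e["trace"]])


def sent_messages(entries):
    """(time, client IP, Message-ID) for each send record: the IP is what was
    matched against the employee's workstation, the Message-ID is the key for
    following the same letter through the MTA log."""
    return [(e["ts"], e["ctx"].get("ip", "?"), m.group(1))
            for e in entries for m in [MSGID_RE.search(e["msg"])] if m]


def last_error_before(entries, restart_ts, levels=("ERROR", "FATAL")):
    """The last ERROR/FATAL logged before the restart time. The timestamp is
    zero-padded, so plain string comparison orders it correctly."""
    found = [e for e in entries if e["level"] in levels and e["ts"] < restart_ts]
    return found[-1] if found else None


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILBOX_LOG
    ents = parse_mailbox_log(text)
    print(format_entries(entries_for_account(ents, "ivanov@company.ru", "2020-09-20")))
    print(sent_messages(ents))
    err = last_error_before(ents, "2020-09-20 11:08:30,000")
    print("last error before restart:", err and err["raw"])
```

Redirect the first print to a file to produce the per-account extract shown in the screenshot; a plain grep on the user name would drop the stack-trace lines, which carry no name= field.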

Everything becomes more complicated in a multi-server infrastructure. Since the logs are collected locally, working with them across several servers is inconvenient, so it makes sense to set up centralized log collection. This is done by configuring a host to collect the logs. There is no need to add a dedicated host to the infrastructure: any mail server can act as the log collection node. In our case this will be the Mailstore01 node.

On this server, run the following commands:

sudo su - zimbra
zmcontrol stop
exit
sudo /opt/zimbra/libexec/zmfixperms -e -v

Edit the file /etc/sysconfig/rsyslog and set SYSLOGD_OPTIONS="-r -c 2"

Edit /etc/rsyslog.conf and uncomment (or add) the following lines, which make rsyslog accept syslog messages over UDP port 514. Syslog over UDP is neither authenticated nor encrypted, so restrict that port with the host firewall to the addresses of your own Zimbra servers:
$ModLoad imudp
$UDPServerRun 514

Run the following commands:

sudo /etc/init.d/rsyslog stop
sudo /etc/init.d/rsyslog start
sudo su – zimbra
zmcontrol start
exit
sudo /opt/zimbra/libexec/zmloggerinit
sudo /opt/zimbra/bin/zmsshkeygen
sudo /opt/zimbra/bin/zmupdateauthkeys

You can check that everything is working with the command zmprov gacf | grep zimbraLogHostname. After it runs, the name of the host that collects the logs is displayed. To change it, enter the command zmprov mcf zimbraLogHostname mailstore01.company.ru.

On the other servers in the infrastructure (LDAP, MTA and the remaining mail stores), run zmprov gacf | grep zimbraLogHostname to see the name of the host the logs are sent to. To change it, you can likewise enter the command zmprov mcf zimbraLogHostname mailstore01.company.ru

You must also run the following commands on every server:

sudo su - zimbra
/opt/zimbra/bin/zmsshkeygen
/opt/zimbra/bin/zmupdateauthkeys
exit
sudo /opt/zimbra/libexec/zmsyslogsetup
sudo service rsyslog restart
sudo su - zimbra
zmcontrol restart

After this, all logs will be written to the server you specified, where they can be viewed conveniently. In addition, in the Zimbra OSE admin console, on the screen showing server status, the Logger service will be shown as running only for the mailstore01 server.


Another headache for the administrator can be tracking a single e-mail. Mail in Zimbra OSE passes through several stages (antivirus scanning, antispam scanning, and so on) before it is accepted or sent, so if an e-mail does not arrive it can be a real problem for the administrator to find out at which stage it was lost.

To solve this problem you can use a special script written by information-security specialist Viktor Dukhovny and maintained by the Postfix developers. The script collates the log entries that belong to one transaction and therefore lets you quickly display all entries related to the sending of one letter by its identifier. Its operation has been tested on all versions of Zimbra OSE starting from 8.7. Here is the text of the script.

#! /usr/bin/perl

use strict;
use warnings;

# Postfix delivery agents
my @agents = qw(discard error lmtp local pipe smtp virtual);

# Matches the syslog prefix up to and including the "postfix/" instance name.
my $instre = qr{(?x)
	\A			# Absolute line start
	(?:\S+ \s+){3}		# Timestamp, adjust for other time formats
	\S+ \s+			# Hostname
	(postfix(?:-[^/\s]+)?)	# Capture instance name stopping before first '/'
	(?:/\S+)*		# Optional non-captured '/'-delimited qualifiers
	/			# Final '/' before the daemon program name
	};

# Matches "daemon[pid]: " immediately after the instance name.
my $cmdpidre = qr{(?x)
	\G			# Continue from previous match
	(\S+)\[(\d+)\]:\s+	# command[pid]:
	};

my %smtpd;		# per-smtpd-pid log accumulated before the queue id is known
my %smtp;		# per-smtp/lmtp-pid log accumulated before the "to=" line
my %transaction;	# queue id -> collated log text
my $i = 0;
my %seqno;		# queue id -> order of first appearance, for the final dump

my %isagent = map { ($_, 1) } @agents;

while (<>) {
	next unless m{$instre}ogc; my $inst = $1;
	next unless m{$cmdpidre}ogc; my $command = $1; my $pid = $2;

	if ($command eq "smtpd") {
		if (m{\Gconnect from }gc) {
			# Start new log
			$smtpd{$pid}->{"log"} = $_; next;
		}

		$smtpd{$pid}->{"log"} .= $_;

		if (m{\G(\w+): client=}gc) {
			# Fresh transaction
			my $qid = "$inst/$1";
			$smtpd{$pid}->{"qid"} = $qid;
			$transaction{$qid} = $smtpd{$pid}->{"log"};
			$seqno{$qid} = ++$i;
			next;
		}

		my $qid = $smtpd{$pid}->{"qid"};
		$transaction{$qid} .= $_
			if (defined($qid) && exists $transaction{$qid});
		delete $smtpd{$pid} if (m{\Gdisconnect from}gc);
		next;
	}

	if ($command eq "pickup") {
		if (m{\G(\w+): uid=}gc) {
			my $qid = "$inst/$1";
			$transaction{$qid} = $_;
			$seqno{$qid} = ++$i;
		}
		next;
	}

	# bounce(8) logs transaction start after cleanup(8) already logged
	# the message-id, so the cleanup log entry may be first
	#
	if ($command eq "cleanup") {
		next unless (m{\G(\w+): }gc);
		my $qid = "$inst/$1";
		$transaction{$qid} .= $_;
		$seqno{$qid} = ++$i if (! exists $seqno{$qid});
		next;
	}

	if ($command eq "qmgr") {
		next unless (m{\G(\w+): }gc);
		my $qid = "$inst/$1";
		if (defined($transaction{$qid})) {
			$transaction{$qid} .= $_;
			if (m{\Gremoved$}gc) {
				# Transaction complete: print it and forget it
				print delete $transaction{$qid}, "\n";
			}
		}
		next;
	}

	# Save pre-delivery messages for smtp(8) and lmtp(8)
	#
	if ($command eq "smtp" || $command eq "lmtp") {
		$smtp{$pid} .= $_;

		if (m{\G(\w+): to=}gc) {
			my $qid = "$inst/$1";
			if (defined($transaction{$qid})) {
				$transaction{$qid} .= $smtp{$pid};
			}
			delete $smtp{$pid};
		}
		next;
	}

	if ($command eq "bounce") {
		if (m{\G(\w+): .*? notification: (\w+)$}gc) {
			my $qid = "$inst/$1";
			my $newid = "$inst/$2";
			if (defined($transaction{$qid})) {
				$transaction{$qid} .= $_;
			}
			# The bounce line belongs at the head of the new transaction
			$transaction{$newid} =
				$_ . ($transaction{$newid} // "");
			$seqno{$newid} = ++$i if (! exists $seqno{$newid});
		}
		next;
	}

	if ($isagent{$command}) {
		if (m{\G(\w+): to=}gc) {
			my $qid = "$inst/$1";
			if (defined($transaction{$qid})) {
				$transaction{$qid} .= $_;
			}
		}
		next;
	}
}

# Dump logs of incomplete transactions.
foreach my $qid (sort {$seqno{$a} <=> $seqno{$b}} keys %transaction) {
    print $transaction{$qid}, "\n";
}

The script is written in Perl. To use it, save it to a file named collate.pl, make it executable, and run it with the log file as its argument, piping the output into grep to pull out the entries for the letter you are looking for by its Message-ID: collate.pl /var/log/zimbra.log | grep '<[email protected]>'. The result is a sequence of lines describing the movement of the letter through the server. Note that collate.pl prints each transaction as a block of lines separated by an empty line, so a plain grep for the Message-ID matches only the cleanup line that carries it; to print whole transactions, filter the output in paragraph mode (awk with an empty record separator) or give grep enough context lines.

# collate.pl /var/log/zimbra.log | grep '<[email protected]>'
Oct 13 10:17:00 mail postfix/pickup[4089]: 4FF14284F45: uid=1034 from=********
Oct 13 10:17:00 mail postfix/cleanup[26776]: 4FF14284F45: message-id=*******
Oct 13 10:17:00 mail postfix/qmgr[9946]: 4FF14284F45: from=********, size=1387, nrcpt=1 (queue active)
Oct 13 10:17:00 mail postfix/smtp[7516]: Anonymous TLS connection established to mail.*******[168.*.*.4]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Oct 13 10:17:00 mail postfix/smtp[7516]: 4FF14284F45: to=*********, relay=mail.*******[168.*.*.4]:25, delay=0.25, delays=0.02/0.02/0.16/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 878833424CF)
Oct 13 10:17:00 mail postfix/qmgr[9946]: 4FF14284F45: removed
Oct 13 10:17:07 mail postfix/smtpd[21777]: connect from zimbra.******[168.*.*.4]
Oct 13 10:17:07 mail postfix/smtpd[21777]: Anonymous TLS connection established from zimbra.******[168.*.*.4]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Oct 13 10:17:08 mail postfix/smtpd[21777]: 0CB69282F4E: client=zimbra.******[168.*.*.4]
Oct 13 10:17:08 mail postfix/cleanup[26776]: 0CB69282F4E: message-id=zimbra.******
Oct 13 10:17:08 mail postfix/qmgr[9946]: 0CB69282F4E: from=zimbra.******, size=3606, nrcpt=1 (queue active)
Oct 13 10:17:08 mail postfix/virtual[5291]: 0CB69282F4E: to=zimbra.******, orig_to=zimbra.******, relay=virtual, delay=0.03, delays=0.02/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Oct 13 10:17:08 mail postfix/qmgr[9946]: 0CB69282F4E: removed

For all questions related to Zextras Suite, you can contact the Zextras Representative Ekaterina Triandafilidi by e-mail: [email protected]

Source: www.habr.com