How to work with Zimbra OSE logs

Logging every event that occurs is one of the most important tasks of any enterprise system. Logs let you troubleshoot emerging problems, audit the operation of the information system, and investigate information security incidents. Zimbra OSE also keeps detailed logs of its operation. They cover everything from server performance to the sending and receiving of email by users. However, reading the logs produced by Zimbra OSE is not a simple task. In this article, using a specific example, we will explain how to read Zimbra OSE logs, and also how to centralize them.

Zimbra OSE stores all of its local logs in the /opt/zimbra/log folder; logs can also be found in the file /var/log/zimbra.log. The most important of them is mailbox.log. It records every action that takes place on the mail server. These include email transfers, user authentication data, failed login attempts, and more. An entry in mailbox.log is a text string consisting of the time the event occurred, the event level, the number of the thread in which the event occurred, the user name and IP address, and a text description of the event.


The log level shows how strongly an event affects the operation of the server. By default there are 4 event levels: INFO, WARN, ERROR and FATAL. Let us look at all the levels in order of increasing severity.

  • INFO - events at this level are usually intended to report on the progress of Zimbra OSE. Messages at this level include reports about the creation or deletion of a mailbox, and the like.
  • WARN - events at this level report potentially dangerous situations that do not, however, affect the operation of the server. For example, a message about a failed user login attempt is marked with the WARN level.
  • ERROR - this event level in the log reports an error of a local nature that does not interfere with the operation of the server. This level may mark, for example, an error in which a user's personal index data has been corrupted.
  • FATAL - this level indicates errors because of which the server can no longer operate normally. For example, a record showing that a connection to the DBMS cannot be established will have the FATAL level.

The mail server log file is rotated daily. The latest version of the file always has the name mailbox.log, while logs for a particular date carry that date in their name and are archived, for example mailbox.log.2020-09-29.tar.gz. This makes it much easier to archive logs and to search through them.

For the convenience of the system administrator, the /opt/zimbra/log/ folder contains other logs as well. Each of them contains only entries related to a specific component of Zimbra OSE. For example, audit.log contains only records about user authentication, clamd.log contains data about the operation of the antivirus, and so on. By the way, a good way to protect a Zimbra OSE server from intruders is to protect the server with Fail2Ban, which relies on audit.log. It is also good practice to add a cron job that runs the command grep -ir "password invalid" /opt/zimbra/log/audit.log to get daily information about failed logins.

An example of how audit.log shows a password entered incorrectly twice followed by a successful login attempt.

Logs in Zimbra OSE can be very useful for identifying the causes of various critical failures. At the moment a critical error occurs, the administrator usually has no time to read the logs: the server needs to be restored as quickly as possible. Later, however, when the server has been restored and has produced many more log entries, it can be difficult to find the required entry in a large file. To find the error entry quickly, it is enough to know the time the server was restarted and to find the log entry with that timestamp. The entry before it will be the record of the error that occurred. You can also find the error message by searching for the keyword FATAL.

Zimbra OSE logs also let you identify non-critical failures. For example, to find handler exceptions, you can search for handler exception. Often, errors caused by handlers are accompanied by a stack trace explaining what caused the exception. In the case of mail delivery errors, you should start your search with the keyword LmtpServer, and to search for errors related to the POP or IMAP protocols, you can use ImapServer and Pop3Server.

Logs can also help when investigating information security incidents. Let us look at a specific example. On September 20, one of the employees sent a virus-infected letter to a customer. As a result, the data on the customer's computer was encrypted. However, the employee swore that he had not sent anything. As part of the incident investigation, the corporate security service asks the system administrator for the mail server logs for September 20 relating to the user under investigation. Thanks to the timestamp, the system administrator finds the required log file, extracts the necessary information and forwards it to the security specialists. They, in turn, examine it and find that the IP address from which the letter was sent matches the IP address of the user's computer. CCTV footage confirmed that the employee was at his workstation when the letter was sent. This data was enough to charge him with violating the information security rules and to dismiss him.

An example of extracting the mailbox.log entries relating to one of the accounts into a separate file
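The log layout, level filtering, failed-login search and per-account extraction described above, as an added Python example (not from the article or from Zimbra): it parses constructed mailbox.log-style lines into fields, counts entries per level, attributes failed logins to account and source IP as the article's daily grep would, pulls one account's entries for one day as in the incident investigation, and locates the FATAL record that preceded a restart. The exact line layout, account names and addresses are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape the article describes for mailbox.log (timestamp,
# level, thread, [name=...;ip=...;] block, text). Not output of a real Zimbra server.
SAMPLE_LOG = """\
2020-09-20 09:12:01,044 INFO  [qtp-17:https://mail.company.ru/service/soap/AuthRequest] [name=ivanov@company.ru;ip=10.1.2.33;] soap - AuthRequest elapsed=21
2020-09-20 09:12:40,512 WARN  [qtp-18:https://mail.company.ru/service/soap/AuthRequest] [name=petrov@company.ru;ip=10.1.2.77;] security - cmd=Auth; account=petrov@company.ru; error=authentication failed, password invalid;
2020-09-20 09:12:52,130 WARN  [qtp-18:https://mail.company.ru/service/soap/AuthRequest] [name=petrov@company.ru;ip=10.1.2.77;] security - cmd=Auth; account=petrov@company.ru; error=authentication failed, password invalid;
2020-09-20 14:03:17,901 INFO  [LmtpServer-5] [name=ivanov@company.ru;ip=10.1.2.33;] lmtp - Delivering message: size=1387 bytes, nrcpts=1
2020-09-20 14:05:02,008 ERROR [ImapServer-2] [name=sidorov@company.ru;ip=10.1.2.90;] imap - handler exception
2020-09-21 02:00:00,000 FATAL [main] [] system - Unable to connect to database
2020-09-21 02:00:45,000 INFO  [main] [] system - Server started
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>INFO|WARN|ERROR|FATAL)\s+\[(?P<thread>[^\]]*)\] "
    r"\[(?P<fields>[^\]]*)\] (?P<text>.*)$"
)

def parse(log_text):
    """One dict per entry; the [name=...;ip=...;] block becomes a fields dict."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace continuation lines carry no timestamp; skip them
        e = m.groupdict()
        e["fields"] = dict(kv.split("=", 1) for kv in e["fields"].split(";") if "=" in kv)
        entries.append(e)
    return entries

def count_by_level(entries):
    return Counter(e["level"] for e in entries)

def failed_logins(entries):
    """Failed authentications per (account, ip): the article's daily grep, with attribution."""
    return Counter((e["fields"].get("name"), e["fields"].get("ip"))
                   for e in entries if "password invalid" in e["text"].lower())

def entries_for_account(entries, account, day):
    """Everything one account did on one day, as in the incident investigation."""
    return [e for e in entries if e["fields"].get("name") == account and e["date"] == day]

def fatal_before_restart(entries):
    """Text of the last FATAL record before the final 'Server started' entry, if any."""
    last_start = max((i for i, e in enumerate(entries) if e["text"].endswith("Server started")), default=len(entries))
    fatals = [e["text"] for e in entries[:last_start] if e["level"] == "FATAL"]
    return fatals[-1] if fatals else None
```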

Everything becomes much more complicated when it comes to multi-server infrastructures. Since logs are collected locally, working with them in a multi-server infrastructure is very inconvenient, so log collection needs to be centralized. This is done by designating a host to collect the logs. There is no particular need to add a dedicated host to the infrastructure: any mail server can act as the log collection node. In our case, this will be the Mailstore01 node.

On this server we need to enter the following commands:

sudo su - zimbra
zmcontrol stop
exit
sudo /opt/zimbra/libexec/zmfixperms -e -v

Edit the file /etc/sysconfig/rsyslog and set SYSLOGD_OPTIONS="-r -c 2"

Edit /etc/rsyslog.conf and uncomment the following lines:
$ModLoad imudp
$UDPServerRun 514

Enter the following commands:

sudo /etc/init.d/rsyslog stop
sudo /etc/init.d/rsyslog start
sudo su - zimbra
zmcontrol start
exit
sudo /opt/zimbra/libexec/zmloggerinit
sudo /opt/zimbra/bin/zmsshkeygen
sudo /opt/zimbra/bin/zmupdateauthkeys

You can check that everything works with the command zmprov gacf | grep zimbraLogHostname. After the command runs, the name of the host that collects the logs should be displayed. To change it, enter the command zmprov mcf zimbraLogHostname mailstore01.company.ru.

On all the other servers in the infrastructure (LDAP, MTA and the other mail stores), run the command zmprov gacf | grep zimbraLogHostname to see the name of the host the logs are sent to. To change it, you can likewise enter the command zmprov mcf zimbraLogHostname mailstore01.company.ru

You should also enter the following commands on every server:

sudo su - zimbra
/opt/zimbra/bin/zmsshkeygen
/opt/zimbra/bin/zmupdateauthkeys
exit
sudo /opt/zimbra/libexec/zmsyslogsetup
sudo service rsyslog restart
sudo su - zimbra
zmcontrol restart

After that, all logs will be written to the server you specified, where they can be viewed conveniently. Also, in the Zimbra OSE admin console, on the screen with server status information, the running Logger service will be shown only for the mailstore01 server.


Another headache for the administrator can be tracking a specific email. Since emails in Zimbra OSE pass through several different stages (antivirus scanning, antispam, and so on) before being accepted or sent, it can be very difficult for the administrator, if an email does not arrive, to trace at which stage it was lost.

To solve this problem, you can use a special script written by information security specialist Viktor Dukhovny and recommended for use by the Postfix developers. This script links the log entries of a specific process, so it lets you quickly extract all entries related to the sending of a specific message based on its identifier. It has been tested on all versions of Zimbra OSE starting from 8.7. Here is the text of the script.

#! /usr/bin/perl

use strict;
use warnings;

# Postfix delivery agents
my @agents = qw(discard error lmtp local pipe smtp virtual);

my $instre = qr{(?x)
	\A			# Absolute line start
	(?:\S+ \s+){3} 		# Timestamp, adjust for other time formats
	\S+ \s+ 		# Hostname
	(postfix(?:-[^/\s]+)?)	# Capture instance name stopping before first '/'
	(?:/\S+)*		# Optional non-captured '/'-delimited qualifiers
	/			# Final '/' before the daemon program name
	};

my $cmdpidre = qr{(?x)
	\G			# Continue from previous match
	(\S+)\[(\d+)\]:\s+	# command[pid]:
};

my %smtpd;
my %smtp;
my %transaction;
my $i = 0;
my %seqno;

my %isagent = map { ($_, 1) } @agents;

while (<>) {
	next unless m{$instre}ogc; my $inst = $1;
	next unless m{$cmdpidre}ogc; my $command = $1; my $pid = $2;

	if ($command eq "smtpd") {
		if (m{\Gconnect from }gc) {
			# Start new log
			$smtpd{$pid}->{"log"} = $_; next;
		}

		$smtpd{$pid}->{"log"} .= $_;

		if (m{\G(\w+): client=}gc) {
			# Fresh transaction
			my $qid = "$inst/$1";
			$smtpd{$pid}->{"qid"} = $qid;
			$transaction{$qid} = $smtpd{$pid}->{"log"};
			$seqno{$qid} = ++$i;
			next;
		}

		my $qid = $smtpd{$pid}->{"qid"};
		$transaction{$qid} .= $_
			if (defined($qid) && exists $transaction{$qid});
		delete $smtpd{$pid} if (m{\Gdisconnect from}gc);
		next;
	}

	if ($command eq "pickup") {
		if (m{\G(\w+): uid=}gc) {
			my $qid = "$inst/$1";
			$transaction{$qid} = $_;
			$seqno{$qid} = ++$i;
		}
		next;
	}

	# bounce(8) logs transaction start after cleanup(8) already logged
	# the message-id, so the cleanup log entry may be first
	#
	if ($command eq "cleanup") {
		next unless (m{\G(\w+): }gc);
		my $qid = "$inst/$1";
		$transaction{$qid} .= $_;
		$seqno{$qid} = ++$i if (! exists $seqno{$qid});
		next;
	}

	if ($command eq "qmgr") {
		next unless (m{\G(\w+): }gc);
		my $qid = "$inst/$1";
		if (defined($transaction{$qid})) {
			$transaction{$qid} .= $_;
			if (m{\Gremoved$}gc) {
				# Transaction complete: print it and forget it
				print delete $transaction{$qid}, "\n";
			}
		}
		next;
	}

	# Save pre-delivery messages for smtp(8) and lmtp(8)
	#
	if ($command eq "smtp" || $command eq "lmtp") {
		$smtp{$pid} .= $_;

		if (m{\G(\w+): to=}gc) {
			my $qid = "$inst/$1";
			if (defined($transaction{$qid})) {
				$transaction{$qid} .= $smtp{$pid};
			}
			delete $smtp{$pid};
		}
		next;
	}

	if ($command eq "bounce") {
		if (m{\G(\w+): .*? notification: (\w+)$}gc) {
			my $qid = "$inst/$1";
			my $newid = "$inst/$2";
			if (defined($transaction{$qid})) {
				$transaction{$qid} .= $_;
			}
			$transaction{$newid} =
				$_ . $transaction{$newid};
			$seqno{$newid} = ++$i if (! exists $seqno{$newid});
		}
		next;
	}

	if ($isagent{$command}) {
		if (m{\G(\w+): to=}gc) {
			my $qid = "$inst/$1";
			if (defined($transaction{$qid})) {
				$transaction{$qid} .= $_;
			}
		}
		next;
	}
}

# Dump logs of incomplete transactions.
foreach my $qid (sort {$seqno{$a} <=> $seqno{$b}} keys %transaction) {
    print $transaction{$qid}, "\n";
}

The script is written in Perl. To run it, save it to a file named collate.pl, make it executable, and then run it with the log file as its argument, piping the output through pgrep to extract the entries for the identifier of the message you are looking for: collate.pl /var/log/zimbra.log | pgrep '<[email protected]>'. The result will be a consecutive output of the lines containing information about the movement of the message on the server.

# collate.pl /var/log/zimbra.log | pgrep '<[email protected]>'
Oct 13 10:17:00 mail postfix/pickup[4089]: 4FF14284F45: uid=1034 from=********
Oct 13 10:17:00 mail postfix/cleanup[26776]: 4FF14284F45: message-id=*******
Oct 13 10:17:00 mail postfix/qmgr[9946]: 4FF14284F45: from=********, size=1387, nrcpt=1 (queue active)
Oct 13 10:17:00 mail postfix/smtp[7516]: Anonymous TLS connection established to mail.*******[168.*.*.4]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Oct 13 10:17:00 mail postfix/smtp[7516]: 4FF14284F45: to=*********, relay=mail.*******[168.*.*.4]:25, delay=0.25, delays=0.02/0.02/0.16/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 878833424CF)
Oct 13 10:17:00 mail postfix/qmgr[9946]: 4FF14284F45: removed
Oct 13 10:17:07 mail postfix/smtpd[21777]: connect from zimbra.******[168.*.*.4]
Oct 13 10:17:07 mail postfix/smtpd[21777]: Anonymous TLS connection established from zimbra.******[168.*.*.4]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Oct 13 10:17:08 mail postfix/smtpd[21777]: 0CB69282F4E: client=zimbra.******[168.*.*.4]
Oct 13 10:17:08 mail postfix/cleanup[26776]: 0CB69282F4E: message-id=zimbra.******
Oct 13 10:17:08 mail postfix/qmgr[9946]: 0CB69282F4E: from=zimbra.******, size=3606, nrcpt=1 (queue active)
Oct 13 10:17:08 mail postfix/virtual[5291]: 0CB69282F4E: to=zimbra.******, orig_to=zimbra.******, relay=virtual, delay=0.03, delays=0.02/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Oct 13 10:17:08 mail postfix/qmgr[9946]: 0CB69282F4E: removed
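The pgrep in the command above is a paragraph grep: it selects the whole blank-line-separated transaction that collate.pl emits rather than single matching lines. The following Python script is an added example, not part of the article or of Postfix; it performs that paragraph selection over a constructed sample modelled on the output above (host names, addresses and message-ids are invented) and summarizes each matched transaction's delivery outcome, including whether qmgr ever removed it from the queue.

```python
import re

# Constructed collate.pl-style output: two transactions separated by a blank line,
# modelled on the article's sample (which masks addresses and hosts with asterisks).
SAMPLE_COLLATED = """\
Oct 13 10:17:00 mail postfix/pickup[4089]: 4FF14284F45: uid=1034 from=<ivanov@company.ru>
Oct 13 10:17:00 mail postfix/cleanup[26776]: 4FF14284F45: message-id=<1234@mail.company.ru>
Oct 13 10:17:00 mail postfix/qmgr[9946]: 4FF14284F45: from=<ivanov@company.ru>, size=1387, nrcpt=1 (queue active)
Oct 13 10:17:00 mail postfix/smtp[7516]: 4FF14284F45: to=<client@example.com>, relay=mail.example.com[192.0.2.4]:25, delay=0.25, delays=0.02/0.02/0.16/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 878833424CF)
Oct 13 10:17:00 mail postfix/qmgr[9946]: 4FF14284F45: removed

Oct 13 10:17:07 mail postfix/smtpd[21777]: connect from zimbra.company.ru[192.0.2.4]
Oct 13 10:17:08 mail postfix/smtpd[21777]: 0CB69282F4E: client=zimbra.company.ru[192.0.2.4]
Oct 13 10:17:08 mail postfix/cleanup[26776]: 0CB69282F4E: message-id=<5678@zimbra.company.ru>
Oct 13 10:17:08 mail postfix/qmgr[9946]: 0CB69282F4E: from=<ivanov@company.ru>, size=3606, nrcpt=1 (queue active)
Oct 13 10:17:08 mail postfix/virtual[5291]: 0CB69282F4E: to=<petrov@company.ru>, relay=virtual, delay=0.03, delays=0.02/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Oct 13 10:17:08 mail postfix/qmgr[9946]: 0CB69282F4E: removed
"""

def paragraphs(text):
    """Split collate.pl output into transactions (blocks separated by blank lines)."""
    return [p for p in re.split(r"\n\s*\n", text.strip()) if p]

def pgrep(text, pattern):
    """Paragraph grep: every transaction in which some line matches the regex."""
    rx = re.compile(pattern)
    return [p for p in paragraphs(text) if rx.search(p)]

def summarize(transaction):
    """Queue id, message-id, (recipient, status) pairs, and whether qmgr removed it."""
    qid = re.search(r"\]: (\w+): (?:uid=|client=)", transaction).group(1)
    mid = re.search(r"message-id=(\S+)", transaction)
    deliveries = re.findall(r"to=(\S+),.*?status=(\w+)", transaction)
    return {
        "queue_id": qid,
        "message_id": mid.group(1) if mid else None,
        "deliveries": deliveries,
        # A transaction that never reaches "<qid>: removed" is still in the queue
        # (or was lost): that is the stage the article says is hard to find by hand.
        "completed": transaction.rstrip().endswith(f"{qid}: removed"),
    }
```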

For all questions related to Zextras Suite, you can contact the Zextras representative Ekaterina Triandafilidi by e-mail: [email protected]

Source: www.habr.com