[imp] Tracing webmail activity

Andy Rowan rowan at crssa.rutgers.edu
Tue Dec 7 14:00:18 PST 2004


Caveat: I am not a Horde developer, just an admin of a site that uses 
it.  So ... grains of salt could be necessary.

At 08:53 PM 12/6/2004, Mr Urquhardt wrote:
>Running Horde IMP (webmail client), version 3 at a small ISP.
>I need to know what kind of logging is enabled by default for user
>activity.

I believe the default is a file in /tmp named horde.log, but I'm not sure 
because I changed mine ... take a look at horde/config/horde.php, there are 
a bunch of settings in there that control logging.  You can control logging 
in the usual syslog way, with log levels.

>Scenarios:
>1. User logs in and accesses an account from "out there" on the
>internet. Does IMP/Horde log access times, IP addresses and
>individual activity (mails accessed, attachments downloaded etc) in
>that session?

The default log level almost certainly wouldn't get into that detail.  You 
could turn it to debug level and see what you get.


>2. With default settings, is there a period after which such
>information "falls off" and is deleted?

If you're logging to a file and it's in /tmp, probably a reboot wipes it out.

>3. If logging occurs, how do I answer the question of a particular
>user who wants to investigate a potential breach and get information
>of when/where/what was accessed.

If you have logging up to debug level, you're going to want to make some 
filters.  But you could start with grep and less and plow through it that way.

>4. Where (broadly) do I find the settings for customising logging
>features (if any)?

horde/config/horde.php.

And my two cents ... put the log file where the rest of your log files go, 
and put it in your rotation so it gets rolled over in a systematic 
way.   If you wanted to, you could run it through syslog and then keep two 
logs ... one verbose one that gets rotated away sooner, and another less 
verbose that sticks around a while.

-Andy
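
The filtering step suggested in the reply above (going beyond grep and less), as an added example that is not part of the original post and is not Horde code: it pulls one user's entries out of a log and summarises when and from which addresses they appear. The line layout, the sample lines and the names `user_events` and `by_source` are constructed assumptions; adjust `LINE_RE` to match what your own horde.log contains.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines; the layout is an assumption, not taken from Horde.
SAMPLE_LOG = """\
Dec 06 20:41:07 HORDE [notice] [imp] Login success for alice [203.0.113.7] to {mail.example.net:143}
Dec 06 20:43:55 HORDE [debug] [imp] alice [203.0.113.7] viewed message 4412 in INBOX
Dec 06 21:02:10 HORDE [error] [imp] FAILED LOGIN 198.51.100.23 to mail.example.net:143 as alice
Dec 06 21:02:31 HORDE [notice] [imp] Login success for bob [192.0.2.50] to {mail.example.net:143}
Dec 07 03:15:42 HORDE [notice] [imp] Login success for alice [198.51.100.23] to {mail.example.net:143}
this line is not in the expected layout
"""

# timestamp, ident, [level], [application], free-text message
LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ \[(\w+)\] \[(\w+)\] (.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def user_events(log_text, user, year=2004):
    """Return (timestamp, level, ip, message) for each parsable line naming `user`."""
    user_re = re.compile(r"\b%s\b" % re.escape(user))
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not user_re.search(m.group(4)):
            continue  # unparsable line, or a line about someone else
        # The assumed timestamp carries no year, so the caller supplies it.
        ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
        ip = IP_RE.search(m.group(4))
        events.append((ts, m.group(2), ip.group(0) if ip else None, m.group(4)))
    return events

def by_source(events):
    """Group events by source IP: {ip: (first_seen, last_seen, count)}."""
    seen = defaultdict(list)
    for ts, _level, ip, _msg in events:
        seen[ip].append(ts)
    return {ip: (min(t), max(t), len(t)) for ip, t in seen.items()}

if __name__ == "__main__":
    summary = by_source(user_events(SAMPLE_LOG, "alice"))
    for ip, (first, last, count) in sorted(summary.items()):
        print(ip, first, last, count)
```

An address that shows up only around a failed login followed by a later success is the kind of entry worth pulling out for the user who asked about a possible breach.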
