3
Which log records webmail access?
Question asked by Ubiquitas - 9/8/2014 at 4:29 AM
Unanswered
Hello
 
One of my clients has had their laptop stolen which connected to SM via IMAP.
 
Since the theft they have only used Webmail
 
The IMAP log is still recording entries for their account.
 
Question - am I correct in assuming this would be the stolen laptop trying to connect? Do webmail connections get recorded in another log? There is a limited amount of time before the battery dies on the laptop, so any help appreciated.

7 Replies

0
Bruce Barnes Replied
 
If you have enabled webmail access, it will appear under the IIS logs - and this is where it becomes complicated.
 
To find the logs, you will have to go into the IIS configuration for your instance of SmarterMail and look up the PATH used for the logs.  There will also be a "serial number" for the logs and they will be located within the path indicated by IIS, under the serial number assigned for the installation in a file called logs, just like any other IIS log.
 

Here's an image from an IIS 6 SmarterMail installation:

 
 
In this case, I opened IIS, went to the SmarterMail host config settings, RIGHT CLICKED on the drop-down which opened, and selected PROPERTIES:
 
 
This opened the following window:
 
and, staying on the Web Site tab, I went to the BOTTOM of the window and saw the following:
 
 
Next, I clicked on PROPERTIES and see the following window:
 
and this tells me that the LOGS, for this instance of SmarterMail, running under IIS, are located at:
 
D:\SmarterMail\Logs\W3SVC892963906 and are placed into daily log files, using the EXTENDED LOG FORMAT,  which are named as: EXYYMMDD.LOG
 
In MOST CASES, unless this has been modified by the installer, the log files will be hidden in a sub-directory on the "C" drive.
 
NOTE:  While the original question was specific to locating the log files, it should be understood that LOGS are something which need to be periodically maintained, whether for SmarterMail, other IIS hosted websites, or FTP logs, or your log files will quickly fill up a hard drive!
 
 

If you are running under IIS 7 or IIS 8, the process is a bit different in locating the logs:

Click the Server Manager tile, and then click OK.  
 
In Server Manager, click the Tools menu, and then click Internet Information Services (IIS) Manager
 
In the Connections tree view, select your website
 
In Features View, double-click Logging.
 
IIS: to use the Microsoft IIS log file format to log information about a site. This format is handled by HTTP.sys, and is a fixed ASCII text-based format, which means that you cannot customize the fields that are logged. Fields are separated by commas, and time is recorded as local time. For more information about the IIS log file format, see IIS Log File Format (IIS 6.0).
 
 
 
One of the shortcomings of IIS 7 and IIS 8, is that the LOG configuration does NOT tell you what sub-directory your logs will be placed into so you have to do some searching from there.
 

If you are running under the SmarterMail web interface, there will be almost no logging.  Remember, the SmarterMail web interface is designed only for the installation process and configuration.

Once SmarterMail has been installed, the SmarterMail should be transitioned to IIS and the SmarterMail web interface should be disabled.
 
Bruce Barnes
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Bruce Barnes Replied
IMAP connections are logged in the IMAP LOGS, within SmarterMail. IMAP logs must be set for DETAILED, or there will be very little information available in them.

At the very least, the POP, SMTP, IMAP, and DELIVERY LOGS should all be set to detailed. We also keep our WEBDAV, ACTIVESYNC and ADMINISTRATIVE logs set to detailed so we can quickly find and diagnose issues.

For information on where to get detailed information on the IIS connections, see my post on the IIS logs below.
0
Ubiquitas Replied
Thanks Bruce - they are set to detailed already - it confirms my suspicion that the laptop is still powered up, screen locked, with Outlook connecting (or at least trying) via IMAP
0
Bruce Barnes Replied
There are several IP geolocator services which may be able to help pinpoint the location of the laptop. Of course, they depend on the IPs being properly allocated by the company which is handing them out.

This link might help: https://www.google.com/?gws_rd=ssl#q=ip%20address%20geolocation%20database
0
Ubiquitas Replied
already on it :) can't say too much more but I think the laptop is VERY close to home!
0
CCC Replied
"One of the shortcomings of IIS 7 and IIS 8, is that the LOG configuration does NOT tell you what sub-directory your logs will be placed into so you have to do some searching from there."
While IIS7 & IIS8 do not display the log path for each site in the GUI, it can be derived by determining the ID# of the website in question.  Each of the web sites configured on the server is assigned a numerical ID by IIS when it is created.
 
If you click on the "Sites" container in the left panel of IIS manager, the right panel will display a list of the sites and their ID numbers.
 
The "Default web site" that gets created on a default IIS install gets the first ID number (ID 1), the next one you create is ID 2, and so forth.  
The logfiles will get stored in a subfolder based on the web site ID. (W3SVC1 = logs for site ID 1, W3SVC2 = logs for site ID 2, etc)
 
You can also get the same information from PowerShell
 
Import-Module WebAdministration
Get-ChildItem -Path IIS:\Sites
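
Once the W3SVC<ID> folder is known, the W3C Extended files in it can be summarised by client IP and compared with the addresses seen in the IMAP log. The following is an added example, not part of any post in this thread; it assumes PowerShell 3.0 or later, and the function name ConvertFrom-W3CLog, the sample log lines and the URL paths in them are constructed for illustration.

```powershell
# Turn IIS W3C Extended log lines into objects. The column list comes from the
# "#Fields:" header, which can reappear mid-file when logging settings change.
function ConvertFrom-W3CLog {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin { $fields = @() }
    process {
        if ($Line -like '#Fields:*') {
            $fields = $Line.Substring(8).Trim() -split '\s+'
        }
        elseif ($Line -and -not $Line.StartsWith('#') -and $fields.Count -gt 0) {
            $values = $Line.Trim() -split '\s+'
            if ($values.Count -eq $fields.Count) {   # skip truncated lines
                $row = [ordered]@{}
                for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
                New-Object psobject -Property $row
            }
        }
    }
}

# Constructed sample input (documentation IP ranges, placeholder URL paths).
$sample = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2014-09-08 08:00:00
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2014-09-08 08:00:01 GET /example/login.aspx 203.0.113.10 Mozilla/5.0+(Windows+NT+6.1) 200
2014-09-08 08:00:05 POST /example/login.aspx 203.0.113.10 Mozilla/5.0+(Windows+NT+6.1) 302
2014-09-08 09:12:40 GET /example/inbox.aspx 198.51.100.77 Mozilla/5.0+(Macintosh) 200
'@ -split "`r?`n"

# One row per client IP: request count, first/last time seen, user agents.
# W3C Extended timestamps are UTC; convert before lining them up with other logs.
$sample | ConvertFrom-W3CLog | Group-Object 'c-ip' | ForEach-Object {
    $times = @($_.Group | ForEach-Object { "$($_.date) $($_.time)" } | Sort-Object)
    New-Object psobject -Property ([ordered]@{
        ClientIP  = $_.Name
        Requests  = $_.Count
        FirstSeen = $times[0]
        LastSeen  = $times[-1]
        UserAgent = ($_.Group.'cs(User-Agent)' | Sort-Object -Unique) -join '; '
    })
}

# Against real files, replace $sample with the day's log, e.g. for the path
# quoted earlier in the thread:
#   Get-Content 'D:\SmarterMail\Logs\W3SVC892963906\ex140908.log' | ConvertFrom-W3CLog
```

An address that appears in the IMAP log but never in this webmail summary is a candidate for the device that is still polling over IMAP.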
 
 
 
2
Webio Replied
 
Vote up. On the other hand SM 16 will be totally rewritten for all functionality being performed using API so this gives us a chance to have better logging for webmail actions.
