Which log records webmail access?
Question asked by Miles Badger - September 8, 2014 at 4:29 AM
One of my clients has had their laptop stolen which connected to SM via IMAP.
Since the theft they have only used Webmail.
The IMAP log is still recording entries for their account.
Question - am I correct in assuming this would be the stolen laptop trying to connect? Do webmail connections get recorded in another log? There is a limited amount of time before the battery dies on the laptop, so any help appreciated.

3 Replies

If you have enabled webmail access, it will appear under the IIS logs - and this is where it becomes complicated.
To find the logs, you will have to go into the IIS configuration for your instance of SmarterMail and look up the PATH used for the logs. There will also be a "serial number" for the logs and they will be located within the path indicated by IIS, under the serial number assigned for the installation in a file called logs, just like any other IIS log.

Here's an image from an IIS 6 SmarterMail installation:

In this case, I opened IIS, went to the SmarterMail host config settings, RIGHT CLICKED on the drop-down which opened, and selected PROPERTIES:
This opened the following window:
and, staying on the Web Site tab, I went to the BOTTOM of the window and saw the following:
Next, I clicked on PROPERTIES and see the following window:
and this tells me that the LOGS, for this instance of SmarterMail, running under IIS, are located at:
D:\SmarterMail\Logs\W3SVC892963906 and are placed into daily log files, using the EXTENDED LOG FORMAT, which are named as: EXYYMMDD.LOG
In MOST CASES, unless this has been modified by the installer, the log files will be hidden in a sub-directory on the "C" drive.
NOTE:  While the original question was specific to locating the log files, it should be understood that LOGS are something which need to be periodically maintained, whether for SmarterMail, other IIS hosted websites, or FTP logs, or your log files will quickly fill up a hard drive!

If you are running under IIS 7 or IIS 8, the process is a bit different in locating the logs:

Click the Server Manager tile, and then click OK.  
In Server Manager, click the Tools menu, and then click Internet Information Services (IIS) Manager
In the Connections tree view, select your website
In Features View, double-click Logging.
IIS: to use the Microsoft IIS log file format to log information about a site. This format is handled by HTTP.sys, and is a fixed ASCII text-based format, which means that you cannot customize the fields that are logged. Fields are separated by commas, and time is recorded as local time. For more information about the IIS log file format, see IIS Log File Format (IIS 6.0).
One of the shortcomings of IIS 7 and IIS 8, is that the LOG configuration does NOT tell you what sub-directory your logs will be placed into so you have to do some searching from there.

If you are running under the SmarterMail web interface, there will be almost no logging.  Remember, the SmarterMail web interface is designed only for the installation process and configuration.

Once SmarterMail has been installed, the SmarterMail should be transitioned to IIS and the SmarterMail web interface should be disabled.
Bruce Barnes
ChicagoNetTech Inc

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
One of the shortcomings of IIS 7 and IIS 8, is that the LOG configuration does NOT tell you what sub-directory your logs will be placed into so you have to do some searching from there.
While IIS7 & IIS8 do not display the log path for each site in the GUI, it can be derived by determining the ID# of the website in question. Each of the web sites configured on the server is assigned a numerical ID by IIS when it is created.
If you click on the "Sites" container in the left panel of IIS manager, the right panel will display a list of the sites and their ID numbers.
The "Default web site" that gets created on a default IIS install gets the first ID number (ID 1), the next one you create is ID 2, and so forth.  
The logfiles will get stored in a subfolder based on the web site ID. (W3SVC1 = logs for site ID 1, W3SVC2 = logs for site ID 2, etc.)
You can also get the same information from PowerShell:
Import-Module WebAdministration
Get-ChildItem -Path IIS:\Sites
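
Building on the site ID lookup described above, this added example (not part of the original posts) resolves the W3SVC log folder for one site and counts requests per client IP in its newest log, which helps separate webmail hits from the IMAP entries in question. The site name 'SmarterMail' is an assumption, and the parsing assumes the site logs in W3C extended format with the c-ip field enabled.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS 7/8 server.
Import-Module WebAdministration

$siteName = 'SmarterMail'   # assumption: the name shown under "Sites" in IIS Manager

$site = Get-ChildItem -Path IIS:\Sites | Where-Object { $_.Name -eq $siteName }
if (-not $site) { throw "No IIS site named '$siteName'" }

# The configured directory may contain variables such as %SystemDrive%.
$base   = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
$logDir = Join-Path $base ("W3SVC{0}" -f $site.id)
Write-Output "Site ID $($site.id) logs to $logDir"

$latest = Get-ChildItem -Path $logDir -Filter *.log |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1
if (-not $latest) { throw "No log files found in $logDir" }

# W3C extended logs name their columns in a "#Fields:" header line,
# so read the column names from the file instead of hard-coding positions.
$fields = @()
$hits = foreach ($line in Get-Content -Path $latest.FullName) {
    if ($line.StartsWith('#Fields:')) {
        $fields = $line.Substring(8).Trim() -split ' '
        continue
    }
    # Skip blank lines, other directives, and rows seen before any header.
    if (-not $line -or $line.StartsWith('#') -or -not $fields) { continue }

    $values = $line -split ' '
    $row = @{}
    for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
        $row[$fields[$i]] = $values[$i]
    }
    New-Object PSObject -Property $row
}

# Requests per client address, busiest first.
$hits | Group-Object -Property 'c-ip' |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

W3C extended logs record time in UTC, so allow for the offset when lining these entries up against other logs.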
Vote up. On the other hand, SM 16 will be totally rewritten for all functionality being performed using API so this gives us a chance to have better logging for webmail actions.
