PO log file question

I'm seeing this in the PO log (11:10:48 ECB3 C/S Login Linux ::GW Id=Thom_Spicer :: 10.1.0.5 ) and trying to understand if this is coming from webacc, GWIA or GW client login?

  • WebAccess is mediated by SOAP
    GWIA would show IMAP / POP
    The rest are GroupWise clients. This seems to be indicating a Linux client.

    Example:

    0910poa.017:13:32:15 ECFF SOAP command:[loginRequest] requested from 192.168.2.64   User session(roger) <-- DataSync or WebAccess
    0910poa.017:13:32:20 E85F C/S Login GWIA/Imap ::GW Id=Ben :: 10.2.2.222 [192.168.2.59] <--GWIA
    0910poa.017:13:32:13 E7AF C/S Login Windows Net Id=Joe ::GW Id=Joe :: 192.168.2.67 <-- Initial login by Joe on Windows Client
    0910poa.017:13:32:21 E85F C/S Login Windows ::GW Id=Support :: 192.168.2.67 <-- Joe's Windows Client, accessing Support's account

    0910poa.017:13:39:53 EFB8 C/S Login Linux Net Id=Bob ::GW Id=Bob :: 192.168.2.158 <-- Me from my Linux desktop
    0910poa.017:13:39:59 E6DF C/S Login Linux ::GW Id=Logger :: 192.168.2.158 <-- Me, accessing a shared folder from Logger


    So in your case you need to look UP in the logs to see who is accessing some shared folder, or address book shared from Mr. Spicer so look for any activity from 10.1.0.5 and look for the primary login event. Any type of sharing will show up this way.

    -- Bob
  • 10.1.0.5 is our webacc and GWIA server, and I have some users getting their accounts locked from that IP address. None of them are using a Linux desktop. I thought someone might be trying to brute force the user password, and I was wanting to find out what IP address it was coming from. But since the IP address is from our server, not sure what is causing this and not sure which log file to check.
    09:53:01 EC5A C/S Login Linux ::GW Id=TSpicer :: 10.1.0.5
    09:53:04 ECA3 LDAP Error: 49 (TSpicer)
    09:53:04 ECA3 LDAP Error: Invalid credentials (TSpicer)
    09:53:04 ECA3 Error: Invalid password [D019] User:TSpicer (TSpicer)
  • Do you have an archiving solution, or some other things on the server which might be active? Is this user mailbox located on this server or another POA? And just to be clear, what version of GW is this?

    -- Bob
  • We have gwava retain and gwava reload, it runs at night. The user mailbox is on another POA; the 10.1.0.5 is just webacc and GWIA. We are using groupwise 2012.
  • In article <data5248.61i8kq@no-mx.forums.novell.com>, Data5248 wrote:
    > We are using groupwise 2012
    >

    and which patch/build level is it that you are running?
    And what OS are you running it on?
    If Linux, the command of
    rpm -qa |grep groupwise
    will give a good answer to just cut 'n paste here.


    Andy Konecny
    Knowledge Partner (voluntary SysOp)
    KonecnyConsulting.ca in Toronto
    ----------------------------------------------------------------------
    Andy's Profile: http://forums.novell.com/member.php?userid=75037


  • novell-groupwise-admin-12.0.1-103731
    novell-groupwise-gwha-12.0.1-103731
    novell-groupwise-dbcopy-12.0.1-103731
    novell-groupwise-gwdva-12.0.1-103731
    novell-groupwise-agents-12.0.1-103731

    POA is running oes 11sp1
    webacc and GWIA SLES 11sp2
  • I'm still seeing this Login Linux on several users and failing on the password.

    13:46:58 EC7B C/S Login Linux ::GW Id=AHartsfield :: 10.1.0.5
    13:47:01 EC7B LDAP Error: 49 (AHartsfield)
    13:47:01 EC7B LDAP Error: Invalid credentials (AHartsfield)
    13:47:01 EC7B Error: Invalid password [D019] User:AHartsfield (AHartsfield)
    13:47:01 E1DF *** APP DISCONNECTED, Tbl Entry=389, Check ID=1378801211
    13:47:02 E1DF *** NEW APP CONNECTION, Tbl Entry=389, Check ID=1378801212
    13:47:02 E1DF C/S Login GWIA/Imap ::GW Id=tickets :: 10.1.0.8 [10.1.0.5]
    13:47:02 ECB3 Notifying client at: 10.98.30.33 UDP port 1127
    13:47:02 ECB3 Notifying client at: 10.98.30.33 UDP port 1123

    14:15:42 E1DF C/S Login Linux ::GW Id=ROwens :: 10.1.0.5
    14:15:44 EBAF Processing update: item record (aroethler)
    14:15:44 EC72 Notifying client at: 10.3.130.217 UDP port 1163
    14:15:44 EC72 Notifying client at: 10.3.130.217 UDP port 1167
    14:15:44 EC72 Notifying client at: 10.3.129.115 UDP port 1147
    14:15:44 EBAF Purge Execution Record #16948 (aroethler)
    14:15:45 E1DF LDAP Error: 49 (ROwens)
    14:15:45 E1DF LDAP Error: Invalid credentials (ROwens)
    14:15:45 E1DF Error: Invalid password [D019] User:ROwens (ROwens)
    14:15:45 EC7B *** NEW APP CONNECTION, Tbl Entry=59, Check ID=1378801545
    14:15:45 ECBB *** APP DISCONNECTED, Tbl Entry=462, Check ID=1378801544
    14:15:45 EC7B C/S Login Windows ::GW Id=smalugin :: 10.1.0.14
    14:15:46 EC7B Opening remote C/S session for: smalugin
    14:15:46 DEFF *** NEW APP CONNECTION, Tbl Entry=462, Check ID=1378801546
    14:15:46 EC7B Sending file to remote client.

    Just want to post more of the log and see if anyone has any idea why it is doing this.
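
Added example (not part of any post in this thread): a small Python parser that pairs each "Invalid password [D019]" line with the most recent "C/S Login" line for the same GW Id and tallies failures by client type and source address, which is the look-up-in-the-log correlation suggested earlier in the thread. It assumes the line layout shown in the excerpts above; the function names and the 10-second pairing window are choices made for this example.

```python
import re
from collections import Counter

# Sample lines copied from the log excerpts posted in this thread.
SAMPLE = """\
13:46:58 EC7B C/S Login Linux ::GW Id=AHartsfield :: 10.1.0.5
13:47:01 EC7B LDAP Error: 49 (AHartsfield)
13:47:01 EC7B Error: Invalid password [D019] User:AHartsfield (AHartsfield)
13:47:02 E1DF C/S Login GWIA/Imap ::GW Id=tickets :: 10.1.0.8 [10.1.0.5]
14:15:42 E1DF C/S Login Linux ::GW Id=ROwens :: 10.1.0.5
14:15:44 EBAF Processing update: item record (aroethler)
14:15:45 E1DF Error: Invalid password [D019] User:ROwens (ROwens)
14:15:45 EC7B C/S Login Windows ::GW Id=smalugin :: 10.1.0.14
"""

# "C/S Login <type> [Net Id=x] ::GW Id=<user> :: <addr> [<bracketed addr>]"
LOGIN = re.compile(r"(\d\d:\d\d:\d\d) \w+ C/S Login (\S+)(?: Net Id=\S+)? "
                   r"::GW Id=(\S+) :: (\S+)(?: \[(\S+)\])?")
FAIL = re.compile(r"(\d\d:\d\d:\d\d) \w+ Error: Invalid password \[D019\] User:(\S+)")

def secs(hms):
    h, m, s = map(int, hms.split(":"))
    return h * 3600 + m * 60 + s

def failed_logins(log_text, window=10):
    """Pair each D019 failure with the latest C/S Login for that GW Id."""
    last_login = {}  # lowercased GW Id -> (seconds, client type, addr, bracketed addr)
    hits = []
    for line in log_text.splitlines():
        m = LOGIN.search(line)
        if m:
            t, ctype, user, addr, extra = m.groups()
            last_login[user.lower()] = (secs(t), ctype, addr, extra)
            continue
        m = FAIL.search(line)
        if m:
            t, user = m.groups()
            seen = last_login.get(user.lower())
            # Only trust the pairing if the login line is recent enough.
            if not (seen and 0 <= secs(t) - seen[0] <= window):
                seen = (None, None, None, None)
            hits.append({"time": t, "user": user, "client": seen[1],
                         "addr": seen[2], "bracketed": seen[3]})
    return hits

def sources(hits):
    """Count failures per (client type, source address)."""
    return Counter((h["client"], h["addr"]) for h in hits)
```

Pairing is done on the GW Id rather than on the hex field after the timestamp, because the first excerpt in this thread shows the login and the error under different values in that field.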
  • In article <data5248.61m66y@no-mx.forums.novell.com>, Data5248 wrote:
    > novell-groupwise-*-12.0.1-103731
    >

    Patching to SP2 of GroupWise would be my first shot at this.

    Are you using the LDAP interface on your GWIA? If not make sure it is
    turned off.
    Are you authenticating users via LDAP or normal built in GroupWise?



    Andy Konecny
    Knowledge Partner (voluntary SysOp)
    KonecnyConsulting.ca in Toronto