Log Formats

March 26, 2020

acctlog

The acctlog contains both authentication entries and authorization entries for the ESMTP_Listener and Control_Listener. It is configured in the ec_logger module.

Authentication Records

If enabled for the listener, authentication events for Unix domain sockets are logged one per line. The log entry is an @ delimited string, such as the following:

[email protected]@/tmp/[email protected]@[email protected]

If enabled for the listener, authentication events for TCP/IP listeners are logged one per line. The log entry is an @ delimited string, such as the following:

[email protected]@*:[email protected]:[email protected][email protected]

Note that @, \, \n, and other control characters appearing in a field are escaped by adding a \ before them.

The following is a description of the fields:

| Offset | Example | Field Description |
|---|---|---|
| 0 | 1160172232 | Date of authentication in Unix timestamp format (seconds since 00:00:00 Jan 1, 1970) |
| 1 | N | N indicating an authentication entry or T indicating an authentication timeout |
| 2 | *:2025 | Listener endpoint on which the event occurred |
| 3 | 10.80.116.126:37164 | IP and port of the peer (For Unix domain connections, this field will be empty.) |
| 4 | ec_user | User name used for the authentication |
| 5 | 1 | 1 indicates the authentication is successful; 0 otherwise. |

Authorization Records

A line is written to acctlog for every authorization event. The log entry is an @ delimited string, such as the following:

[email protected]@/tmp/[email protected]@[email protected]@[email protected]
[email protected]@/tmp/[email protected]@[email protected]@shutdown
[email protected]@*:[email protected]:[email protected]@[email protected]@users
[email protected]@*:[email protected]:[email protected]@[email protected]

Note that @, \, \n, and other control characters appearing in a field are escaped by adding a \ before them.

The following is a description of the fields:

| Offset | Example | Field Description |
|---|---|---|
| 0 | 1160172219 | Date of authorization in Unix timestamp format (seconds since 00:00:00 Jan 1, 1970) |
| 1 | Z | Z indicating an authorization entry |
| 2 | /tmp/2025 or *:2025 | Listener endpoint on which the event occurred |
| 3 | 10.80.116.126:37162 | IP and port of the peer (For Unix domain connections this field will be blank.) |
| 4 | ec_user | User name used for the authentication |
| 5 | 1 | 1 indicates the user is authorized to run the command; 0 indicates the authorization failed; -1 indicates some error occurred during authorization. |
| 6 | summary | Command that was requested to run |
| 7 | users | Role that matched during successful authorization |

Note

The ? type indicator denotes an unknown acctlog type.
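The following is an added example, not code from the product or its documentation. It parses authentication (N, T) and authorization (Z) records while honoring the \ escaping described above, and shows why a plain split on @ misreads the result field when a user name contains an @. It assumes each record is passed without its trailing newline and that an escape is a backslash followed by the literal character; the function names are hypothetical and the sample lines are constructed from the example values in the field descriptions.

```python
AUTH_FIELDS = ("timestamp", "type", "listener", "peer", "user", "result")
AUTHZ_FIELDS = AUTH_FIELDS + ("command", "role")

# Constructed sample lines (built from the example values in the field tables).
TCP_AUTH = r"1160172232@N@*:2025@10.80.116.126:37164@ec_user@1"
ESCAPED_USER = r"1160172232@N@*:2025@10.80.116.126:37164@ec_user\@1@0"
UNIX_AUTHZ = r"1160172219@Z@/tmp/2025@@ec_user@1@summary@users"


def split_fields(line):
    """Split on unescaped '@'; a backslash makes the next character literal."""
    fields, current, escaped = [], [], False
    for ch in line:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "@":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    fields.append("".join(current))
    return fields


def parse_record(line):
    """Return a dict for an N/T or Z record; anything else is type '?'."""
    values = split_fields(line)
    rtype = values[1] if len(values) > 1 else "?"
    names = {"N": AUTH_FIELDS, "T": AUTH_FIELDS, "Z": AUTHZ_FIELDS}.get(rtype)
    if names is None or len(values) < 6:
        return {"type": "?", "raw": values}
    record = dict(zip(names, values))  # role is absent when none matched
    record["timestamp"] = int(record["timestamp"])
    record["result"] = int(record["result"])  # 1, 0, or -1 (authorization error)
    return record


if __name__ == "__main__":
    # A naive split treats the escaped '@' as a delimiter and shifts the fields.
    print("naive result field:", ESCAPED_USER.split("@")[5])
    for sample in (TCP_AUTH, ESCAPED_USER, UNIX_AUTHZ):
        print(parse_record(sample))
```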