Introduction
Email logins are recorded in the following three files. Some of the information they log overlaps:
/var/log/maillog
/usr/local/cpanel/logs/session_log
/usr/local/cpanel/logs/login_log
The following command extracts every login to any email account on the server that is recorded in the log files above:
{ grep -Ei "login:" /var/log/maillog | awk '{print $1 " " $2 " " $3 " " $10 " " $8 }' | sed 's/rip=//g;s/,//g' && grep -Ei "\[webmaild\]" /usr/local/cpanel/logs/session_log* | awk '{print $1 " " $2 " " $6 " " $8}' | cut -d"[" -f 2 | sort | uniq && grep -Ei "\[webmaild\]" /usr/local/cpanel/logs/login_log* | awk '{print $1 " " $2 " " $6 " " $8}' | cut -d"[" -f 2 | sort | uniq; }
Here is a sample output from the above command:
2020-12-20 09:38:29 10.3.17.240 cptest2@cptest.tld
2020-12-20 10:05:19 10.3.17.240 cptest2@cptest.tld
2021-03-04 09:42:40 10.3.17.193 test@mytestcp.tld
As you can see, the command lists the timestamp, the remote IP address, and the email account for each login attempt, in that order.