From I.Elston at bolton.ac.uk Thu Mar 28 16:53:02 2024
From: I.Elston at bolton.ac.uk (Elston, Ian)
Date: Thu, 28 Mar 2024 16:53:02 +0000
Subject: [ZendTo] Interesting issue with historical logging/resurrecting old zendto from backup

Had an interesting issue the last couple of days, wondered if anyone had run into similar.

A high-up user asked me if there was a way of checking the activity around a particular drop off, what was uploaded when, and downloaded when by who. This was back at the end of Jan. We delete drop-offs after 7 days.

The zendto.log on the live server did not go back far enough (maybe I need to amend my log rotation settings here...) so I restored the logs off a backup from within 7 days of the drop-off being made. I knew the uploader and the recipient, so I was able to find the drop-off ID and therefore all the corresponding log entries.

From zendto.log I was able to ascertain the time of upload, the IP Address of the upload, the fact there were 3 files in the upload (but not the filenames), and that the email was sent to the recipient. I could then determine when the files were downloaded and from what IP Address. Either 1 single file was downloaded, or the entire drop-off in an entire zip file. So I know for certain the name of ONE of the files.

What I've been asked is if I can evidence the names of the files which were uploaded, as the user recalls there should've been 4.

I've tried to recover the server from backup within that 7-day period, changed its IP, switched from SAML to local authenticator, and I can log in as a local user who is an admin. BUT the zendto.log is empty aside from today's entries, and there are no drop-offs listed, but in the filesystem there are drop-offs, including the one I'm interested in in /var/zendto/drop-offs

I'm assuming the filenames are randomised in the filesystem for privacy, which I sort of understand.
What I don't get is why my zendto log is empty, and I have no drop-offs in the UI.

-----------------------------------------------
Ian Elston
Senior Networks officer
Information Systems & Technology
The University of Bolton
http://www.bolton.ac.uk

This email (and any attachments) is confidential and may contain personal views which are not the views of the University of Bolton unless specifically stated. If you have received it in error, please delete it from your system. Do not use, copy or disclose information in any way nor act in reliance on it and notify the sender immediately. Please note the University of Bolton monitors emails sent or received. Further communication will signify your consent to this.

From deq at pattishall.com Thu Mar 28 16:57:00 2024
From: deq at pattishall.com (Dale E. Qualls)
Date: Thu, 28 Mar 2024 16:57:00 +0000
Subject: [ZendTo] Interesting issue with historical logging/resurrecting old zendto from backup !!NOSIG!! !!NOADV!!

Maybe the log rotation happened upon the server updating its date/time via NTP on bootup and since it was more than 7 days old based on current time it rotated them?

Just a thought.

Dale E. Qualls
Director of Information Technology
Pattishall, McAuliffe, Newbury, Hilliard & Geraldson LLP
200 South Wacker Drive, Suite 2900
Chicago, IL 60606-5896
Direct: (312) 554-7979
Main: (312) 554-8000
Fax: (312) 554-8015
deq at pattishall.com
www.pattishall.com

The preceding message and any attachments may contain confidential information protected by the attorney-client or other privilege. You may not forward this message or any attachments without the permission of the sender. If you believe that it has been sent to you in error, please reply to the sender that you received the message in error and then delete it.
Nothing in this email message, including the typed name of the sender and/or this signature block, is intended to constitute an electronic signature unless a specific statement to the contrary is included in the message.

From I.Elston at bolton.ac.uk Thu Mar 28 17:05:04 2024
From: I.Elston at bolton.ac.uk (Elston, Ian)
Date: Thu, 28 Mar 2024 17:05:04 +0000
Subject: [ZendTo] Interesting issue with historical logging/resurrecting old zendto from backup !!NOSIG!! !!NOADV!!

Yeah mine too. Not sure how I can stop that from happening since I need it on the network to access it.

From john.thurston at alaska.gov Thu Mar 28 20:39:24 2024
From: john.thurston at alaska.gov (John Thurston)
Date: Thu, 28 Mar 2024 12:39:24 -0800
Subject: [ZendTo] Interesting issue with historical logging/resurrecting old zendto from backup

You need to restore the backup onto a device, and mount that device on a running system. Then you can look at the old logs, database, and filesystem.

It may have an operating system on it, but you do NOT want to boot that restored device. As soon as you do, it's going to purge and clean up all the ancient stuff.

--
Do things because you should, not just because you can.

John Thurston 907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska

On 3/28/2024 8:53 AM, Elston, Ian via ZendTo wrote:
> I've tried to recover the server from backup within that 7-day period, changed its IP, switched from SAML to local authenticator, and I can log in as a local user who is an admin.
> BUT the zendto.log is empty aside from today's entries, and there are no drop-offs listed, but in the filesystem there are drop-offs, including the one I'm interested in in /var/zendto/drop-offs
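
The approach described in the last message, as an added example that is not part of the original thread: attach the restored image read-only on a host that is already running, then search zendto.log and its rotated copies for the drop-off ID. The image path, mount point, first-partition layout and rotated-log names (such as `zendto.log.1` or `zendto.log.2.gz`) are assumptions.

```shell
#!/bin/sh
# Added example. Image path, mount point, partition and ID are placeholders.

# Attach a restored disk image read-only and mount it on an already-running
# host, so the restored OS never boots and its cleanup/rotation jobs never run.
# Needs root. Assumes the data sits on the first partition. 'noload' applies
# to ext3/ext4 and stops the journal being replayed onto the restored copy.
mount_restored_ro() {
    image=$1 mnt=$2
    loopdev=$(losetup --find --show --read-only --partscan "$image") || return 1
    mkdir -p "$mnt" || return 1
    mount -o ro,noload,noexec,nodev,nosuid "${loopdev}p1" "$mnt"
}

# Print every line that mentions a drop-off ID, taken from zendto.log and any
# rotated copies (plain or gzip) found under the mounted root. Each line is
# prefixed with the file it came from. Matching is literal (grep -F).
search_dropoff() {
    root=$1 id=$2
    find "$root" -type f -name 'zendto.log*' | sort |
    while IFS= read -r f; do
        rel=${f#"$root"}
        case $f in
            *.gz) gzip -dc -- "$f" ;;
            *)    cat -- "$f" ;;
        esac | grep -F -- "$id" | awk -v p="$rel" '{ print p ": " $0 }'
    done
}

# Usage: sh inspect.sh restored.img /mnt/restore DROPOFF-ID
if [ "$#" -eq 3 ]; then
    mount_restored_ro "$1" "$2" && search_dropoff "$2" "$3"
fi
```
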