Skip to main content

Log Formats

Last updated March 2020

acctlog

The acctlog contains both authentication entries and authorization entries for the ESMTP_Listener and Control_Listener. It is configured in the ec_logger module.

Authentication Records

If enabled for the listener, authentication events for Unix domain sockets are logged one per line. The log entry is an @ delimited string, such as the following:

1160503808@N@/tmp/2025@@ec-user@1

If enabled for the listener, authentication events for TCP/IP listeners are logged one per line. The log entry is an @ delimited string, such as the following:

1160172232@N@*:2025@10.80.116.126:37164@ec_user@1

Note that @, \, \n and other control characters appearing in a field are escaped by adding an \ before them.

The following is a description of the fields:

OffsetExample FieldDescription
01160172232Date of authentication in Unix timestamp format (seconds since 00:00:00 Jan 1, 1970)
1NN indicating an authentication entry or T indicating an authentication timeout
2*:2025Listener endpoint on which the event occurred
310.80.116.126:37164IP and port of the peer (For Unix domain connections, this field will be empty.)
4ec_userUser name used for the authentication
511 indicates the authentication is successful; 0 otherwise.

Authorization Records

A line is written to acctlog for every authorization event. The log entry is an @ delimited string, such as the following:

1160503811@Z@/tmp/2025@@ec-user@1@summary@users
1160504707@Z@/tmp/2025@@ec-user@0@shutdown
1160172223@Z@*:2025@10.80.116.126:37162@ec-user@1@summary@users
1160172219@Z@*:2025@10.80.116.126:37162@ec-user@0@shutdown

Note that @, \, \n and other control characters appearing in a field are escaped by adding an \ before them.

The following is a description of the fields:

OffsetExample FieldDescription
01160172219Date of authorization in Unix timestamp format (seconds since 00:00:00 Jan 1, 1970)
1ZZ indicating an authorization entry
2/tmp/2025 or *:2025Listener endpoint on which the event occurred
310.80.116.126:37162IP and port of the peer (For Unix domain connections this field will be blank.)
4ec_userUser name used for the authentication
511 indicates the user is authorized to run the command; 0 indicates the authorization failed; -1 indicates some error occurred during authorization.
6summaryCommand that was requested to run
7usersRole that matched during successful authorization

Note

The ? type indicator denotes an unknown acctlog type.

Was this page helpful?