How to tell if an admin has read a message from someones archive - mailbox.log?

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Post Reply
Shane Herman
Posts: 1
Joined: Sat Sep 13, 2014 3:05 am

How to tell if an admin has read a message from someones archive - mailbox.log?

Post by Shane Herman »

Hi,
I need to know if there is a way that I can tell if one of my admins has accessed read an email from one of our executive's archive account. I've been reading through the "mailbox.log" and I can see that he accessed her archives, but I need to know which message he has opened or read. It doesn't appear that I can link any entry in the mailbox.log file to a particular message.
Is there something I'm missing? Is there a better log file I should check out? Any help would be appreciated as this man's job is at risk.
Thanks!
Shane
Rich Graves
Outstanding Member
Outstanding Member
Posts: 687
Joined: Fri Sep 12, 2014 10:24 pm

How to tell if an admin has read a message from someones archive - mailbox.log?

Post by Rich Graves »

Sorry to hear that such an accusation is in play. Not fun for anyone.
log/access_log.2013-(current date) is the web server log. It won't tell you what message was read (unless they used the "Standard HTML," "Mobile," or "Print View" clients, which is unlikely), but it will give you a slightly better idea how active they were.
As you've seen, message deletions are recorded, but reads are not (unless you have played with Log Files - Zimbra :: Wiki which you cannot do retroactively).
Oh! If the snooper changed the message's read/unread flags, and if no later event changed any flag, then the timestamp would be recorded in the mail_item table. You're going to need to spend a fair amount of time reading wiki articles to figure out how to trace an account to a mboxgroup and mailbox_id, and then select the row for the mail_item_it. Good luck.
Note that it's certainly possible to see a message by accident while doing legitimate work. Some pane layouts have the effect of auto-opening the most recent message, after all. If he had no business being in the account at all, and you're just assessing how bad the damage was, then again, good luck and make sure you (not just the exec) call the lawyers first.
Post Reply