
Re: audit.log to syslog



Edit /opt/zimbra/conf/log4j.properties and change

log4j.logger.zimbra.security=INFO,AUDIT

to

log4j.logger.zimbra.security=INFO,AUDIT,SYSLOG

(Edit log4j.properties.in as well to make the change permanent)

You can also dump a lot more to syslog by setting zimbraLogToSyslog=TRUE, but this results in zmconfigd doing an automatic mailboxd restart, which may not be desired.


From: "Tim Ross" <tross@calpoly.edu>
To: "zimbra-hied-admins" <zimbra-hied-admins@sfu.ca>
Sent: Friday, December 7, 2012 12:41:47 PM
Subject: audit.log to syslog

We have been attempting to send our /opt/zimbra/log/audit.log info to a central, non-Zimbra logging server for our campus IT security team to monitor for suspicious Zimbra login activity. I followed the steps AJ Cody outlined here: http://wiki.zimbra.com/wiki/Ajcody-Logging#Single_Server_Setup. I was able to get some of the logging info over to the central logging server, but "auth.*" doesn't seem to capture info sent to audit.log. I came across a Zimbra forum post from a couple of years ago where a couple of people were trying to accomplish this same thing and none seemed to have found the trick. Has anyone out there figured out how to accomplish this?

BTW - our servers are Red Hat 5-64 bit and we are on ZCS 7.2.0 NE.  I have a ticket open with Zimbra, but wanted to throw it out to the community also.

Thanks,

Tim Ross
Application Administrator
Enterprise Applications Group
Cal Poly State University, San Luis Obispo
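
The edit described in the reply at the top of this thread, as an added example that is not part of the original messages: a shell helper that appends the SYSLOG appender to the zimbra.security logger line exactly once and reports whether it is present afterwards. The function names, the .bak backup suffix and the sample file contents are assumptions made for the example; the files to patch are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original thread). Paths are passed as arguments.
KEY='log4j.logger.zimbra.security'

# has_syslog FILE: succeed only if the logger line lists SYSLOG as a whole token.
has_syslog() {
    awk -F= -v key="$KEY" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key {
            n = split($2, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] == "SYSLOG") found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# add_syslog FILE: append ,SYSLOG once. Returns 0 when present afterwards,
# 2 when the file has no zimbra.security logger line, 1 on copy failure.
add_syslog() {
    file=$1
    has_syslog "$file" && return 0
    grep -q '^[[:space:]]*log4j\.logger\.zimbra\.security[[:space:]]*=' "$file" || return 2
    cp -p "$file" "$file.bak" || return 1
    # Rewrite in place from the backup so ownership and mode of FILE are kept.
    sed 's/^\([[:space:]]*log4j\.logger\.zimbra\.security[[:space:]]*=.*[^[:space:]]\)[[:space:]]*$/\1,SYSLOG/' \
        "$file.bak" > "$file"
    has_syslog "$file"
}

# With arguments: patch each file named. Without: run on a constructed sample.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        add_syslog "$f"; echo "$f: add_syslog returned $?"
    done
else
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample' \
        'log4j.logger.example.other=INFO,AUDIT' \
        'log4j.logger.zimbra.security=INFO,AUDIT' > "$tmp"
    add_syslog "$tmp" && add_syslog "$tmp"   # second call is a no-op
    grep 'zimbra.security' "$tmp"
    rm -f "$tmp" "$tmp.bak"
fi
```

Run it against both log4j.properties and log4j.properties.in, since the reply notes that only the second edit makes the change permanent. A return value of 2 means the file has no zimbra.security logger line to extend.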