
Re: audit.log to syslog

We're using syslog-ng, but I didn't have to put anything special in it to get it to dump those entries to zimbra.log.

You could try re-running /opt/zimbra/libexec/zmsyslogsetup to make sure all the Zimbra log modifications are in your conf file.

From: "Tim Ross" <tross@calpoly.edu>
To: "zimbra-hied-admins" <zimbra-hied-admins@sfu.ca>
Sent: Friday, December 7, 2012 1:14:49 PM
Subject: Re: audit.log to syslog


Thanks for the reply.  Unfortunately, both of those steps are part of the steps that AJ Cody had documented.  I have both those changes set on our server.  Those changes still don't cause the log entries which go to audit.log to be captured by syslog.  Is this working on your Zimbra setup?  If so, did you make any special adjustments to your /etc/syslog.conf file to capture the audit.log info?

Tim Ross
Application Administrator
Enterprise Applications Group
Cal Poly State University, San Luis Obispo

From: "Justin Wainwright" <jwain@merit.edu>
To: "zimbra-hied-admins" <zimbra-hied-admins@sfu.ca>
Sent: Friday, December 7, 2012 9:57:57 AM
Subject: Re: audit.log to syslog

Edit /opt/zimbra/conf/log4j.properties and change




(Edit log4j.properties.in as well to make the change permanent)

You can also dump a lot more to syslog by setting zimbraLogToSyslog=TRUE, but this results in zmconfigd doing an automatic mailboxd restart, which may not be desired.

From: "Tim Ross" <tross@calpoly.edu>
To: "zimbra-hied-admins" <zimbra-hied-admins@sfu.ca>
Sent: Friday, December 7, 2012 12:41:47 PM
Subject: audit.log to syslog

We have been attempting to send our /opt/zimbra/log/audit.log info to a central, non-Zimbra logging server for our campus IT security team to monitor for suspicious Zimbra login activity.  I followed the steps AJ Cody outlined here:  http://wiki.zimbra.com/wiki/Ajcody-Logging#Single_Server_Setup.  I was able to get some of the logging info over to the central logging server, but "auth.*" doesn't seem to capture info sent to audit.log.  I came across a Zimbra forum post from a couple years ago where a couple people were trying to accomplish this same thing and none seemed to have found the trick.  Has anyone out there figured out how to accomplish this?

BTW - our servers are Red Hat 5-64 bit and we are on ZCS 7.2.0 NE.  I have a ticket open with Zimbra, but wanted to throw it out to the community also.


Tim Ross
Application Administrator
Enterprise Applications Group
Cal Poly State University, San Luis Obispo