
Re: audit.log to syslog



Hello Tim,

Tim Ross wrote:
> We have been attempting to send our /opt/zimbra/log/audit.log info to a
> central, non-Zimbra logging server for our campus IT security team to
> monitor for suspicious Zimbra login activity. I followed the steps AJ
> Cody outlined here:
> http://wiki.zimbra.com/wiki/Ajcody-Logging#Single_Server_Setup. I was
> able to get some of the logging info over to the central logging server,
> but "auth.*" doesn't seem to capture info sent to audit.log. I came
> across a Zimbra forum post from a couple years ago where a couple people
> were trying to accomplish this same thing and none had seemed to have
> found the trick. Has anyone out there figured out how to accomplish this?
>
> BTW - our servers are Red Hat 5-64 bit and we are on ZCS 7.2.0 NE. I
> have a ticket open with Zimbra, but wanted to throw it out to the
> community also.

If you can't get that to work, you can always fake it with logger...

    tail -f /opt/zimbra/log/audit.log | logger -p auth.info

I use Splunk for this sort of thing, so I don't have a great solution.

I suspect your InfoSec team might also appreciate having cookies in the weblogs for activity tracking. I know I've used it a number of times to keep tabs on things. Unfortunately it doesn't stick between upgrades, so keep it on your checklist.

<http://wiki.zimbra.com/wiki/NGINX_Log_Customization>

Thanks,
Will

--
Will Froning
Information Security Manager
Office of the Vice Chancellor for Finance and Administration


American University of Sharjah

Tel +971 6 515 2124
Mobile +971 50 737 1599
Fax  +971 6 515 2120

PO Box 26666, Sharjah
United Arab Emirates
http://www.aus.edu
wfroning@aus.edu
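
A cron-driven variant of the logger approach in the reply above, as an added example that is not part of the original message: instead of a long-running tail -f, each run hands logger only the complete lines appended to audit.log since the previous run, and starts over when the file is rotated. The state-file path, the tag zimbra-audit and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Intended to be run from cron.
AUDIT_LOG=${AUDIT_LOG:-/opt/zimbra/log/audit.log}  # path given in the thread
STATE=${STATE:-/var/tmp/zimbra-audit.state}        # assumed state-file location
TAG=${TAG:-zimbra-audit}                           # assumed syslog tag

# Print the complete lines added to log $1 since the previous call and
# record "inode line-count" in state file $2.
new_audit_lines() {
    log=$1; state=$2
    [ -r "$log" ] || return 1
    inode=$(ls -i "$log" | awk '{print $1}')
    total=$(wc -l < "$log" | tr -d ' ')    # counts newline-terminated lines only
    old_inode=; sent=0
    if [ -f "$state" ]; then read -r old_inode sent < "$state" || true; fi
    case $sent in ''|*[!0-9]*) sent=0 ;; esac    # ignore a corrupt state file
    # New inode or fewer lines than last time: the log was rotated, start over.
    if [ "$inode" != "$old_inode" ] || [ "$total" -lt "$sent" ]; then sent=0; fi
    if [ "$total" -gt "$sent" ]; then
        # head stops at the counted total, so a half-written last line and
        # anything appended after the count wait for the next run.
        tail -n +"$((sent + 1))" "$log" | head -n "$((total - sent))"
    fi
    printf '%s %s\n' "$inode" "$total" > "$state"
}

# Hand the new lines to the local syslog daemon as auth.info, tagged so the
# central server can filter on the program name.
forward_audit() {
    new_audit_lines "$AUDIT_LOG" "$STATE" | logger -t "$TAG" -p auth.info
}

if [ "${1:-}" = "--run" ]; then forward_audit; fi
```

The first run sends the whole existing file. Lines written to the old file between the last run and a rotation are not sent, so schedule the job frequently.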