We have been attempting to send our /opt/zimbra/log/audit.log info to a central, non-Zimbra logging server for our campus IT security team to monitor for suspicious Zimbra login activity. I followed the steps AJ Cody outlined here: http://wiki.zimbra.com/wiki/Ajcody-Logging#Single_Server_Setup. I was able to get some of the logging info over to the central logging server, but "auth.*" doesn't seem to capture info sent to audit.log. I came across a Zimbra forum post from a couple years ago where a couple people were trying to accomplish this same thing and none had seemed to have found the trick. Has anyone out there figured out how to accomplish this?
BTW - our servers are Red Hat 5-64 bit and we are on ZCS 7.2.0 NE. I have a ticket open with Zimbra, but wanted to throw it out to the community also.
Thanks,
Tim Ross
Application Administrator
Enterprise Applications Group
Cal Poly State University, San Luis Obispo