Edit /opt/zim
bra/conf/log4j.properties and change
log4j.logger.zimbra.security=INFO,AUDIT
to
log4j.logger.zimbra.security=INFO,AUDIT,SYSLOG
(Edit log4j.properties.in as well to make the change permanent)
You can also dump a lot more to syslog by setting zimbraLogToSyslog=TRUE, but this results in zmconfigd doing an automatic mailboxd restart, which may not be desired.
From: "Tim Ross" <tross@calpoly.edu>
To: "zimbra-hied-admins" <zimbra-hied-admins@sfu.ca>
Sent: Friday, December 7, 2012 12:41:47 PM
Subject: audit.log to syslog
We have been attempting to send our /opt/zimbra/log/audit.log info to a central, non-Zimbra logging server for our campus IT security team to monitor for suspicious Zimbra login activity. I followed the steps AJ Cody outlined here: http://wiki.zimbra.com/wiki/Ajcody-Logging#Single_Server_Setup. I was able to get some of the logging info over to the central logging server, but "auth.*" doesn't seem to capture info sent to audit.log. I came across a Zimbra forum post from a couple years ago where a couple people were trying to accomplish this same thing and none had seemed to have found the trick. Has anyone out there figured out how to accomplish this?
BTW - our servers are Red Hat 5-64 bit and we are on ZCS 7.2.0 NE. I have a ticket open with Zimbra, but wanted to throw it out to the community also.
Thanks,
Tim Ross
Application Administrator
Enterprise Applications Group
Cal Poly State University, San Luis Obispo