[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: audit.log to syslog



Hi Tim,
  Note that the steps as outlined in AJ Cody's blog will send all syslog events to the 'SYSLOG' logger definition. That definition is for a single syslog facility (e.g. "Mail", "Local0", or "Auth). So if you've configured SYSLOG to go to local0 then your Audit lines will be mixed in with everything else in Local0. If you want your Audit stuff to go somewhere else, define another syslog logger in your log4j.properties. E.g:

log4j.appender.SYSLOG_AUTH=org.apache.log4j.net.SyslogAppender
log4j.appender.SYSLOG_AUTH.SyslogHost=loghost.example.com
log4j.appender.SYSLOG_AUTH.Facility=AUTH
log4j.appender.SYSLOG_AUTH.layout=com.zimbra.common.util.ZimbraPatternLayout
log4j.appender.SYSLOG_AUTH.layout.ConversionPattern=mailboxd: %-5p [%t] [%z] %c{1} - %m

..and change your log4j.logger.zimbra.security line from SYSLOG to SYSLOG_AUTH

(sorry if this was obvious and you've already tried this)


Justin

Thanks for the reply.  Unfortunately, both of those steps are part of the steps that AJ Cody had documented.  I have both those changes set on our server.  Those changes still don't cause the log entries which go to audit.log to be captured by syslog.  Is this working on your Zimbra setup?  If so, did you make any special adjustments to your /etc/syslog.conf file to capture the audit.log info?

Tim Ross
Application Administrator
Enterprise Applications Group
Cal Poly State University, San Luis Obispo
(805)756-6226


From: "Justin Wainwright" <jwain@merit.edu>
To: "zimbra-hied-admins" <zimbra-hied-admins@sfu.ca>
Sent: Friday, December 7, 2012 9:57:57 AM
Subject: Re: audit.log to syslog

Edit /opt/zimbra/conf/log4j.properties and change

log4j.logger.zimbra.security=INFO,AUDIT

to

log4j.logger.zimbra.security=INFO,AUDIT,SYSLOG

(Edit log4j.properties.in as well to make the change permanent)

You can also dump a lot more to syslog by setting zimbraLogToSyslog=TRUE, but this results in zmconfigd doing an automatic mailboxd restart, which may not be desired.


From: "Tim Ross" <tross@calpoly.edu>
To: "zimbra-hied-admins" <zimbra-hied-admins@sfu.ca>
Sent: Friday, December 7, 2012 12:41:47 PM
Subject: audit.log to syslog

We have been attempting to send our /opt/zimbra/log/audit.log info to a central, non-Zimbra logging server for our campus IT security team to monitor for suspicious Zimbra login activity.  I followed the steps AJ Cody outlined here:  http://wiki.zimbra.com/wiki/Ajcody-Logging#Single_Server_Setup.  I was able to get some of the logging info over to the central logging server, but "auth.*" doesn't seem to capture info sent to audit.log.  I came across a Zimbra forum post from a couple years ago where a couple people were trying to accomplish this same thing and none had seemed to have found the trick.  Has anyone out there figured out how to accomplish this?

BTW - our servers are Red Hat 5-64 bit and we are on ZCS 7.2.0 NE.  I have a ticket open with Zimbra, but wanted to throw it out to the community also.

Thanks,

Tim Ross
Application Administrator
Enterprise Applications Group
Cal Poly State University, San Luis Obispo






--
Steve Hillman        IT Architect
hillman@sfu.ca       Institutional, Collaborative, & Academic Technologies (ICAT)
778-782-3960         Simon Fraser University