For anybody who is interested I have started to put together a collection of OSSEC rules for Zimbra; and will hopefully find there way onto the Zimbra :: Wiki in the not too distance future.

Once OSSEC has been installed one needs to update the decoder rules, on the OSSEC hub, located <ossec_path>/etc/local_decoder.xml
Code:
<!--
  Zimbra OSSEC
-->

<decoder name="zimbra">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d+ WARN|INFO</prematch>
</decoder>

<decoder name="zimbra-preauth-failed">
  <parent>zimbra</parent>
  <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+; error=authentication failed for \S+, preauth mismatch;$</prematch>
  <regex>[name=(\S+);ip=(\d+.\d+.\d+.\d+);]</regex>
  <order>user, srcip</order>
</decoder>

<decoder name="zimbra-preauth-passed">
  <parent>zimbra</parent>
  <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+;$</prematch>
  <regex>[name=(\S+);ip=(\d+.\d+.\d+.\d+);]</regex>
  <order>user, srcip</order>
</decoder>

<decoder name="zimbra-unknown-account">
  <parent>zimbra</parent>
  <prematch offset="after_parent">account not found$</prematch>
  <regex>[oip=(\d+.\d+.\d+.\d+);\S+] SoapEngine - handler exception: authentication failed for (\S+),</regex>
  <order>srcip, user</order>
</decoder>

<decoder name="zimbra-invalid-password">
  <parent>zimbra</parent>
  <prematch offset="after_parent">invalid password$</prematch>
  <regex>[name=(\S+);oip=(\d+.\d+.\d+.\d+);\S+]</regex>
  <order>user, srcip</order>
</decoder>
now we have to tell OSSEC about the rules we wish to generate so one would update <ossec_path>/rules/local_rules.xml
Code:
<!-- Zimbra Rules -->

<group name="zimbra,">

  <rule id="100100" level="0">
    <decoded_as>zimbra</decoded_as>
    <description>Zimbra Messages Grouped</description>
  </rule>

  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <match>account not found$</match>
    <description>Account Unknown</description>
    <group>account_unknown,zimbra_failures,</group>
  </rule>

  <rule id="100102" level="3">
    <if_sid>100100</if_sid>
    <match>invalid password$</match>
    <description>Invalid Password</description>
    <group>invalid_password,</group>
  </rule>

  <rule id="100103" level="5">
    <if_sid>100100</if_sid>
    <match>preauth mismatch;$</match>
    <description>Preauth Mismatch</description>
    <group>preauth_mismatch,zimbra_failures,</group>
  </rule>

  <rule id="100104" level="5">
    <if_sid>100100</if_sid>
    <match>cmd=PreAuth</match>
    <description>Preauth Passed</description>
    <group>preauth_passed,zimbra_passed,</group>
  </rule>

<!-- Correlated rules -->

  <rule id="100110" level="8" frequency="5" timeframe="60">
    <if_matched_group>zimbra_failures</if_matched_group>
    <same_source_ip />
    <description>Zimbra Potential Brute Force Attack</description>
  </rule>

 <rule id="100111" level="8" frequency="5" timeframe="60">
    <if_matched_group>zimbra_passed</if_matched_group>
    <same_source_ip />
    <description>Zimbra Excessive Pre-Authentication Passes</description>
  </rule>

</group>
One must also inform OSSEC to monitor the necessary Zimbra files which is actioned by updating, on the OSSEC hub, the file <ossec_path>/etc/shared/agent.conf
Code:
<agent_config name = "whatever_you_called_your_zimbra_server">
<localfile>
<location>/opt/zimbra/log/mailbox.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/zimbra/log/audit.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/log/zimbra.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>
One will then need to restart OSSEC on the hub
Code:
service ossec restart
and on the remote Zimbra node using
Code:
<ossec_path>/bin/agent_control -l
which will list the installed agents; and then using the ID allocated to the Zimbra server
Code:
<ossec_path>/bin/agent_control -R <ID>