Information on using zmauditwatch is very scarce on the forums and the documentation only has a brief overview of the feature.
I've configured a failed login policy with the following settings:
Consecutive failed logins allowed: 5
Time to lockout: 1 hour
Time window: 15 minutes
(Please comment if my settings could be improved)
With regards to zmauditwatch I need to set the following:
zmlocalconfig -e firstname.lastname@example.org
zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
zmlocalconfig -e zimbra_swatch_threshold_seconds=60
Should the zmauditwatch values be the same as those in the failed login policy?
Any recommendations from those of you who use zmauditwatch are much appreciated.