Logging of auth failures, accounts locked and ips blocked/suspended

pup_seba
Outstanding Member
Posts: 506
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Postby pup_seba » Sun Nov 04, 2018 6:25 pm

Hi,

Thanks to this post viewtopic.php?f=15&t=61294 from JDunphy and also the project I'm working on right now (migration from 8.0.9 to 8.8.9), I started playing around with the logging of failed auths, but as usual, I have more doubts than answers.

In /opt/zimbra/log/audit.log I can identify authentication failures for the following components:
In all of these, I also parse for "invalid" as part of the "invalid password" error + the protocol itself.
- WebDav (parsing for protocol=http_dav)
- Zextras mobile (parsing for protocol=zsync)
- IMAP(s) (parsing for protocol=imap)
- POP(s) (parsing for protocol=pop)
- HTTP(s) (parsing for ua=zclient)
- SMTP (parsing for oproto=smtp)

In /opt/zimbra/log/mailbox.log
- DoSFilter suspended IPs (parsing for "suspended, for repeated failed login")
- Jetty login policy (parsing for "account lockout")

In /var/log/zimbra.log
- Relay access denied (parsing for "Relay access denied")
- SASL PLAIN auth fails (parsing for "SASL PLAIN authentication failed")

1. Which ones am I missing?
2. Am I duplicating some of them? (Maybe it is not necessary to parse for the "SASL PLAIN" ones, as they are visible in other logs that are already parsed.)
3. The fewer logs I have to parse the better; could I reduce the number of logs being parsed?

Thanks!


Sebastián Greco
Infrastructure Developer @https://www.essiprojects.com/
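The following is an added example (not code from this thread or from Zimbra) that turns the markers listed in the post into a small classifier and then looks for the overlap asked about in question 2. The rules are the poster's own substring markers per file; everything else is an assumption: the sample log lines are constructed, the field layout (the `oip=`, `name=`/`account=` fields and the log4j vs. syslog timestamp shapes) is assumed, and the year for syslog lines is fixed because they carry none. The overlap function pairs events from different files for the same source IP within a short window; a rule pair that overlaps on nearly every hit is a candidate for dropping one of the two, which is something the admin can measure on real logs instead of guessing.

```python
"""Classify Zimbra auth-failure log lines per file and find cross-file overlap.

Added example, not code from the forum thread or from Zimbra. SAMPLE_LOGS are
constructed lines whose exact field layout is an assumption.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_YEAR = 2018  # syslog lines carry no year; assumed for the sample data

# (source file, markers that must all appear in the line, category)
# audit.log rules also require "invalid" (from "invalid password"), as in the post.
RULES = [
    ("audit.log", ("protocol=http_dav", "invalid"), "auth_fail/webdav"),
    ("audit.log", ("protocol=zsync", "invalid"), "auth_fail/zsync"),
    ("audit.log", ("protocol=imap", "invalid"), "auth_fail/imap"),
    ("audit.log", ("protocol=pop", "invalid"), "auth_fail/pop"),
    ("audit.log", ("ua=zclient", "invalid"), "auth_fail/http"),
    ("audit.log", ("oproto=smtp", "invalid"), "auth_fail/smtp"),
    ("mailbox.log", ("suspended, for repeated failed login",), "dosfilter/suspended"),
    ("mailbox.log", ("account lockout",), "lockout"),
    ("zimbra.log", ("Relay access denied",), "relay_denied"),
    ("zimbra.log", ("SASL PLAIN authentication failed",), "auth_fail/sasl_plain"),
]

# Field extraction; field names are assumptions about the log layout.
OIP_RE = re.compile(r"oip=(\d{1,3}(?:\.\d{1,3}){3})")
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
ACCOUNT_RE = re.compile(r"(?:name|account)=([^;\]\s]+)")
LOG4J_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
SYSLOG_TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")

# Constructed sample lines (not real Zimbra output).
SAMPLE_LOGS = {
    "audit.log": [
        "2018-11-04 18:25:01,112 WARN  [ImapServer-5] [oip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;",
        "2018-11-04 18:25:03,440 WARN  [qtp-12] [name=bob@example.com;oip=198.51.100.9;ua=zclient/8.8.9;] security - cmd=Auth; account=bob@example.com; protocol=soap; error=authentication failed for [bob@example.com], invalid password;",
        "2018-11-04 18:25:05,001 WARN  [LmtpServer-1] [oip=203.0.113.7;oproto=smtp;] security - cmd=Auth; account=alice@example.com; error=authentication failed for [alice@example.com], invalid password;",
        "2018-11-04 18:25:06,300 INFO  [ImapServer-5] [oip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=imap;",
    ],
    "mailbox.log": [
        "2018-11-04 18:25:10,777 WARN  [qtp-3] [] DoSFilter - client 203.0.113.7 suspended, for repeated failed login",
        "2018-11-04 18:25:12,000 WARN  [ImapServer-5] [name=alice@example.com;oip=203.0.113.7;] account - account lockout for alice@example.com",
    ],
    "zimbra.log": [
        "Nov  4 18:25:05 mail postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure",
        "Nov  4 18:25:20 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.33]: 454 4.7.1 <victim@example.org>: Relay access denied;",
    ],
}


def parse_timestamp(line):
    """Parse a log4j-style or syslog-style timestamp at the start of the line."""
    m = LOG4J_TS_RE.match(line)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    m = SYSLOG_TS_RE.match(line)
    if m:
        compact = " ".join(m.group(1).split())  # collapse "Nov  4" to "Nov 4"
        return datetime.strptime(f"{SAMPLE_YEAR} {compact}", "%Y %b %d %H:%M:%S")
    return None


def classify(source, line):
    """Return an event dict if the line matches a rule for this file, else None."""
    for src, markers, category in RULES:
        if src == source and all(marker in line for marker in markers):
            ip = OIP_RE.search(line) or IP_RE.search(line)
            acct = ACCOUNT_RE.search(line)
            return {
                "source": source,
                "category": category,
                "ts": parse_timestamp(line),
                "ip": ip.group(1) if ip and ip.re is OIP_RE else (ip.group(0) if ip else None),
                "account": acct.group(1) if acct else None,
            }
    return None


def scan(lines_by_source):
    """Classify every line of every file; successes and unrelated lines drop out."""
    return [ev for src, lines in lines_by_source.items()
            for ev in (classify(src, ln) for ln in lines) if ev]


def category_counts(events):
    return Counter(ev["category"] for ev in events)


def overlap_candidates(events, window_seconds=60):
    """Count category pairs seen from DIFFERENT files for the same IP within the window.

    A pair that fires on almost every hit suggests one rule is redundant (question 2).
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev["ip"] and ev["ts"]:
            by_ip[ev["ip"]].append(ev)
    pairs = Counter()
    for evs in by_ip.values():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if (b["ts"] - a["ts"]).total_seconds() > window_seconds:
                    break
                if a["source"] != b["source"]:
                    pairs[tuple(sorted((a["category"], b["category"])))] += 1
    return pairs


if __name__ == "__main__":
    evs = scan(SAMPLE_LOGS)
    for cat, n in sorted(category_counts(evs).items()):
        print(f"{n:3d}  {cat}")
    for pair, n in overlap_candidates(evs).most_common():
        print(f"overlap x{n}: {pair[0]}  <->  {pair[1]}")
```

On a real host you would feed `scan()` the tails of the three files instead of SAMPLE_LOGS; the substring rules are deliberately as loose as the grep patterns in the post, so anything that matches here would match those greps too.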
