Thanks to this post viewtopic.php?f=15&t=61294 from JDunphy and also the project I'm working on right now (migration from 8.0.9 to 8.8.9), I started playing around with the logging of failed auths, but as usual, I have more doubts than answers.
In /opt/zimbra/log/audit.log I can identify authentication failures for the following components:
- WebDav (parsing for protocol=http_dav)
- Zextras mobile (parsing for protocol=zsync)
- IMAP(s) (parsing for protocol=imap)
- POP(s) (parsing for protocol=pop)
- HTTP(s) (parsing for ua=zclient)
- SMTP (parsing for oproto=smtp)
- DoSFilter suspended IPs (parsing for "suspended, for repeated failed login")
- Jetty login policy (parsing for "account lockout")
- Relay access denied (parsing for "Relay access denied")
- SASL PLAIN auth fails (parsing for "SASL PLAIN authentication failed")
In all of these, I also parse for "invalid" as part of the "invalid password" error + the protocol itself.
1. Which ones am I missing?
2. Am I duplicating some of them? (Like maybe it is not necessary to parse for the "SASL PLAIN" ones, as they are visible in other already parsed logs.)
3. The fewer logs I have to parse the better; could I reduce the amount of logs being parsed?
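As an added example (not part of the original post, and not Zimbra's own code), here is a small Python classifier that applies the patterns listed in the post to a handful of constructed log lines. The line formats are approximations of what Zimbra's audit.log and a Postfix smtpd log look like, not copies of real entries; the field names `oip=`, `ip=` and `account=` are assumed. It counts failures per category, aggregates them per source IP the way a ban script would, and reports any line that matches more than one rule, which is the line-level check behind question 2. The rules that the post ties to "invalid password" require the word "invalid" on the same line, so a successful login that merely carries `protocol=imap` is not counted.

```python
import re
from collections import Counter

# Rules reconstructed from the patterns the post lists: (category, token, needs_invalid).
# needs_invalid mirrors the post: the per-protocol rules also need "invalid"
# (from "invalid password") on the same line; the remaining rules are self-contained.
RULES = [
    ("webdav",       "protocol=http_dav", True),
    ("zsync",        "protocol=zsync",    True),
    ("imap",         "protocol=imap",     True),
    ("pop",          "protocol=pop",      True),
    ("http",         "ua=zclient",        True),
    ("smtp",         "oproto=smtp",       True),
    ("dosfilter",    "suspended, for repeated failed login", False),
    ("lockout",      "account lockout",   False),
    ("relay_denied", "Relay access denied", False),
    ("sasl_plain",   "SASL PLAIN authentication failed", False),
]

# Source-IP extraction (assumed field layouts): prefer oip= (the client behind a
# proxy), then a bare ip= field, then a Postfix-style "host[1.2.3.4]" bracket.
IP_PATTERNS = [
    re.compile(r"oip=(\d+(?:\.\d+){3})"),
    re.compile(r"(?<![A-Za-z])ip=(\d+(?:\.\d+){3})"),
    re.compile(r"\[(\d+(?:\.\d+){3})\]"),
]


def classify(line):
    """Return every category whose rule matches the line (normally 0 or 1)."""
    hits = []
    for category, token, needs_invalid in RULES:
        if token in line and (not needs_invalid or "invalid" in line):
            hits.append(category)
    return hits


def source_ip(line):
    """Best-effort source IP of a log line, or None if no pattern matches."""
    for pat in IP_PATTERNS:
        m = pat.search(line)
        if m:
            return m.group(1)
    return None


def summarize(lines, threshold=5):
    """Count failures per category and per source IP.

    Returns (by_category, by_ip, offenders, multi): offenders are IPs with at
    least `threshold` failures; multi lists lines hit by more than one rule,
    each counted once per IP so overlapping rules cannot inflate a ban count.
    """
    by_category = Counter()
    by_ip = Counter()
    multi = []
    for line in lines:
        hits = classify(line)
        if not hits:
            continue
        if len(hits) > 1:
            multi.append((hits, line))
        by_category.update(hits)
        ip = source_ip(line)
        if ip:
            by_ip[ip] += 1
    offenders = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    return by_category, by_ip, offenders, multi


# Constructed sample lines; the formats are approximations, not real log output.
SAMPLE_LOG = """\
2018-05-01 10:00:01,001 WARN  [ImapServer-3] [ip=203.0.113.5;oip=203.0.113.5;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2018-05-01 10:00:02,002 WARN  [Pop3Server-1] [ip=203.0.113.5;oip=203.0.113.5;] security - cmd=Auth; account=alice@example.com; protocol=pop3; error=authentication failed for [alice@example.com], invalid password;
2018-05-01 10:00:03,003 WARN  [qtp-7] [ip=203.0.113.9;oip=203.0.113.9;ua=zclient/8.8.9;] security - cmd=Auth; account=bob@example.com; protocol=soap; error=authentication failed for [bob@example.com], invalid password;
2018-05-01 10:00:04,004 WARN  [qtp-8] [ip=198.51.100.7;oip=198.51.100.7;] security - cmd=Auth; account=carol@example.com; protocol=http_dav; error=authentication failed for [carol@example.com], invalid password;
2018-05-01 10:00:05,005 WARN  [qtp-9] [ip=198.51.100.7;oip=198.51.100.7;] security - cmd=Auth; account=carol@example.com; protocol=zsync; error=authentication failed for [carol@example.com], invalid password;
2018-05-01 10:00:06,006 WARN  [qtp-2] [oip=203.0.113.5;oproto=smtp;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com], invalid password;
2018-05-01 10:00:07,007 WARN  [qtp-4] [ip=203.0.113.5;] security - cmd=Auth; account=alice@example.com; error=account lockout due to too many failed logins;
2018-05-01 10:00:08,008 INFO  [qtp-5] [] security - cmd=DoSFilter; ip=203.0.113.5 suspended, for repeated failed login;
2018-05-01 10:00:09,009 INFO  [ImapServer-4] [ip=192.0.2.10;oip=192.0.2.10;] security - cmd=Auth; account=dave@example.com; protocol=imap;
May  1 10:00:10 mail postfix/smtpd[4242]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
May  1 10:00:11 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 454 4.7.1 <victim@example.net>: Relay access denied; from=<spam@example.org> to=<victim@example.net> proto=ESMTP helo=<x>
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == "__main__":
    cats, ips, offenders, multi = summarize(SAMPLE_LINES, threshold=3)
    print("per category:", dict(cats))
    print("per IP:", dict(ips))
    print("over threshold:", offenders)
    print("lines matching more than one rule:", len(multi))
```

On the constructed input every line matches at most one rule, so `multi` stays empty: the listed patterns do not overlap at the line level. Whether the SASL PLAIN entries duplicate the `oproto=smtp` ones is a different question, since those would be separate lines for the same attempt; that needs correlation on source IP and timestamp rather than a per-line check, and the per-IP counter above is the place to start.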