Hi,
Thanks to this post viewtopic.php?f=15&t=61294 from JDunphy and also the project I'm working on right now (migration from 8.0.9 to 8.8.9), I started playing around with the logging of failed auths, but as usual, I have more doubts than answers.
In /opt/zimbra/log/audit.log I can identify authentication failures for the following components:
In all of these, I also parse for "invalid" as part of the "invalid password" error + the protocol itself.
- WebDav (parsing for protocol=http_dav)
- Zextras mobile (parsing for protocol=zsync)
- IMAP(s) (parsing for protocol=imap)
- POP(s) (parsing for protocol=pop)
- HTTP(s) (parsing for ua=zclient)
- SMTP (parsing for oproto=smtp)
In /opt/zimbra/log/mailbox.log
- DoSFilter suspended IPs (parsing for "suspended, for repeated failed login")
- Jetty login policy (parsing for "account lockout")
In /var/log/zimbra.log
- Relay access denied (parsing for "Relay access denied")
- SASL PLAIN auth fails (parsing for "SASL PLAIN authentication failed")
1. Which ones am I missing?
2. Am I duplicating some of them? (Like maybe it is not necessary to parse for the "SASL PLAIN" ones, as they are visible in other logs that are already parsed.)
3. The fewer logs I have to parse the better; could I reduce the number of logs being parsed?
Thanks!
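One way to check the second and third questions empirically, as an added example that is not part of the original post or of Zimbra itself: classify lines from the three log files with exactly the strings listed above, then group the resulting events by source IP. An IP that shows up under more than one category (for example both an audit.log SMTP failure and a zimbra.log SASL failure, or an IMAP failure followed by a DoSFilter suspension) is a candidate for deduplication; a category that never fires on your own logs is a candidate for dropping. The sample lines below are constructed approximations of the three files' formats, not copied from a real Zimbra installation, and the IP-extraction regex and the `read_log` helper are my assumptions.

```python
import re
from collections import Counter, defaultdict

# Patterns taken from the post (the strings it says it parses for).
AUDIT_RULES = [
    ("webdav", "protocol=http_dav"),
    ("zsync", "protocol=zsync"),
    ("imap", "protocol=imap"),
    ("pop", "protocol=pop"),
    ("http", "ua=zclient"),
    ("smtp", "oproto=smtp"),
]
AUDIT_FAIL = re.compile(r"invalid", re.IGNORECASE)   # "invalid password" marker
MAILBOX_RULES = [
    ("dosfilter", "suspended, for repeated failed login"),
    ("lockout", "account lockout"),
]
ZIMBRA_RULES = [
    ("relay_denied", "Relay access denied"),
    ("sasl_plain_fail", "SASL PLAIN authentication failed"),
]
# Assumption: client IPs appear as "ip=", "oip=", "IP <addr>" or "host[<addr>]".
IP_RE = re.compile(r"(?:\bip=|\boip=|\bIP |\[)(\d{1,3}(?:\.\d{1,3}){3})")


def classify(source, line):
    """Map one log line to an event category, or None if it is not a failed auth."""
    if source == "audit":
        if not AUDIT_FAIL.search(line):          # only "invalid ..." lines count
            return None
        rules = AUDIT_RULES
    elif source == "mailbox":
        rules = MAILBOX_RULES
    else:
        rules = ZIMBRA_RULES
    for name, needle in rules:
        if needle in line:
            return name
    return None


def extract_ip(line):
    m = IP_RE.search(line)
    return m.group(1) if m else None


def summarize(events):
    """events: iterable of (source, line). Returns counts per category and categories per IP."""
    counts = Counter()
    by_ip = defaultdict(set)
    for source, line in events:
        cat = classify(source, line)
        if cat is None:
            continue
        counts[cat] += 1
        ip = extract_ip(line)
        if ip:
            by_ip[ip].add(cat)
    return {"counts": dict(counts),
            "by_ip": {ip: sorted(cats) for ip, cats in by_ip.items()}}


def multi_source_ips(summary):
    """IPs seen under more than one category: where two parsers may be reporting the same attacker."""
    return {ip: cats for ip, cats in summary["by_ip"].items() if len(cats) > 1}


def read_log(source, path):
    """Yield (source, line) pairs from a real file, e.g. read_log('audit', '/opt/zimbra/log/audit.log')."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            yield source, line.rstrip("\n")


# Constructed sample lines (approximate formats, not real Zimbra output).
SAMPLE = [
    ("audit", "2024-05-01 10:00:01,123 WARN  [ImapServer-5] [ip=203.0.113.5;oip=203.0.113.5;] security - "
              "cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed, invalid password;"),
    ("audit", "2024-05-01 10:00:03,456 WARN  [ImapServer-5] [ip=203.0.113.5;oip=203.0.113.5;] security - "
              "cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed, invalid password;"),
    ("audit", "2024-05-01 10:00:05,789 WARN  [qtp-42] [ip=198.51.100.7;ua=zclient/8.8.9;] security - "
              "cmd=Auth; account=alice@example.com; error=authentication failed, invalid password;"),
    ("audit", "2024-05-01 10:00:06,000 INFO  [ImapServer-5] [ip=203.0.113.5;oip=203.0.113.5;] security - "
              "cmd=Auth; account=bob@example.com; protocol=imap; success"),
    ("mailbox", "2024-05-01 10:00:07,000 WARN  [qtp-42] [] misc - IP 203.0.113.5 suspended, for repeated failed login"),
    ("zimbra", "May  1 10:00:09 mail postfix/smtpd[1234]: warning: unknown[192.0.2.9]: "
               "SASL PLAIN authentication failed: authentication failure"),
    ("zimbra", "May  1 10:00:10 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: "
               "454 4.7.1 <x@y.example>: Relay access denied;"),
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("per category:", report["counts"])
    print("IPs hit by more than one parser:", multi_source_ips(report))
```

On real data, chain the three files together (`summarize(itertools.chain(read_log("audit", ...), read_log("mailbox", ...), read_log("zimbra", ...)))`) and look at `multi_source_ips`: if every SASL PLAIN failure IP also appears under the audit.log SMTP category, the SASL rule is redundant for your setup; if some appear only under one, both rules are still earning their keep.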