lockout report daemon monitors and emails admin

Posted: Mon Feb 01, 2016 9:55 am
by howanitz
I have been getting user accounts locked out due to malicious attempts (e.g. dictionary attacks), and would typically only find out when I got a call from the affected user that they could no longer access their account. I created this script to monitor the logs for lockout events, and then to send me an alert email - so at least I would have a good answer ready when I get the call. I have been using this for a few months now, and it seems to work well, although it has only been tested with Ubuntu 14.04 and Zimbra NE 8.6.
If you use it, I will be interested to hear how it works for you. You should only have to replace the two email addresses.
To get it to start on boot, I added the following line to the server's /etc/crontab:
# start email lockout report on boot
@reboot root /root/bin/lockout_report
and here is the monitor script itself:
#!/bin/bash
# email lockout report to sysadmin for review
# -F follows the file across log rotation, -n0 starts from the current end
# so old lockouts are not re-reported when the daemon starts
tail -Fn0 /opt/zimbra/log/audit.log |
while IFS= read -r line ; do
    # only act on audit lines that record an account lockout
    case "$line" in
    *"error=account lockout"*)
        # prep log file for emailing (sendmail -t reads the recipient from the headers)
        {
            echo "to:support@example.com"
            echo "from:root@mail.example.com"
            echo "subject:Account LOCKOUT report :: zimbra"
            echo "Created on $(date)"
            echo "++++++++++++"
            echo "Account lockouts"
            echo "$line"
        } > /var/log/tmp_lockout
        # mail report
        /opt/zimbra/postfix/sbin/sendmail -t < /var/log/tmp_lockout
        ;;
    esac
done
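The script above mails one message per matching line, so a dictionary attack that locks out several accounts in a row produces a burst of near-identical emails. The following is an added example, not code from the post: it applies the same "error=account lockout" filter to a batch of audit lines and summarises lockouts per account with the source IPs seen, in the header format the post's sendmail -t call expects. The sample log lines are constructed for this example, and the account= and oip= field names are assumptions about the audit.log layout, not something the post confirms.

```shell
#!/bin/bash
# Added example: summarise Zimbra-style lockout lines instead of mailing each one.

# Constructed sample audit lines. Only the "error=account lockout" marker comes
# from the post; the account=/oip= fields are assumed for this example.
SAMPLE_LOG='2016-02-01 09:50:01,101 INFO  [qtp-1] security - cmd=Auth; account=alice@example.com; oip=198.51.100.7; error=authentication failed;
2016-02-01 09:50:05,212 WARN  [qtp-2] security - cmd=Auth; account=alice@example.com; oip=198.51.100.7; error=account lockout;
2016-02-01 09:50:09,330 WARN  [qtp-3] security - cmd=Auth; account=bob@example.com; oip=203.0.113.9; error=account lockout;
2016-02-01 09:51:14,451 INFO  [qtp-4] security - cmd=Auth; account=carol@example.com; oip=192.0.2.5; protocol=soap;
2016-02-01 09:52:20,562 WARN  [qtp-5] security - cmd=Auth; account=alice@example.com; oip=198.51.100.8; error=account lockout;'

# field KEY LINE: print the value of a "KEY=value;" pair in LINE (empty if absent).
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^;]*\);.*/\1/p"
}

# lockout_summary: read audit lines on stdin, keep only lockout events and
# print "count account ip1,ip2,..." sorted by count (descending) then account.
lockout_summary() {
    grep -F 'error=account lockout' |
    while IFS= read -r line; do
        printf '%s\t%s\n' "$(field account "$line")" "$(field oip "$line")"
    done |
    awk -F '\t' '
        {
            count[$1]++
            k = $1 SUBSEP $2
            if (!(k in seen)) {
                seen[k] = 1
                ips[$1] = (ips[$1] == "" ? $2 : ips[$1] "," $2)
            }
        }
        END { for (a in count) printf "%d %s %s\n", count[a], a, ips[a] }
    ' | sort -k1,1nr -k2,2
}

# build_report TO FROM: wrap the summary on stdin in headers suitable for
# "sendmail -t" (the addresses are placeholders, as in the post).
build_report() {
    printf 'To: %s\nFrom: %s\nSubject: Account LOCKOUT report :: zimbra\n\n' "$1" "$2"
    printf 'Created on %s\n' "$(date)"
    printf 'Lockouts seen (count, account, source IPs):\n'
    cat
}

# Stand-alone run: print the report that would be piped into sendmail -t.
printf '%s\n' "$SAMPLE_LOG" | lockout_summary |
    build_report support@example.com root@mail.example.com
```

On a live system the summary would be fed from a time window of the log (for example the lines collected since the last report) and piped into /opt/zimbra/postfix/sbin/sendmail -t in place of the final printf, which keeps one email per interval and shows at a glance whether the lockouts share a source address.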