Solution to replace the useless zmauditswatch

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Advanced member
Advanced member
Posts: 151
Joined: Thu Feb 27, 2014 8:40 pm

Solution to replace the useless zmauditswatch

Postby bhwong » Fri Mar 10, 2017 4:12 am

I have found a workable solution to the problem with zmauditswatch mentioned here: viewtopic.php?f=15&t=59899&p=268994&hilit=zmauditswatch#p268994. Thanks to Amit Kumar Singh from Zimbra Support for his guidance in getting this up!

The command to quickly compile and show the top 10 IP addresses where the hacking is origin from, so that you can quickly input these IP addresses into your firewall to block them to locking your users up:

Code: Select all

cat /var/log/zimbra.log | grep "authentication failure" | cut -d ' ' -f 7 | sort | uniq -c | sort -nr | head

zmauditswatch is not useful as it doesn't reveal the source of hacking for me to be able to block them in my firewall. The IP address it shows is always my internal Zimbra IP address instead of the hacker IP address.

The hacker IP address is actually logged in zimbra.log. Thus, I hope Zimbra development team can improve on zmauditswatch by retrieving the right information from zimbra.log instead of looking at the wrong place from mailbox.log.

Return to “Administrators”

Who is online

Users browsing this forum: Google [Bot] and 22 guests