Logging for deleted email accounts in the Zimbra Admin GUI

loganw12
Posts: 2
Joined: Thu May 25, 2023 11:59 am

Logging for deleted email accounts in the Zimbra Admin GUI

Post by loganw12 »

Hello!

Someone last week on 5/18 unintentionally (or so we hope) deleted an email account that should not have been deleted. I am trying to locate the person who did it. Are there any logs stored anywhere that would show who deleted the email account from the Zimbra Admin center?

Apologies if this is a dumb question but I am very new to administering Zimbra :) Thank you!
karl.b
Zimbra Employee
Posts: 37
Joined: Tue Aug 02, 2022 3:31 pm

Re: Logging for deleted email accounts in the Zimbra Admin GUI

Post by karl.b »

Not a dumb request at all. With Zimbra an end-user can't delete an account, only users who can access the Zimbra administrative tools zmprov or Admin Console. From within those tools, when the delete occurs, it will log the request to do so in /opt/zimbra/log/mailbox.log. Here's an example:

2023-05-25 22:01:00,820 INFO [qtp335471116-15970:https:https://localhost:7071/service/admin/soap/DeleteAccountRequest] [name=zimbra;ua=zmprov/8.8.8_GA_2009;soapId=55d55705;] soap - Proxying request: ProxiedAccountPath=id reason: onLocalSvr=false isLocal=false target=mailstore-02.xyzcorp.com localhost=mailstore-01.xyzcorp.com account=kbtest10@xyzcorp.com.

...where the account deleted was kbtest10@xyzcorp.com. So we know the time this processed was 2023-05-25 22:01:00 - so you have to sort of investigate from there. Who logged into the Linux host on which Zimbra runs, sometime before then? Check /var/log/secure. Unfortunately, if multiple people can log into the Linux host as root (i.e. they know the root password) and you are not forcing sudo access, this will be challenging. Similarly, if multiple people know the Zimbra admin account and password, then every logged entry will simply be the same admin account.

More importantly - do you have Zimbra backups running? If so you can likely get the account back - google "zimbra zmrestore" and you can find instructions.
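Added example, not part of the thread and not Zimbra's own code: a small Python parser that pulls every DeleteAccountRequest entry out of mailbox.log lines in the format quoted above and reports the time, the requesting account, the client and the deleted address. The function names, the `requested_by` label for the `name=` field and the second sample line are assumptions made for illustration; `read_log` also accepts gzip-compressed copies in case older logs have been rotated.

```python
import gzip
import re

# Constructed sample: line 1 is the entry quoted in the post above; line 2 is a
# made-up non-delete request, included only to show that it is filtered out.
SAMPLE_LOG = (
    "2023-05-25 22:01:00,820 INFO [qtp335471116-15970:https:https://localhost:7071"
    "/service/admin/soap/DeleteAccountRequest] [name=zimbra;ua=zmprov/8.8.8_GA_2009;"
    "soapId=55d55705;] soap - Proxying request: ProxiedAccountPath=id reason: "
    "onLocalSvr=false isLocal=false target=mailstore-02.xyzcorp.com "
    "localhost=mailstore-01.xyzcorp.com account=kbtest10@xyzcorp.com.\n"
    "2023-05-25 22:01:05,113 INFO [qtp335471116-15971:https:https://localhost:7071"
    "/service/admin/soap/GetAccountRequest] [name=zimbra;ua=zmprov/8.8.8_GA_2009;"
    "soapId=55d55706;] soap - constructed filler line\n"
)

# timestamp,millis LEVEL [thread:request-url] [key=value;...] message
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+\w+\s+"
                     r"\[([^\]]*)\]\s+\[([^\]]*)\]\s+(.*)$")
# Stop at the last word character so the sentence-ending "." is not captured.
ACCOUNT_RE = re.compile(r"\baccount=(\S+@[\w.-]*\w)")

def find_account_deletions(lines, account=None):
    """Return one dict per DeleteAccountRequest entry, optionally for one account."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m.group(2).endswith("/DeleteAccountRequest"):
            continue
        ts, _thread, ctx_raw, msg = m.groups()
        # Context block: name=<requesting account>;ua=<client>;soapId=<id>;
        # (treating name= as the requesting account is an assumption)
        ctx = dict(kv.split("=", 1) for kv in ctx_raw.split(";") if "=" in kv)
        target = ACCOUNT_RE.search(msg)
        deleted = target.group(1) if target else None
        if account and deleted != account:
            continue
        hits.append({"time": ts, "requested_by": ctx.get("name"),
                     "client": ctx.get("ua"), "soap_id": ctx.get("soapId"),
                     "deleted": deleted})
    return hits

def read_log(path):
    """Yield lines from a plain or gzip-compressed (rotated) log file."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        yield from fh

if __name__ == "__main__":
    for hit in find_account_deletions(SAMPLE_LOG.splitlines()):
        print(hit)
```

Against a real server, pass `read_log("/opt/zimbra/log/mailbox.log")` as `lines`; the `ua` value separates zmprov requests from other clients, which tells you whether to correlate with host logins in /var/log/secure.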
loganw12
Posts: 2
Joined: Thu May 25, 2023 11:59 am

Re: Logging for deleted email accounts in the Zimbra Admin GUI

Post by loganw12 »

Thanks for the reply! Yeah, we were able to restore the email account thankfully. Just trying to hunt down which of our users logged into the admin console and deleted it so we can teach them a lesson :D