audit.log to syslog

captainmish
Advanced member
Posts: 91
Joined: Fri Sep 12, 2014 10:29 pm

Post by captainmish »

Hello
We currently log all of the Zimbra syslog stuff to a central syslog server, but are missing out on audit.log - useful for a number of reasons, and very useful to have "off local".
Is there any simple way to cause Zimbra to log this data to syslog instead of the file logs/audit.log?
uxbod
Ambassador
Posts: 7811
Joined: Fri Sep 12, 2014 10:21 pm

Post by uxbod »

Are the processes that write to audit.log not controlled by the log4j code within Java? E.g. /opt/zimbra/conf/log4j.properties.in/log4j.properties
captainmish
Advanced member
Posts: 91
Joined: Fri Sep 12, 2014 10:29 pm

Post by captainmish »

Thanks tonster, but audit.log doesn't even touch syslog - I have *.* already logging to the remote. I tried to modify log4j as uxbod mentioned, but having changed /opt/zimbra/conf/log4j.properties.in/log4j.properties, what service needs to be HUP'd or restarted etc. to notice? (Just changing it and waiting doesn't work.)

Thanks,
bonoboslr
Advanced member
Posts: 117
Joined: Fri Sep 12, 2014 11:19 pm

Post by bonoboslr »

Hi - did you come right with this? I am looking to do the same thing. What did you change in /opt/zimbra/conf/log4j.properties.in? Did you have to restart Zimbra?
ppearl
Advanced member
Posts: 114
Joined: Thu May 15, 2014 7:36 am

Post by ppearl »

To not leave this old thread hanging... if you wanted AUDIT info to go to syslog, I believe you would do something like this:

* edit log4j.properties.in and change this line:

log4j.logger.zimbra.security=INFO,AUDIT

to

log4j.logger.zimbra.security=INFO,AUDIT,SYSLOG

* on RHEL edit /etc/sysconfig/syslog and make sure that the SYSLOGD_OPTIONS contains the '-r' option to allow syslog messages over the network (log4j doesn't do unix pipes)
* restart mailboxd - the log4j options are not reread during runtime

Of course, this custom config will likely be overwritten on upgrades, so be sure you save a copy of your config / notes on changes somewhere so you can reapply after an upgrade.
ewilen
Elite member
Posts: 1429
Joined: Fri Sep 12, 2014 11:34 pm

Post by ewilen »

Has anyone ever gotten this to work?
I've tried ppearl's suggestions, also the information at Ajcody-Logging - Zimbra :: Wiki, and a few ideas of my own, such as defining a separate SyslogAppender in log4j.properties.in which points directly to the centralized syslog server.
I've restarted zmconfigdctl, zmmailboxdctl, and zmloggerctl.
(I haven't restarted Zimbra.)
Now I'm thinking it may have to do with this line:

log4j.additivity.zimbra.security=false

Although that doesn't quite make sense based on reading:

* Apache log4j 1.2 - Short introduction to log4j
* Log4j Tutorial: Additivity – what and why? | Veera Sundar
* Log4jXmlFormat - Logging-log4j Wiki

Nope, commenting that out also doesn't do any good.
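
A check for the setup discussed in ppearl's and ewilen's posts above, added here as an example (it is not from the thread or from Zimbra's tooling): it applies log4j 1.2 appender inheritance and additivity rules to a properties file and reports which SyslogAppenders the zimbra.security logger actually reaches. The sample file, the LOGFILE/SYSLOG appender definitions and the function names are constructed for illustration; only plain key=value lines are handled.

```python
# Constructed sample in log4j 1.2 properties syntax; not Zimbra's shipped file.
SAMPLE = """\
# root logger
log4j.rootLogger=INFO,LOGFILE,SYSLOG
log4j.appender.SYSLOG=org.apache.log4j.net.SyslogAppender
log4j.appender.SYSLOG.SyslogHost=localhost
log4j.appender.SYSLOG.Facility=LOCAL0
log4j.appender.AUDIT=org.apache.log4j.FileAppender
log4j.additivity.zimbra.security=false
log4j.logger.zimbra.security=INFO,AUDIT
"""

def parse_properties(text):
    """Parse key=value lines; skip blanks and #/! comments, join backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def effective_appenders(props, logger):
    """Appenders a logger's events reach: its own, then each ancestor's, up to the
    root logger, stopping after the first logger whose additivity is false."""
    names, name = [], logger
    while name:
        spec = props.get("log4j.logger." + name, "")
        names += [p.strip() for p in spec.split(",")[1:] if p.strip()]
        if props.get("log4j.additivity." + name, "true").lower() == "false":
            return names
        name = name.rpartition(".")[0]  # parent logger, "" once past the top
    root = props.get("log4j.rootLogger", "")
    return names + [p.strip() for p in root.split(",")[1:] if p.strip()]

def syslog_targets(text, logger="zimbra.security"):
    """Return {appender name: SyslogHost} for SyslogAppenders the logger reaches."""
    props = parse_properties(text)
    return {a: props.get("log4j.appender." + a + ".SyslogHost", "")
            for a in effective_appenders(props, logger)
            if props.get("log4j.appender." + a, "").endswith("SyslogAppender")}
```

An empty result means no audit events are handed to syslog by that file. The check reads the file only; as ppearl notes, mailboxd has to be restarted before an edited file takes effect, and the check is worth re-running after an upgrade.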
barrydegraaff
Zimbra Employee
Posts: 249
Joined: Tue Jun 17, 2014 3:31 am

Post by barrydegraaff »

In most cases when you want the audit log to appear in syslog you will want to do this for centralized logging.

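You can use the following syntax in /etc/rsyslog.conf on Ubuntu 20:

# Load the file input module
$ModLoad imfile

# File to follow and the syslog tag its lines are sent under
$InputFileName /opt/zimbra/log/audit.log
$InputFileTag zimbra-audit:
# State file in which rsyslog records how far it has read
$InputFileStateFile zimbra-audit
$InputFileSeverity info
$InputFileFacility local0
# Poll the file for new lines every second
$InputFilePollInterval 1
# Activate the monitor defined by the directives above
$InputRunFileMonitor

For a full example please check: https://github.com/Zimbra/elastic-stack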
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
r13e
Posts: 3
Joined: Fri Apr 12, 2019 10:29 am

Post by r13e »

Hey Barry,

unfortunately an error has crept into the config. It must be "InputFileFacility".

$ModLoad imfile

$InputFileName /opt/zimbra/log/audit.log
$InputFileTag zimbra-audit:
$InputFileStateFile zimbra-audit
$InputFileSeverity info
$InputFileFacility local0
$InputFilePollInterval 1
$InputRunFileMonitor

Best

Jan
barrydegraaff
Zimbra Employee
Posts: 249
Joined: Tue Jun 17, 2014 3:31 am


Post by barrydegraaff »

Yes, thanks, I updated the Github Elastic document a while ago, but forgot to update it here.

How is that for faility!

Also from the Elastic guide,

Some logs of Zimbra should already show up. Configure Zimbra Mailbox to send all logs to RSyslog by issuing:

  su zimbra
  zmprov mcf zimbraLogToSysLog TRUE
  zmcontrol restart