audit.log to syslog
Hello
We currently log all of the zimbra syslog stuff to a central syslog server, but are missing out on audit.log - useful for a number of reasons, and very useful to have "off local".
Is there any simple way to cause zimbra to log this data to syslog instead of the file logs/audit.log?
audit.log to syslog
Are the processes that write to audit.log not controlled by the log4j code within Java? e.g. /opt/zimbra/conf/log4j.properties.in/log4j.properties
audit.log to syslog
Thanks tonster, but audit.log doesn't even touch syslog - I have *.* already logging to the remote. I tried to modify log4j as uxbod mentioned, but having changed /opt/zimbra/conf/log4j.properties.in/log4j.properties, what service needs to be HUP'd or restarted etc. to notice? (Just changing it and waiting doesn't work.)
Thanks,
audit.log to syslog
Hi - did you come right with this? I am looking to do the same thing. What did you change in /opt/zimbra/conf/log4j.properties.in ? Did you have to restart zimbra?
audit.log to syslog
To not leave this old thread hanging... if you wanted AUDIT info to go to syslog, I believe you would do something like this:
* edit log4j.properties.in and change this line:
log4j.logger.zimbra.security=INFO,AUDIT
to
log4j.logger.zimbra.security=INFO,AUDIT,SYSLOG
* on RHEL edit /etc/sysconfig/syslog and make sure that the SYSLOGD_OPTIONS contains the '-r' option to allow syslog messages over the network (log4j doesn't do unix pipes)
* restart mailboxd - the log4j options are not reread during runtime
Of course, this custom config will likely be overwritten on upgrades so be sure you save a copy of your config / notes on changes somewhere so you can reapply after an upgrade.
audit.log to syslog
Has anyone ever gotten this to work?
I've tried ppearl's suggestions, also the information at Ajcody-Logging - Zimbra :: Wiki, and a few ideas of my own, such as defining a separate SyslogAppender in log4j.properties.in which points directly to the centralized syslog server.
I've restarted zmconfigdctl, zmmailboxdctl, and zmloggerctl.
(I haven't restarted Zimbra.)
Now I'm thinking it may have to do with this line
log4j.additivity.zimbra.security=false
Although that doesn't quite make sense based on reading:
Apache log4j 1.2 - Short introduction to log4j
Log4j Tutorial: Additivity – what and why? | Veera Sundar
Log4jXmlFormat - Logging-log4j Wiki
Nope, commenting that out also doesn't do any good.
Re: audit.log to syslog
In most cases when you want the audit log to appear in syslog you will want to do this for centralized logging.
For full example please check: https://github.com/Zimbra/elastic-stack
You can use the following syntax in /etc/rsyslog.conf on Ubuntu 20:
$ModLoad imfile
$InputFileName /opt/zimbra/log/audit.log
$InputFileTag zimbra-audit:
$InputFileStateFile zimbra-audit
$InputFileSeverity info
$InputFileFacility local0
$InputFilePollInterval 1
$InputRunFileMonitor
I am no longer working on anything Zimbra related.
Re: audit.log to syslog
Hey Barry,
unfortunately an error has crept into the config. It must be "InputFileFacility".
$ModLoad imfile
$InputFileName /opt/zimbra/log/audit.log
$InputFileTag zimbra-audit:
$InputFileStateFile zimbra-audit
$InputFileSeverity info
$InputFileFacility local0
$InputFilePollInterval 1
$InputRunFileMonitor
Best
Jan
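A misspelled legacy directive such as the one corrected above leaves the audit log file without the intended setting, so it is worth linting the fragment before restarting rsyslog. The following POSIX shell check is an added example, not code from the thread or from Zimbra; the helper name `lint_imfile` and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: lint legacy ($-style) imfile directives.

# Legacy imfile directive names, without the leading '$'.
KNOWN="InputFileName InputFileTag InputFileStateFile InputFileFacility \
InputFileSeverity InputFilePollInterval InputRunFileMonitor \
InputFilePersistStateInterval InputFileReadMode InputFileMaxLinesAtOnce \
InputFileBindRuleset"

# lint_imfile FILE (hypothetical helper name)
# Prints one line per problem; returns 0 when clean, 1 otherwise.
lint_imfile() {
    conf=$1
    bad=0        # becomes 1 once any problem is reported
    pending=0    # 1 while a $InputFileName has no $InputRunFileMonitor yet
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '$InputFile'*|'$InputRunFile'*) ;;   # imfile directives only
            *) continue ;;
        esac
        name=${line#?}       # drop the leading '$'
        name=${name%% *}     # keep the directive name, drop its value
        case " $KNOWN " in
            *" $name "*) ;;
            *) echo "$n: unknown imfile directive \$$name"; bad=1 ;;
        esac
        case $name in
            InputFileName) pending=1 ;;
            InputRunFileMonitor) pending=0 ;;
        esac
    done < "$conf"
    if [ "$pending" -eq 1 ]; then
        echo "EOF: \$InputFileName without a following \$InputRunFileMonitor"
        bad=1
    fi
    return "$bad"
}

# Constructed sample reproducing the misspelling corrected in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
$InputFileName /opt/zimbra/log/audit.log
$InputFileFaility local0
$InputRunFileMonitor
EOF
lint_imfile "$sample" || echo "fix the fragment before restarting rsyslog"
rm -f "$sample"
```

On the host itself, `rsyslogd -N1` runs rsyslog's own configuration check and remains the authoritative test.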
Re: audit.log to syslog
Yes, thanks, I updated the Github Elastic document a while ago, but forgot to update it here.
How is that for faility!
Also from the Elastic guide,
Some logs of Zimbra should already show up. Configure Zimbra Mailbox to send all logs to RSyslog by issuing:
su zimbra
zmprov mcf zimbraLogToSysLog TRUE
zmcontrol restart