cscli parsers install firewallservices/zimbra-logs

Parser for the authentication failures Zimbra writes to mailbox.log (admin SOAP and IMAP logins). To feed it, add an acquisition that reads that file and labels its lines with type zimbra, which is what the parser's filter keys on:

---
filenames:
  - /opt/zimbra/log/mailbox.log
labels:
  type: zimbra
Note for multi-server setups: when clients reach the mailbox store through a Zimbra proxy or load balancer on another host, the `oip=` field that the parser reads as source_ip only carries the real client address if the proxy is listed in zimbraMailTrustedIP; otherwise it holds the proxy's own address, and every decision taken from these events would target your proxy instead of the attacker. Declare each proxy as trusted, here for a proxy at 10.30.1.13 (the address used as an example on this page):

zmprov mcf +zimbraMailTrustedIP 10.30.1.13
filter: "evt.Parsed.program startsWith 'zimbra'"
onsuccess: next_stage
#debug: true
name: firewallservices/zimbra-logs
description: "Parse zimbra authentication failures"
nodes:
  - grok:
      pattern: '%{TIMESTAMP_ISO8601:time_local}:[0-9]+,.*%{WORD:proto}://%{HOSTNAME:server}:%{INT:port}/service/admin/soap/(AuthRequest)?\] \[.*oip=%{IP:src_ip}.*\] SoapEngine - handler exception: authentication failed for \[%{NGUSER:user}\]'
      apply_on: message
    statics:
      - target: evt.StrTime
        expression: evt.Parsed.time_local
  - grok:
      pattern: '%{TIMESTAMP_ISO8601:time_local}:[0-9]+,.*%{WORD:proto}://%{HOSTNAME:server}:%{INT:port}/service/admin/soap/(AuthRequest)?\] \[.*name=%{NGUSER:user}.*oip=%{IP:src_ip}.*\] SoapEngine - handler exception'
      apply_on: message
    statics:
      - target: evt.StrTime
        expression: evt.Parsed.time_local
  - grok:
      pattern: '%{TIMESTAMP_ISO8601:time_local}:[0-9]+,.*\[.*oip=%{IP:src_ip}.*\] imap - authentication failed for \[%{NGUSER:user}\]'
      apply_on: message
    statics:
      - target: evt.StrTime
        expression: evt.Parsed.time_local
statics:
  - meta: service
    value: zimbra
  - meta: log_type
    value: zimbra_auth_fail
  - meta: source_ip
    expression: "evt.Parsed.src_ip"
  - meta: user
    expression: "evt.Parsed.user"
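To see what the three grok nodes above actually extract before deploying the parser, here is an added example (not code from the parser or from CrowdSec) that expands the patterns into Python regexes and runs them over constructed mailbox.log lines. The grok library definitions (TIMESTAMP_ISO8601, IP, NGUSER and so on) are simplified stand-ins for the ones CrowdSec ships, and the sample lines are constructed in the mailbox.log layout rather than taken from a real server; the helper tries every node and merges the captures, which is an assumption about node evaluation, but on these lines the overlapping nodes agree so the result would be the same if the engine stopped at the first match.

```python
import re

# Assumption: simplified stand-ins for the grok library patterns that
# CrowdSec ships (grokky). Close enough for these lines, not the exact
# upstream definitions (IP is IPv4 only, NGUSER is an approximation of
# the nginx-style username class).
GROK_LIB = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2})?",
    "WORD": r"\b\w+\b",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*\.?",
    "INT": r"[+-]?[0-9]+",
    "IP": r"(?<![0-9])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9])",
    "NGUSER": r"[A-Za-z0-9.@\-+_%]+",
}

# The three grok.pattern values of firewallservices/zimbra-logs, verbatim.
NODE_PATTERNS = [
    r"%{TIMESTAMP_ISO8601:time_local}:[0-9]+,.*%{WORD:proto}://%{HOSTNAME:server}:%{INT:port}/service/admin/soap/(AuthRequest)?\] \[.*oip=%{IP:src_ip}.*\] SoapEngine - handler exception: authentication failed for \[%{NGUSER:user}\]",
    r"%{TIMESTAMP_ISO8601:time_local}:[0-9]+,.*%{WORD:proto}://%{HOSTNAME:server}:%{INT:port}/service/admin/soap/(AuthRequest)?\] \[.*name=%{NGUSER:user}.*oip=%{IP:src_ip}.*\] SoapEngine - handler exception",
    r"%{TIMESTAMP_ISO8601:time_local}:[0-9]+,.*\[.*oip=%{IP:src_ip}.*\] imap - authentication failed for \[%{NGUSER:user}\]",
]


def grok_to_regex(pattern):
    """Expand %{NAME:field} tokens into named groups. Everything else in a
    grok pattern is already a regular expression and is kept as-is."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), GROK_LIB[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))


COMPILED = [grok_to_regex(p) for p in NODE_PATTERNS]


def parse_line(line):
    """Apply the parser's nodes to one line (the top-level filter on
    evt.Parsed.program is assumed to have passed). Every node is tried and
    the captures merged (assumption, see lead-in); the top-level statics
    then build the meta that scenarios consume. Returns None when no node
    matches, i.e. the line is not a failure this parser knows about."""
    parsed, matched = {}, []
    for idx, rx in enumerate(COMPILED):
        m = rx.search(line)          # grok matching is unanchored
        if m:
            matched.append(idx)
            parsed.update(m.groupdict())
    if not matched:
        return None
    return {
        "matched_nodes": matched,
        "StrTime": parsed["time_local"],
        "meta": {
            "service": "zimbra",
            "log_type": "zimbra_auth_fail",
            "source_ip": parsed["src_ip"],
            "user": parsed["user"],
        },
    }


# Constructed sample lines in the mailbox.log layout (not real log data);
# addresses are documentation ranges plus 10.30.1.13 from the note above.
SAMPLE_LINES = [
    # admin console failure, user only in the trailing brackets -> node 0
    "2024-05-02 09:15:42,118 INFO  [qtp1020391880-4211:https://mail.example.org:7071/service/admin/soap/AuthRequest] [oip=203.0.113.45;ua=zclient/8.8.15_GA_4177;] SoapEngine - handler exception: authentication failed for [admin], account not found",
    # same, with name= in the context block -> nodes 0 and 1 both match
    "2024-05-02 09:16:07,502 INFO  [qtp1020391880-4213:https://mail.example.org:7071/service/admin/soap/AuthRequest] [name=admin;oip=203.0.113.45;ua=zclient/8.8.15_GA_4177;] SoapEngine - handler exception: authentication failed for [admin], invalid password",
    # IMAP failure -> node 2
    "2024-05-02 09:17:55,009 INFO  [ImapServer-12] [name=alice@example.org;ip=10.30.1.13;oip=198.51.100.7;] imap - authentication failed for [alice@example.org]",
    # webmail failure against /service/soap/ rather than /service/admin/soap/:
    # no node matches, the parser does not cover it
    "2024-05-02 09:18:30,771 INFO  [qtp1020391880-4215:https://mail.example.org:8443/service/soap/AuthRequest] [name=bob@example.org;oip=192.0.2.9;] SoapEngine - handler exception: authentication failed for [bob@example.org], invalid password",
    # proxy not in zimbraMailTrustedIP: oip= is the proxy itself, so the
    # parser faithfully reports 10.30.1.13 and a ban would hit the proxy
    "2024-05-02 09:19:01,340 INFO  [ImapServer-13] [name=alice@example.org;ip=10.30.1.13;oip=10.30.1.13;] imap - authentication failed for [alice@example.org]",
]


def parse_all(lines):
    """Run every sample line through the parser model."""
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, parse_all(SAMPLE_LINES)):
        summary = "no match" if result is None else (
            "nodes %s -> %s" % (result["matched_nodes"], result["meta"]))
        print(line[:60] + "...", summary)
```

Two things worth noticing in the output: the first two grok nodes require the literal `/service/admin/soap/` path, so a failed webmail login logged against `/service/soap/` produces no event at all, and time_local stops at the minute because the `:[0-9]+,` that follows the timestamp token claims the seconds; both are the first things to look at if you tune this parser. To check the real parser rather than this approximation against a line from your own mailbox.log, use `cscli explain --log '<line>' --type zimbra`, which prints the event after each parsing stage.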