Deploying Audit Watcher (zmauditswatch) On Zimbra

Zimbra used to ship with an audit watching process (zmauditswatch) that could be configured to send an alert email to administrators when certain bad activity was noted in the logs, like repeated failed logins from a certain IP address, or for a particular mailbox.  The underlying software underwent some changes due to trademark claims by the Swatch watch company, and those changes broke Zimbra’s implementation of zmauditswatch starting in Zimbra 8.7.

It’s really handy to get notifications essentially in near-real time when a user is struggling to log in.  You can proactively reach out to the user to confirm if they are really having a problem, or if it is the start of a brute force attack by a bad actor.  Keep a history of these alerts and you’ll quickly learn (if you don’t already know) which of your users need a little more hand-holding than the others.

In 2018, when I first wrote this article, Zimbra had not officially fixed this, but Zimbra Support guru Rick King (the “King”) took the initiative to propose a fix, which worked really well and which we deployed on our own and on customer on-premises sites with good success.

For some reason here in Summer 2023, Zimbra still apparently is not including a fix with the shipping product, but another longtime and incredibly knowledgeable Zimbra Support team member, Heera Singh Koranga, compiled a Certified Zimbra zmauditswatch wiki with updated code and a more reliable system init script, which we just stumbled upon.

Sidebar Note: “Certified” Zimbra wiki articles undergo a much more rigorous review process, so when you come across one of these and it is verified for your version of Zimbra you should have no stress.

The wiki says it is valid for ZCS 8.7.x, 8.8.x, and 9.0 versions with RHEL/CentOS 7/8 and Ubuntu 16/18, but we have executed the steps in the wiki on Ubuntu 20 systems and it works fine (for us, YMMV…).  The only minor “gotcha” we experience is that the service leaves Zombie “sh” processes hanging about. We haven’t seen any bad effects from this, and you can get rid of the zombie processes just by restarting the zmauditswatch service.

To find any zombie process on your system, as root you can execute:

root@mb23:~# ps aux | egrep "Z|defunct"
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
zimbra    926558  0.0  0.0      0     0 ?        Z    12:03   0:00 [sh] <defunct>
zimbra    926560  0.0  0.0      0     0 ?        Z    12:03   0:00 [sh] <defunct>
root      937434  0.0  0.0   8164  2532 pts/0    S+   12:31   0:00 grep -E --color=auto Z|defunct
root@mb23:~# 

Next, to get the parent process, use one of the PIDs above, and then get info on the parent process itself:

root@mb23:~# ps -o ppid= -p 926558
926542
root@mb23:~# ps -e | grep 926542
926542 ? 00:00:00 perl
root@mb23:~#

In our experience, zombie “sh” processes with a perl parent are typically from zmauditswatch.  If these get bothersome, just restart the service and recheck:

root@mb23:~# systemctl restart zmauditswatch.service && ps aux | egrep "Z|defunct"
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      939432  0.0  0.0   8164  2388 pts/0    S+   12:35   0:00 grep -E --color=auto Z|defunct
root@mb23:~#

As you can see above, the previous zombie “sh” processes are now gone.
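Added example (not from the original post, nor from Zimbra or the Certified wiki): a small POSIX shell script that performs the checks above in one pass. It reads `ps -eo pid=,ppid=,stat=,comm=` output, keeps only rows whose STAT column begins with Z (grepping for a bare "Z" as above also matches any command line containing a capital Z, such as a Zimbra path), groups the zombies by parent PID, and flags parents whose command name is perl, which on a Zimbra mailbox server usually means zmauditswatch. The embedded sample is constructed to mirror the session above (same PIDs); run the script with `--live` to inspect the real process table.

```shell
#!/bin/sh
# Added example (not part of the original post or of Zimbra): find zombie
# processes, group them by parent, and flag parents running perl.
# Expects ps output in the form produced by: ps -eo pid=,ppid=,stat=,comm=

# parse_zombies: stdin = ps rows; stdout = "PID PPID" for rows whose STAT
# column starts with Z (matching the column, not any "Z" anywhere in the line).
parse_zombies() {
    awk '$3 ~ /^Z/ { print $1, $2 }'
}

# count_zombies: stdin = ps rows; stdout = number of zombie rows.
count_zombies() {
    parse_zombies | wc -l | tr -d ' '
}

# comm_of PID: stdin = ps rows; stdout = command name of PID (empty if absent).
comm_of() {
    awk -v pid="$1" '$1 == pid { print $4; exit }'
}

# zombie_parents: stdin = ps rows; stdout = "PPID COUNT" per parent, sorted.
zombie_parents() {
    parse_zombies | awk '{ n[$2]++ } END { for (p in n) print p, n[p] }' | sort -n
}

# report_zombies: stdin = ps rows; stdout = one line per zombie naming its
# parent's command, with a hint when the parent is perl (zmauditswatch is a
# perl process, so that is the usual culprit on a Zimbra mailbox server).
report_zombies() {
    rows=$(cat)
    printf '%s\n' "$rows" | parse_zombies | while read -r pid ppid; do
        pcomm=$(printf '%s\n' "$rows" | comm_of "$ppid")
        hint=""
        if [ "$pcomm" = "perl" ]; then
            hint=" <- perl parent, probably zmauditswatch; 'systemctl restart zmauditswatch.service' reaps it"
        fi
        printf 'zombie %s parent %s (%s)%s\n' "$pid" "$ppid" "${pcomm:-exited}" "$hint"
    done
}

# Constructed sample mirroring the session in the post (same PIDs), in the
# column order pid ppid stat comm.
SAMPLE_PS='926558 926542 Z sh
926560 926542 Z sh
926542 1 S perl
937434 1234 S+ grep'

# With --live, inspect the real process table; otherwise demonstrate on the sample.
if [ "${1:-}" = "--live" ]; then
    ps -eo pid=,ppid=,stat=,comm= | report_zombies
else
    printf '%s\n' "$SAMPLE_PS" | report_zombies
fi
```

Because every function reads the process table from stdin, the same logic can be run against a saved `ps` capture from a ticket as easily as against the live system, and `zombie_parents` gives a quick count per parent so a steadily growing number under one perl PID stands out before it matters.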

Zombie processes use minimal resources and are not harmful in themselves; the exception is when they pile up in very large numbers (on the order of 32K), at which point they can exhaust the system’s range of process IDs.  You can learn more about Zombie processes here.

If you need help implementing zmauditswatch in your Zimbra environment, or with anything else Zimbra, feel free to start the conversation by completing the form below.

Hope that helps,
L. Mark Stone
Mission Critical Email
17 May 2018
Updated: 29 June 2023

The information provided in this blog is intended for informational and educational purposes only. The views expressed herein are those of Mr. Stone personally. The contents of this site are not intended as advice for any purpose and are subject to change without notice. Mission Critical Email makes no warranties of any kind regarding the accuracy or completeness of any information on this site, and we make no representations regarding whether such information is up-to-date or applicable to any particular situation. All copyrights are reserved by Mr. Stone. Any portion of the material on this site may be used for personal or educational purposes provided appropriate attribution is given to Mr. Stone and this blog.