
Administrators • tool for audit.log written in perl

Maybe this may help others. A tool to display which methods, including 2FA, our Zimbra users are accessing and the IPs they are coming from on our 9.0 Network version. The code below was generated by a few prompts and only one small section where it needed some help to debug it.

Code:

% zm-audit-log.pl --file=/tmp/myaudit.log
Processing /tmp/myaudit.log...
+--------------------------------+---------------------+-----------------------+--------------------------------------------------------------------+
| Email                          | Last Seen           | Auth Methods          | IP Addresses                                                       |
+--------------------------------+---------------------+-----------------------+--------------------------------------------------------------------+
| Dlastname@example.com          | 2025-01-16 09:02:03 | WebClient             | X.X.X.X                                                            |
| Flastname@example.com          | 2025-01-21 14:30:41 | WebClient             | 174.224.208.9, 174.224.211.89, 174.224.212.99, 174.239.114.245,    |
|                                                                                174.239.121.80, X.X.X.X                                            |
| Fname.Alastname@example.com    | 2025-01-21 00:38:32 | POP3                  | X.X.X.X                                                            |
| archive@example.net            | 2025-01-20 23:38:54 | POP3                  | X.X.X.X                                                            |
| ceo@example.com                | 2025-01-21 00:08:54 | POP3                  | X.X.X.X                                                            |
| dan.Blastname@example.com      | 2025-01-20 19:21:35 | WebClient             | X.X.X.X                                                            |
| JackiY.Clastname@example.com   | 2025-01-21 07:28:47 | WebClient             | X.X.X.X                                                            |
| KaK@example.com                | 2025-01-21 15:26:24 | IMAP                  | X.X.X.X                                                            |
| jKsKe@example.com              | 2025-01-21 22:53:44 | ActiveSync, WebClient | 172.56.100.202, 172.56.100.244, 172.56.100.68, 172.56.101.140,     |
|                                                                                172.56.101.18, 172.56.101.190, 172.56.101.32, 172.56.101.58,       |
|                                                                                172.56.101.88, 172.56.102.100, 172.56.102.106, 172.56.102.108,     |
|                                                                                172.56.102.182, 172.56.102.188, 172.56.102.198, 172.56.102.254,    |
|                                                                                172.56.103.108, 172.56.103.202, 172.56.103.236, 172.56.103.26,     |
|                                                                                172.56.103.90, 172.56.98.102, 172.56.98.106, 172.56.98.126,        |
|                                                                                172.56.98.163, 172.56.98.36, 172.56.98.45, 172.56.98.65,           |
|                                                                                172.56.99.103, 172.56.99.127, 172.56.99.35, 174.211.96.19,         |
|                                                                                35.137.195.0, X.X.X.X                                              |
| michelle.Elastname@example.com | 2025-01-21 06:37:33 | WebClient             | X.X.X.X                                                            |
| name@example.com               | 2025-01-21 00:08:54 | POP3                  | X.X.X.X                                                            |
+--------------------------------+---------------------+-----------------------+--------------------------------------------------------------------+

You can also drill down by user and get more detailed information or specify --all to read in all the audit.log*:

Code:

% ./zm-audit-log.pl --help
Zimbra Audit Log Analyzer version 1.0.1
Usage: ./zm-audit-log.pl [options]
Options:
  --dir=DIR     Specify log directory (default: /opt/zimbra/log)
  --file=FILE   Specify single log file (default: DIR/audit.log)
  --all         Process all audit.log* files in directory
  --user=EMAIL  Show details for specific user
  --list        List all users
  --help        Show this help message
  --version     Show version information

% ./zm-audit-log.pl --user=name@example.com
...

Code can be found here: https://raw.githubusercontent.com/JimDu ... dit-log.pl

Note: I tried to keep the LLM to use only default Perl lib/modules so this should work without any additional software installation.

HTH,

Jim

Statistics: Posted by JDunphy — Fri Jan 31, 2025 3:25 pm
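
Added example, not part of the original post and not taken from the linked script: a core-Perl sketch of the per-account aggregation the post describes (last successful login, protocols used, source IPs). The log line layout, the `error=` marker for failed attempts and the sample lines under `__DATA__` are assumptions constructed for illustration; check them against your own audit.log before relying on the output.

```perl
#!/usr/bin/perl
# Per-account summary of successful auth events from audit.log-style lines.
# ASSUMPTION: lines carry a leading timestamp, a bracketed context with
# ip=/oip= fields, and "cmd=Auth; account=...; protocol=...;" as in the
# constructed samples below. Uses core Perl only.
use strict;
use warnings;

my %seen;    # account => { last => timestamp, proto => {...}, ip => {...} }

while (my $line = <DATA>) {
    next unless $line =~ /\bcmd=Auth;/;    # authentication events only
    next if $line =~ /\berror=/;           # assumed marker of a failed attempt
    my ($ts)   = $line =~ /^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)/ or next;
    my ($acct) = $line =~ /\baccount=([^;\s]+);/              or next;
    my ($proto) = $line =~ /\bprotocol=([^;\s]+);/;
    # Prefer oip (client address as seen in front of a proxy), else ip.
    my ($ip) = $line =~ /[\[;]oip=([^;\]]+);/;
    ($ip) = $line =~ /[\[;]ip=([^;\]]+);/ unless defined $ip;

    # Fold case so Alice@ and alice@ count as one account (a choice made here).
    my $u = $seen{ lc $acct } //= { last => '', proto => {}, ip => {} };
    $u->{last} = $ts if $ts gt $u->{last};    # ISO timestamps sort as strings
    $u->{proto}{ $proto // 'unknown' }++;
    $u->{ip}{ $ip // 'unknown' }++;
}

for my $acct (sort keys %seen) {
    my $u = $seen{$acct};
    printf "%-20s %-19s %-10s %s\n", $acct, $u->{last},
        join(',', sort keys %{ $u->{proto} }),
        join(', ', sort keys %{ $u->{ip} });
}

# Constructed sample lines (documentation address ranges), not real log data.
__DATA__
2025-01-21 14:30:41,102 INFO  [qtp1-101:https://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;oip=192.0.2.10;ua=zclient/9.0.0;] security - cmd=Auth; account=alice@example.com; protocol=soap;
2025-01-21 15:02:07,530 INFO  [qtp1-117:https://mail.example.com/service/soap/AuthRequest] [name=Alice@example.com;oip=198.51.100.7;] security - cmd=Auth; account=Alice@example.com; protocol=soap;
2025-01-21 15:26:24,004 INFO  [ImapSSLServer-12] [ip=10.0.0.5;oip=203.0.113.44;] security - cmd=Auth; account=bob@example.com; protocol=imap;
2025-01-21 15:27:10,911 WARN  [ImapSSLServer-14] [ip=10.0.0.5;oip=203.0.113.99;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;
2025-01-21 00:08:54,250 INFO  [Pop3SSLServer-3] [ip=192.0.2.200;] security - cmd=Auth; account=carol@example.com; protocol=pop3;
```

The sketch reports the raw `protocol=` value rather than labels such as WebClient or ActiveSync, and it does not attempt 2FA detection; how the linked tool derives those is not shown on this page.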


