Hi Zimbra Customers, Partners & Friends,
Based on your feedback we have updated the Zimbra Elastic Stack guide to work with Ubuntu 22 and ELK 8.x! The guide has also been extended with steps on how to send log information from audit.log and nginx access and error logs to Elastic Stack.
With Elastic Stack you can:
- Easily search through and analyze historic logs
- Visualize log events to gather insights
- Store logs for forensic research in case of hacking
- Monitor uptime and certificates
Both Zimbra and Elastic Stack have many components. The diagram below shows you an overview of how the software components work together to make visualizations from raw log files. In the simplest form, you can install Zimbra in a single server set-up and add another server for all the Elastic Stack components. If you plan to scale up, you can split several of the software components across more virtual machines.
A basic Kibana dashboard for a Zimbra server would look like this:
Without Elastic Stack, your server only keeps the most recent log files of events on your Zimbra server. You can configure your system logging to delay the compression and purging of log files, but log files tend to become very large, and there are several log files for various system components. Finding a specific event across all these logs can be time consuming.
Logs parsed by Elastic Stack are searchable, so you don’t have to do command line tricks to find events quickly … and you don’t have to waste time waiting for search results.
Elastic Stack also lets you create visualizations relatively easily, so you can get insights into the vital parameters of your system for:
- Postfix e-mail traffic
- Spam filtering
- Disk usage and load
- CPU and RAM usage
- Security related events such as failed web-UI log-ins, failed SSH login attempts, IMAP and SMTP brute force attempts etc.
This means you can be proactive in dealing with system load issues and security threats.
Using RSyslog to gather your Zimbra server logs has a number of benefits over using Elastic Stack:
- No need to install Elastic Stack agent on your Zimbra servers
- Avoid 3rd party software repositories on your Zimbra servers
- RSyslog centralized logging secures your logs in case they are compromised by hacking
- RSyslog centralized logging is an industry standard for securing logs for forensic researchers
- Maintainability: Elastic Stack is DevOps developed software. This isn’t bad, but things change a lot over time. The mechanisms (Logstash Forwarder/Filebeat) for gathering logs can change significantly. For example, Logstash Forwarder is now deprecated, and the configuration options for Filebeat change often, making it challenging to maintain if you run a Zimbra cluster.
For more information, we have a full guide here: https://github.com/Zimbra/elastic-stack
And a PDF version of the guide here: https://github.com/Zimbra/elastic-stack/releases
Most of the config files and scripts in the guide are available in the Github repository. If you can’t copy-paste directly from the guide, you can retrieve the config files and scripts by downloading them via Github.
Your Zimbra Team