Jetty access_log off by 10 hours

[pixelplumber]

Hi all, I have been receiving attempted logins from remote IPs (china/brazil) trying to log in rapidly (resulting in account lockouts). The interesting thing is that it seems to be via direct SOAP requests.

This thread seems to detail the method they're using

Account Lockout: How to find IP address of soap - AuthRequest

Any way, a combo of threshold rules and blacklists on the firewall have been good enough to keep them at bay.

I've been correlating this activity by cross referencing the times of the audit log lockout messages against the jetty access log to get the IP of the SOAP request (as they don't seem to show up in the audit log - see other thread).

Yep, I really need to get around to installing splunk or something similar to make this easier....

Today when I started receiving more of these login attempts I noticed that somehow our jetty access_log is now 10 hours off (we're GMT+10). I havn't had to look at this since we upgraded to 6.0.8 so perhaps it occured then. How do you change the time offset for the jetty process logging safely in zimbra?

[pixelplumber]

I still have the same problems after upgrading to 6.0.9. The jetty access logs list the time in each log line as

[23/Nov/2010:23:25:26 +0000]

While the actual result of date command is:
Wed Nov 24 09:26:24 EST 2010

Zimbra admin console lists the correct time (Nov 24), as do zwc. It just seems to be jetty access logs that are set to GMT 0.

I've tried looking at the jetty documentation online, Logging Requests - Jetty - Codehaus and it looks like there is a configuration setting to turn on logging of which timezone is appended to the log line, but I can't see a setting to configure the offset.

Is that something configured by the zimbra web app? I can't find anything in the wiki that helps.

[pixelplumber]

bump. Still have the issue.

Would file a bug, but I'm not sure what to send as corroborating evidence in a bug report.