Information on using zmauditwatch is very scarce on the forums and the documentation only has a brief overview of the feature.

I've configured a failed login policy with the following settings:
Consecutive failed logins allowed: 5
Time to lockout: 1 hour
Time window: 15 minutes

(Please comment if my settings could be improved)

With regards to zmauditwatch I need to set the following:
zmlocalconfig -e zimbra_swatch_notice_user=admin@domain.com
zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
zmlocalconfig -e zimbra_swatch_threshold_seconds=60

Should the zmauditwatch values be the same as those in the failed login policy?

Any recommendations from those of you who use zmauditwatch are much appreciated.

Thanks