Gene Cooper
2005-Feb-25 19:48 UTC
[Samba] Audit Trail/Logging For Network Logons and Logoffs
Hi Folks,

I have searched the archives and the web for this issue, but I haven't found an answer.

I need to be able to log or audit the network access of our network users. This information needs to be used in conjunction with a time and attendance punch clock.

I have seen much discussion of using preexec and postexec for obtaining a network access log. However, my testing has shown this as unreliable. It seems Windows logs in and logs out at (nearly) random and the collected information seems useless as I haven't discovered a useful way to collect or parse the collected information. I have tested on various shares as well.

Surely this has been an issue for many? If so, how have you resolved this problem? Is the solution dependent on a particular version of Samba?

Thanks to all contributors for a truly fine and useful software.

Thanks in advance for all responses.

G

Andrew Bartlett
2005-Mar-01 23:09 UTC
[Samba] Audit Trail/Logging For Network Logons and Logoffs
On Fri, 2005-02-25 at 12:51 -0700, Gene Cooper wrote:
> Hi Folks,
>
> I have searched the archives and the web for this issue, but I haven't found
> an answer.
>
> I need to be able to log or audit the network access of our network users.
> This information needs to be used in conjunction with a time and attendance
> punch clock.
>
> I have seen much discussion of using preexec and postexec for obtaining a
> network access log. However, my testing has shown this as unreliable. It
> seems Windows logs in and logs out at (nearly) random and the collected
> information seems useless as I haven't discovered a useful way to collect or
> parse the collected information. I have tested on various shares as well.

The best you will get is the utmp information, as this is more accurate than the per-share info (due to multiple users of a given share).

I've long proposed to implement 'session exec' scripts for this purpose, but never got around to it (and I don't do Samba3 any more).

However, if you read the discussion that occurred last year on 'preventing multiple simultaneous logons', you will see why this is so, so hard to get right.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

Van Sickler, Jim
2005-Mar-02 17:49 UTC
[Samba] Audit Trail/Logging For Network Logons and Logoffs
On Fri, 2005-02-25 at 12:51 -0700, Gene Cooper wrote:
> Hi Folks,
>
> I have searched the archives and the web for this issue, but I haven't found
> an answer.
>
> I need to be able to log or audit the network access of our network users.
> This information needs to be used in conjunction with a time and attendance
> punch clock.
>
> I have seen much discussion of using preexec and postexec for obtaining a
> network access log. However, my testing has shown this as unreliable. It
> seems Windows logs in and logs out at (nearly) random and the collected
> information seems useless as I haven't discovered a useful way to collect or
> parse the collected information. I have tested on various shares as well.

Are you just looking for logon/logoff times? I think you can put something in the logon/logoff scripts that will do that.

Logon tracking:

    @echo off
    echo %USERNAME% Logon >> \\server\hiddenshare\%USERNAME%.log & date /t >> \\server\hiddenshare\%USERNAME%.log & time /t >> \\server\hiddenshare\%USERNAME%.log

Logoff tracking:

    @echo off
    echo %USERNAME% Logoff >> \\server\hiddenshare\%USERNAME%.log & date /t >> \\server\hiddenshare\%USERNAME%.log & time /t >> \\server\hiddenshare\%USERNAME%.log

I'm not using logoff scripts, but I googled "NT +"logoff scripts"" and came up with a bunch of promising links. They point to either Policy settings or GINA to enable/control logon/logoff settings.

Hope this helps,

Jim Van Sickler
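
The per-user log files written by the logon/logoff scripts in the message above still have to be parsed before they can be compared with a punch clock. The following is an added example, not code from any poster in this thread: it reads the three-line records those scripts append and pairs logons with logoffs, reporting the ones that do not pair. It assumes US-English output from `date /t` and `time /t`, and the user name and timestamps in the sample are constructed.

```python
from datetime import datetime

# Constructed sample of one user's log as the scripts above would append it.
# Assumed formats: `date /t` -> "Fri 02/25/2005", `time /t` -> "08:02 AM".
SAMPLE = """\
gcooper Logon
Fri 02/25/2005
08:02 AM
gcooper Logoff
Fri 02/25/2005
12:01 PM
gcooper Logon
Fri 02/25/2005
12:58 PM
gcooper Logon
Mon 02/28/2005
07:55 AM
"""

def parse_events(text):
    """Turn the three-line records into (user, kind, datetime) tuples."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events = []
    for i in range(0, len(lines) - 2, 3):  # a truncated last record is skipped
        user, kind = lines[i].rsplit(None, 1)
        if kind not in ("Logon", "Logoff"):
            raise ValueError(f"unexpected record header: {lines[i]!r}")
        stamp = datetime.strptime(f"{lines[i+1]} {lines[i+2]}", "%a %m/%d/%Y %I:%M %p")
        events.append((user, kind, stamp))
    return events

def pair_sessions(events):
    """Pair each Logon with the next Logoff; collect records that do not pair."""
    sessions, unmatched, open_at = [], [], None
    for _user, kind, stamp in events:
        if kind == "Logon":
            if open_at is not None:      # previous logon never got a logoff
                unmatched.append(("Logon", open_at))
            open_at = stamp
        elif open_at is None:            # logoff with no logon before it
            unmatched.append(("Logoff", stamp))
        else:
            sessions.append((open_at, stamp))
            open_at = None
    if open_at is not None:              # session still open at end of file
        unmatched.append(("Logon", open_at))
    return sessions, unmatched
```

Each client appends to a file that its own user can write, so these records are best cross-checked against server-side data such as the utmp information mentioned earlier in the thread.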