samba - Sep 2016 - Security event log in samba 4.4.5 domain controller

Hi,


I have samba 4.4.5 configured as AD wortking correctly, now I need to
configure Mcafee Logon Collector to receive security event about user
login, this application requires to read security event log about domain
controller
I have tried to connecto to doamin controller form windows server with
connect as and view event log but any event viewer is showed...

I have tried to configure https://wiki.samba.org/index.php/Event_Logging

smb.conf

 eventlog list = Application System Security SyslogLinux

but we don't see any event log related to pdc, how can I do this?

Thanks

Hi,

Error reproduced is
samba  4 the rpc server is unavailable 0x800706ba

How can I solve?

thanks

2016-09-14 11:38 GMT+02:00 Trenta sis <trenta.sis at gmail.com>:
> Hi,
>
>
> I have samba 4.4.5 configured as AD wortking correctly, now I need to
> configure Mcafee Logon Collector to receive security event about user
> login, this application requires to read security event log about domain
> controller
> I have tried to connecto to doamin controller form windows server with
> connect as and view event log but any event viewer is showed...
>
> I have tried to configure https://wiki.samba.org/index.php/Event_Logging
>
> smb.conf
>
>  eventlog list = Application System Security SyslogLinux
>
> but we don't see any event log related to pdc, how can I do this?
>
> Thanks
>
>

On Wed, 2016-09-14 at 11:38 +0200, Trenta sis via samba
wrote:
> Hi,
> 
> 
> I have samba 4.4.5 configured as AD wortking correctly, now I need to
> configure Mcafee Logon Collector to receive security event about user
> login, this application requires to read security event log about
> domain
> controller
> I have tried to connecto to doamin controller form windows server
> with
> connect as and view event log but any event viewer is showed...
> 
> I have tried to configure https://wiki.samba.org/index.php/Event_Logg
> ing
> 
> smb.conf
> 
>  eventlog list = Application System Security SyslogLinux
> 
> but we don't see any event log related to pdc, how can I do this?
Sadly Samba does not support auditing of logon events via the event log
at the moment. 

Indeed, auditing as a whole topic is sadly not well implemented, it is
hard even to get enough of the right info from our log files.  (Level 2
logs give you most of what you want, but it is poorly structured). 

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Hi,

First of all thanks for your answer.

I have tried to configure https://wiki.samba.org/index.php/Event_Logg but
without success and any log generated...
I have tried to add in smb.conf

 eventlog list = Application System Security SyslogLinux


And then connect from windows machien to event viewer, but nothing is
showed... and also tried doc
https://git.samba.org/?psamba.git;a=blob;f=docs-xml/Samba-EventLog-HOWTO.txt;h33b3c1ddc47cf079236e429e7b1cbc549e0e6de5;hb=refs/heads/v4-4-stable
 without success

Can you give some information about how to try if partial implementation it
is enough for mlc? Are there any plans to implement this feature, audit
logon or if It is easy and you give detail I can try..

thanks

2016-09-16 18:27 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> On Wed, 2016-09-14 at 11:38 +0200, Trenta sis via samba wrote:
> > Hi,
> >
> >
> > I have samba 4.4.5 configured as AD wortking correctly, now I need to
> > configure Mcafee Logon Collector to receive security event about user
> > login, this application requires to read security event log about
> > domain
> > controller
> > I have tried to connecto to doamin controller form windows server
> > with
> > connect as and view event log but any event viewer is showed...
> >
> > I have tried to configure https://wiki.samba.org/index.php/Event_Logg
> > ing
> >
> > smb.conf
> >
> >  eventlog list = Application System Security SyslogLinux
> >
> > but we don't see any event log related to pdc, how can I do this?
>
> Sadly Samba does not support auditing of logon events via the event log
> at the moment.
>
> Indeed, auditing as a whole topic is sadly not well implemented, it is
> hard even to get enough of the right info from our log files.  (Level 2
> logs give you most of what you want, but it is poorly structured).
>
> Sorry,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/
> services/samba
>
>