Anantha Raghava
2018-Jan-06 06:51 UTC
[Samba] Export authentication & authorisation logs to Windows Event Viewer
Hi,

Can we export the samba audit logs (Authentication & Authorisation Logs) to Windows Event Viewer?

I am trying to export the authentication & authorisation logs to a Windows Server to be shown in Windows Event Viewer. I read the link - https://wiki.samba.org/index.php/Event_Logging. But couldn't follow much.

Can someone throw more light on the procedure, if it is possible?

--
Thanks & Regards,
Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.
Andrew Bartlett
2018-Jan-06 08:02 UTC
[Samba] Export authentication & authorisation logs to Windows Event Viewer
On Sat, 2018-01-06 at 12:21 +0530, Anantha Raghava via samba wrote:
> Hi,
>
> Can we export the samba audit logs (Authentication & Authorisation Logs)
> to Windows Event Viewer?
>
> I am trying to export the authentication & authorisation logs to a
> Windows Server to be shown in Windows Event Viewer. I read the link -
> https://wiki.samba.org/index.php/Event_Logging. But couldn't follow much.
>
> Can someone throw more light on the procedure, if it is possible?

Sadly not at this time. I actually have a client task pending to look into this better, but for now if you want to use the modern event viewer it looks like quite a large protocol built on binary XML. The older eventlog protocol is still around, and it might be easier to fill in that database.

Can you clarify if you would be wanting eventlog or eventlog6 support? While I don't wish to give false hopes, it would be really helpful for the 'scoping study' I've been asked to do if I knew better what users need here.

Additionally, I understand there are some security appliances etc that use event log to get audit information from AD for security purposes. If you or anyone else on the list uses one of these and can tell me a little about them (names, versions, ideally get me a network trace of it in action or where I can get a demo) that would also be really helpful.

Thanks,

Andrew Bartlett

> --
> Thanks & Regards,
>
> Anantha Raghava
>
> Do not print this e-mail unless required. Save Paper & trees.

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Andrew Bartlett
2018-Jan-06 08:42 UTC
[Samba] Export authentication & authorisation logs to Windows Event Viewer
On Sat, 2018-01-06 at 14:05 +0530, Anantha Raghava wrote:
> Hello Andrew,
>
> Thanks for quick response.
>
> The requirement here is, we are deploying a Smokescreen IllusionBLACK appliance for cyber security (Deception technology, unfortunately this appliance is built on Windows), and Active Directory Decoys are created. A task is created in the appliance that can read the AD event viewer and notify on login pass or fail. Attached is the schematic for your information.
>
> You can get more details from https://www.smokescreen.io/IllusionBLACK/ and you can also setup your demo.
> Unfortunately, this cannot read either syslog or JSON format. We even checked, if we, using some script, can write these logs into a text file on a Windows Server, whether it can read, but the answer is a Big NO. It uses the PowerShell to read the Windows Events and notifies when a specific event occurs.
>
> For now, older eventlog format is good, not sure about future.

Very interesting. Does it connect and just see no events, or does it fail to connect? Have you tried injecting a fake event as directed by that wiki page and see if it works? (It would be a much simpler task to extend the audit code if that were the case, or you could even write the transformation tool).

Naturally I'll follow up with them about a demo.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Anantha Raghava
2018-Jan-08 02:52 UTC
[Samba] Export authentication & authorisation logs to Windows Event Viewer
Hello Andrew,

The appliance can connect, but cannot see the events. I did attempt the procedure given in the wiki, but could not get the dll part going.

--
Thanks & Regards,
Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.

On 06/01/18 2:12 PM, Andrew Bartlett wrote:
> On Sat, 2018-01-06 at 14:05 +0530, Anantha Raghava wrote:
>> Hello Andrew,
>>
>> Thanks for quick response.
>>
>> The requirement here is, we are deploying a Smokescreen IllusionBLACK appliance for cyber security (Deception technology, unfortunately this appliance is built on Windows), and Active Directory Decoys are created. A task is created in the appliance that can read the AD event viewer and notify on login pass or fail. Attached is the schematic for your information.
>>
>> You can get more details from https://www.smokescreen.io/IllusionBLACK/ and you can also setup your demo.
>> Unfortunately, this cannot read either syslog or JSON format. We even checked, if we, using some script, can write these logs into a text file on a Windows Server, whether it can read, but the answer is a Big NO. It uses the PowerShell to read the Windows Events and notifies when a specific event occurs.
>>
>> For now, older eventlog format is good, not sure about future.
> Very interesting. Does it connect and just see no events, or does it
> fail to connect? Have you tried injecting a fake event as directed by
> that wiki page and see if it works? (It would be a much simpler task
> to extend the audit code if that were the case, or you could even write
> the transformation tool).
>
> Naturally I'll follow up with them about a demo.
>
> Thanks,
>
> Andrew Bartlett