Thanks Denis, I was looking for the option 'dns:x' in the wiki but I didn't find it. Now it works. I used log level = 3 auth:3 dns:0 auth_audit:3 gives me unknown class message But where I can find a complete list of classes for log level? I'll also give a try on the last version of samba with json. Thanks again Giuseppe On 1/18/2018 4:52 PM, Denis Cardon wrote:> Hi Giuseppe, > > please, stay on the list. > > Le 01/18/2018 à 04:32 PM, Giuseppe Cesa Bianchi a écrit : >> Thank you for your reply but users logon are already logged on log.samba >> (I think when kerberos authenticate it). >> >> My problem is the hundreds of line written by DNS on log, even at log >> level 1. I'm asking if I can do something to stop it. > > In smb.conf, try: > > log level = 1 auth_audit:3 dns:0 > > or in samba 4.7.4 > log level = 1 auth_json_audit:3 dns:0 > > Denis > >> >> Thanks anyway >> >> Giuseppe >> >> >> On 1/18/2018 3:40 PM, Denis Cardon wrote: >>> Hi Giuseppe, >>> >>>> I have two Samba domain controllers version 4.6.4 on Centos 7.3. >>>> >>>> I need to log every login/logout from windows PCs and I read on the >>>> wiki >>>> that I have to set log level >=3, this works. >>>> >>>> The problem is that my log.samba is filled by internal DNS messages, >>>> most of them about forwarding. >>>> >>>> in my smb.conf: >>>> >>>> log level = 3 auth:10 >>>> vfs objects = full_audit >>>> >>>> I googled around but I cannot find anything to avoid this. >>> >>> For login, you should upgrade your server to Samba 4.7.4 and add json >>> auth logging with the auth_json_audit parameter [1]. >>> >>> For logout, it won't be really possible to have a definitive >>> information from the AD point of view. But you can probably script >>> something on your desktop and send it back to the server (if the >>> network connection is still up...) >>> >>> Cheers, >>> >>> Denis >>> >>> [1] https://wiki.samba.org/index.php/Setting_up_Audit_Logging >>> >>> >>>> >>>> Please help me! >>>> >>>> Thanks >>>> >>>> >>> >> >
On Fri, 19 Jan 2018 09:46:53 +0100 Giuseppe Cesa Bianchi via samba <samba at lists.samba.org> wrote:> Thanks Denis, > > I was looking for the option 'dns:x' in the wiki but I didn't find > it. Now it works. > > I used > > log level = 3 auth:3 dns:0 > > auth_audit:3 gives me unknown class message > > But where I can find a complete list of classes for log level? >You could do something strange (it must be strange because nobody does it) like running 'man smb.conf' and then searching for 'log level' ;-) Rowland
Hi Giuseppe,> > I was looking for the option 'dns:x' in the wiki but I didn't find it. > Now it works. > > I used > > log level = 3 auth:3 dns:0 > > auth_audit:3 gives me unknown class messageit must be only available in 4.7. The last increment 4.7.4 is production ready (we've got it deployed on dozens of DCs) and has many nice improvements over 4.6. You should consider upgrading, at least for domain controllers.> But where I can find a complete list of classes for log level?you can run any samba-tool command with debug level 9 and it will start by listing all the logging classes. For example # samba-tool fsmo show -d9 INFO: Current debug levels: all: 9 tdb: 9 printdrivers: 9 lanman: 9 smb: 9 rpc_parse: 9 rpc_srv: 9 rpc_cli: 9 passdb: 9 sam: 9 auth: 9 winbind: 9 vfs: 9 idmap: 9 quota: 9 acls: 9 locking: 9 msdfs: 9 dmapi: 9 registry: 9 scavenger: 9 dns: 9 ldb: 9 tevent: 9 auth_audit: 9 auth_json_audit: 9 kerberos: 9 drs_repl: 9> > I'll also give a try on the last version of samba with json.Json logs are much easier to parse if you need to pipe them into a SIEM or similar. Cheers, Denis> > Thanks again > > Giuseppe > > > > On 1/18/2018 4:52 PM, Denis Cardon wrote: >> Hi Giuseppe, >> >> please, stay on the list. >> >> Le 01/18/2018 à 04:32 PM, Giuseppe Cesa Bianchi a écrit : >>> Thank you for your reply but users logon are already logged on log.samba >>> (I think when kerberos authenticate it). >>> >>> My problem is the hundreds of line written by DNS on log, even at log >>> level 1. I'm asking if I can do something to stop it. >> >> In smb.conf, try: >> >> log level = 1 auth_audit:3 dns:0 >> >> or in samba 4.7.4 >> log level = 1 auth_json_audit:3 dns:0 >> >> Denis >> >>> >>> Thanks anyway >>> >>> Giuseppe >>> >>> >>> On 1/18/2018 3:40 PM, Denis Cardon wrote: >>>> Hi Giuseppe, >>>> >>>>> I have two Samba domain controllers version 4.6.4 on Centos 7.3. >>>>> >>>>> I need to log every login/logout from windows PCs and I read on the >>>>> wiki >>>>> that I have to set log level >=3, this works. >>>>> >>>>> The problem is that my log.samba is filled by internal DNS messages, >>>>> most of them about forwarding. >>>>> >>>>> in my smb.conf: >>>>> >>>>> log level = 3 auth:10 >>>>> vfs objects = full_audit >>>>> >>>>> I googled around but I cannot find anything to avoid this. >>>> >>>> For login, you should upgrade your server to Samba 4.7.4 and add json >>>> auth logging with the auth_json_audit parameter [1]. >>>> >>>> For logout, it won't be really possible to have a definitive >>>> information from the AD point of view. But you can probably script >>>> something on your desktop and send it back to the server (if the >>>> network connection is still up...) >>>> >>>> Cheers, >>>> >>>> Denis >>>> >>>> [1] https://wiki.samba.org/index.php/Setting_up_Audit_Logging >>>> >>>> >>>>> >>>>> Please help me! >>>>> >>>>> Thanks >>>>> >>>>> >>>> >>> >> >-- Denis Cardon Tranquil IT Systems Les Espaces Jules Verne, bâtiment A 12 avenue Jules Verne 44230 Saint Sébastien sur Loire tel : +33 (0) 2.40.97.57.55 http://www.tranquil-it-systems.fr
Rowland, yoy are right, It's the first thing I did but I don't know why I have no man for smb.conf [root at dc2 ~]# man smb.conf No manual entry for smb.conf Perhaps is because I built samba from source and I omitted some option in configure... Thanks Giuseppe On 1/19/2018 10:01 AM, Rowland Penny via samba wrote:> On Fri, 19 Jan 2018 09:46:53 +0100 > Giuseppe Cesa Bianchi via samba <samba at lists.samba.org> wrote: > >> Thanks Denis, >> >> I was looking for the option 'dns:x' in the wiki but I didn't find >> it. Now it works. >> >> I used >> >> log level = 3 auth:3 dns:0 >> >> auth_audit:3 gives me unknown class message >> >> But where I can find a complete list of classes for log level? >> > You could do something strange (it must be strange because nobody does > it) like running 'man smb.conf' and then searching for 'log level' ;-) > > Rowland >
Thanks again Denis, I will follow your tips and sure I'll move to 4.7.4 after I solve this problem Giuseppe On 1/19/2018 10:01 AM, Denis Cardon wrote:> Hi Giuseppe, > >> >> I was looking for the option 'dns:x' in the wiki but I didn't find it. >> Now it works. >> >> I used >> >> log level = 3 auth:3 dns:0 >> >> auth_audit:3 gives me unknown class message > > it must be only available in 4.7. The last increment 4.7.4 is > production ready (we've got it deployed on dozens of DCs) and has many > nice improvements over 4.6. You should consider upgrading, at least > for domain controllers. > >> But where I can find a complete list of classes for log level? > > you can run any samba-tool command with debug level 9 and it will > start by listing all the logging classes. For example > > # samba-tool fsmo show -d9 > INFO: Current debug levels: > all: 9 > tdb: 9 > printdrivers: 9 > lanman: 9 > smb: 9 > rpc_parse: 9 > rpc_srv: 9 > rpc_cli: 9 > passdb: 9 > sam: 9 > auth: 9 > winbind: 9 > vfs: 9 > idmap: 9 > quota: 9 > acls: 9 > locking: 9 > msdfs: 9 > dmapi: 9 > registry: 9 > scavenger: 9 > dns: 9 > ldb: 9 > tevent: 9 > auth_audit: 9 > auth_json_audit: 9 > kerberos: 9 > drs_repl: 9 > >> >> I'll also give a try on the last version of samba with json. > > Json logs are much easier to parse if you need to pipe them into a > SIEM or similar. > > Cheers, > > Denis > >> >> Thanks again >> >> Giuseppe >> >> >> >> On 1/18/2018 4:52 PM, Denis Cardon wrote: >>> Hi Giuseppe, >>> >>> please, stay on the list. >>> >>> Le 01/18/2018 à 04:32 PM, Giuseppe Cesa Bianchi a écrit : >>>> Thank you for your reply but users logon are already logged on >>>> log.samba >>>> (I think when kerberos authenticate it). >>>> >>>> My problem is the hundreds of line written by DNS on log, even at log >>>> level 1. I'm asking if I can do something to stop it. >>> >>> In smb.conf, try: >>> >>> log level = 1 auth_audit:3 dns:0 >>> >>> or in samba 4.7.4 >>> log level = 1 auth_json_audit:3 dns:0 >>> >>> Denis >>> >>>> >>>> Thanks anyway >>>> >>>> Giuseppe >>>> >>>> >>>> On 1/18/2018 3:40 PM, Denis Cardon wrote: >>>>> Hi Giuseppe, >>>>> >>>>>> I have two Samba domain controllers version 4.6.4 on Centos 7.3. >>>>>> >>>>>> I need to log every login/logout from windows PCs and I read on the >>>>>> wiki >>>>>> that I have to set log level >=3, this works. >>>>>> >>>>>> The problem is that my log.samba is filled by internal DNS messages, >>>>>> most of them about forwarding. >>>>>> >>>>>> in my smb.conf: >>>>>> >>>>>> log level = 3 auth:10 >>>>>> vfs objects = full_audit >>>>>> >>>>>> I googled around but I cannot find anything to avoid this. >>>>> >>>>> For login, you should upgrade your server to Samba 4.7.4 and add json >>>>> auth logging with the auth_json_audit parameter [1]. >>>>> >>>>> For logout, it won't be really possible to have a definitive >>>>> information from the AD point of view. But you can probably script >>>>> something on your desktop and send it back to the server (if the >>>>> network connection is still up...) >>>>> >>>>> Cheers, >>>>> >>>>> Denis >>>>> >>>>> [1] https://wiki.samba.org/index.php/Setting_up_Audit_Logging >>>>> >>>>> >>>>>> >>>>>> Please help me! >>>>>> >>>>>> Thanks >>>>>> >>>>>> >>>>> >>>> >>> >> >