Hi all,

Due to a security breach at my office recently, we need to log successful / failed log-ins. I've put in "log level = 3" in smb.conf on our active directory domain controller which seems to log what we need, however this is generating massive log files, due to it logging every file opening/closing by all users. How do I log successful/failed log-ins without having to generate massive files? Would it be possible to output just the successful/failed log-ins into its own log file?

Many thanks for help in advance!

Regards - Piers

On Wed, 2020-09-16 at 17:46 +0100, Piers Kittel via samba wrote:
> Hi all,
>
> Due to a security breach at my office recently, we need to log
> successful / failed log-ins. I've put in "log level = 3" in smb.conf
> on our active directory domain controller which seems to log what we
> need, however this is generating massive log files, due to it logging
> every file opening/closing by all users. How do I log successful/failed
> log-ins without having to generate massive files? Would it be possible
> to output just the successful/failed log-ins into its own log file?
>
> Many thanks for help in advance!

See https://wiki.samba.org/index.php/Setting_up_Audit_Logging

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba

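An added example, not part of the thread and not Samba project code: once authentication events are written as JSON (the `auth_json_audit` debug class covered by the wiki page above), a short filter can pull successful and failed log-ins out of the log and ignore everything else. The log lines, accounts and addresses below are constructed, and the field names and the smb.conf line in the comment are assumptions to check against the wiki page for your Samba version.

```python
import json
from collections import Counter

# Constructed sample log: JSON audit lines mixed with other debug output.
# Assumed smb.conf setting that sends only this class to its own file:
#   log level = 1 auth_json_audit:3@/var/log/samba/auth_json_audit.log
SAMPLE_LOG = """\
[2020/09/16 17:40:01.000000,  3] constructed debug header
  {"timestamp": "2020-09-16T17:40:01+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.0.2.10:50000", "clientDomain": "EXAMPLE", "clientAccount": "alice"}}
  {"timestamp": "2020-09-16T17:41:10+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.20:50001", "clientDomain": "EXAMPLE", "clientAccount": "bob"}}
  {"timestamp": "2020-09-16T17:41:12+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.20:50002", "clientDomain": "EXAMPLE", "clientAccount": "bob"}}
  {"timestamp": "2020-09-16T17:41:30+0100", "type": "Authorization", "Authorization": {"remoteAddress": "ipv4:192.0.2.10:50000", "account": "alice"}}
  opened file {report.docx} read=Yes write=No
"""

def iter_auth_events(lines):
    """Yield one dict per Authentication record, skipping all other log text."""
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue
        try:
            record = json.loads(line[start:])
        except ValueError:
            continue  # ordinary debug text that happens to contain a brace
        body = record.get("Authentication")
        if record.get("type") != "Authentication" or not isinstance(body, dict):
            continue
        yield {
            "time": record.get("timestamp"),
            "account": f'{body.get("clientDomain")}\\{body.get("clientAccount")}',
            # drop the ephemeral source port so repeated attempts group together
            "source": str(body.get("remoteAddress", "")).rsplit(":", 1)[0],
            "status": body.get("status"),
        }

def split_events(events):
    """Return (successful events, Counter of failures per (account, source))."""
    ok, failed = [], Counter()
    for ev in events:
        if ev["status"] == "NT_STATUS_OK":
            ok.append(ev)
        else:
            failed[(ev["account"], ev["source"])] += 1
    return ok, failed

if __name__ == "__main__":
    ok, failed = split_events(iter_auth_events(SAMPLE_LOG.splitlines()))
    for ev in ok:
        print("OK  ", ev["time"], ev["account"], ev["source"])
    for (account, source), n in failed.items():
        print("FAIL", account, source, f"x{n}")
```
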
There's a note at the top of that document:

"Samba only supports logging of succeeded authorization events."

Does that mean that it won't log authentication events at all? Because that's implied. I think it would be better, assuming it will log auth events, to say;

"Samba only supports logging of *successful* authorization events, not unsuccessful. Samba also supports logging of both successful and unsuccessful auth events."

Just my two bits worth.

ABvs> On Wed, 2020-09-16 at 17:46 +0100, Piers Kittel via samba wrote:
>> Hi all,
>>
>> Due to a security breach at my office recently, we need to log
>> successful / failed log-ins. I've put in "log level = 3" in smb.conf
>> on our active directory domain controller which seems to log what we
>> need, however this is generating massive log files, due to it logging
>> every file opening/closing by all users. How do I log successful/failed
>> log-ins without having to generate massive files? Would it be possible
>> to output just the successful/failed log-ins into its own log file?
>>
>> Many thanks for help in advance!

ABvs> See
ABvs> https://wiki.samba.org/index.php/Setting_up_Audit_Logging
ABvs> --
ABvs> Andrew Bartlett https://samba.org/~abartlet/
ABvs> Authentication Developer, Samba Team https://samba.org
ABvs> Samba Developer, Catalyst IT
ABvs> https://catalyst.net.nz/services/samba

You could set up an ELK stack (Elasticsearch, Logstash, Kibana). This is something I'm learning about in the Linux in the Real World course on Linux Training Academy.

Chris

On 9/16/2020 11:46 AM, Piers Kittel via samba wrote:
> Hi all,
>
> Due to a security breach at my office recently, we need to log
> successful / failed log-ins. I've put in "log level = 3" in smb.conf
> on our active directory domain controller which seems to log what we
> need, however this is generating massive log files, due to it logging
> every file opening/closing by all users. How do I log
> successful/failed log-ins without having to generate massive files?
> Would it be possible to output just the successful/failed log-ins into
> its own log file?
>
> Many thanks for help in advance!
>
> Regards - Piers

--
Christopher Wensink
IS Administrator
Five Star Plastics, Inc
1339 Continental Drive
Eau Claire, WI 54701
Office: 715-831-1682
Mobile: 715-563-3112
Fax: 715-831-6075
cwensink at five-star-plastics.com
www.five-star-plastics.com