There's a note at the top of that document:

"Samba only supports logging of succeeded authorization events."

Does that mean that it won't log authentication events at all? Because that's implied.

I think it would be better, assuming it will log auth events, to say; "Samba only supports logging of *successful* authorization events, not unsuccessful. Samba also supports logging of both successful and unsuccessful auth events."

Just my two bits worth.

ABvs> On Wed, 2020-09-16 at 17:46 +0100, Piers Kittel via samba wrote:
>> Hi all,
>> Due to a security breach at my office recently, we need to log successful / failed log-ins. I've put in "log level = 3" in smb.conf on our active directory domain controller which seems to log what we need, however this is generating massive log files, due to it logging every file opening/closing by all users. How do I log successful/failed log-ins without having to generate massive files? Would it be possible to output just the successful/failed log-ins into its own log file?
>> Many thanks for help in advance!

ABvs> See
ABvs> https://wiki.samba.org/index.php/Setting_up_Audit_Logging

ABvs> --
ABvs> Andrew Bartlett https://samba.org/~abartlet/
ABvs> Authentication Developer, Samba Team https://samba.org
ABvs> Samba Developer, Catalyst IT
ABvs> https://catalyst.net.nz/services/samba
Yeah, it's a wiki. Go for your life!

Adding info on the per-log class stuff to log into different files like

dsdb_password_json_audit:4@/var/log/samba/password.log

would be awesome too.

Andrew Bartlett

On Wed, 2020-09-16 at 10:53 -0700, Gregory Sloop via samba wrote:
> There's a note at the top of that document:
>
> "Samba only supports logging of succeeded authorization events."
>
> Does that mean that it won't log authentication events at all? Because that's implied.
>
> I think it would be better, assuming it will log auth events, to say; "Samba only supports logging of *successful* authorization events, not unsuccessful. Samba also supports logging of both successful and unsuccessful auth events."
>
> Just my two bits worth.
>
> ABvs> On Wed, 2020-09-16 at 17:46 +0100, Piers Kittel via samba wrote:
> > > Hi all,
> > > Due to a security breach at my office recently, we need to log successful / failed log-ins. I've put in "log level = 3" in smb.conf on our active directory domain controller which seems to log what we need, however this is generating massive log files, due to it logging every file opening/closing by all users. How do I log successful/failed log-ins without having to generate massive files? Would it be possible to output just the successful/failed log-ins into its own log file?
> > > Many thanks for help in advance!
>
> ABvs> See
> ABvs> https://wiki.samba.org/index.php/Setting_up_Audit_Logging
>
> ABvs> --
> ABvs> Andrew Bartlett https://samba.org/~abartlet/
> ABvs> Authentication Developer, Samba Team https://samba.org
> ABvs> Samba Developer, Catalyst IT
> ABvs> https://catalyst.net.nz/services/samba

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT
https://catalyst.net.nz/services/samba
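Added example, not part of the thread and not Samba's own code: a Python example of pulling successful and failed log-ins out of a dedicated audit file once a per-class target like the one in the message above is configured. It assumes the `auth_json_audit` class is routed to its own file and that each record appears on a line as `JSON Authentication: {...}` with `status`, `clientDomain`, `clientAccount` and `remoteAddress` fields; the sample lines are constructed.

```python
import json
from collections import Counter

# Assumed smb.conf setting that produces the input (per-class file syntax as
# in the message above; the class choice and path are assumptions):
#   log level = 1 auth_json_audit:3@/var/log/samba/auth_json_audit.log
MARKER = "JSON Authentication: "


def parse_auth_events(lines):
    """Yield (account, remote_address, status) for each authentication record."""
    for line in lines:
        _, found, payload = line.partition(MARKER)
        if not found:
            continue  # debug header or unrelated message
        try:
            record = json.loads(payload)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip rather than abort
        auth = record.get("Authentication", {})
        account = "{}\\{}".format(auth.get("clientDomain") or "?",
                                  auth.get("clientAccount") or "?")
        yield account, auth.get("remoteAddress"), auth.get("status")


def summarize(lines):
    """Return (successes, failures) as Counters keyed by DOMAIN\\account."""
    successes, failures = Counter(), Counter()
    for account, _remote, status in parse_auth_events(lines):
        (successes if status == "NT_STATUS_OK" else failures)[account] += 1
    return successes, failures


def _sample(status, account, addr):
    """Build one constructed log line in the assumed format."""
    event = {"type": "Authentication", "Authentication": {
        "status": status, "clientDomain": "EXAMPLE",
        "clientAccount": account, "remoteAddress": addr}}
    return "  " + MARKER + json.dumps(event)


SAMPLE_LOG = [  # constructed input, not real log data
    "[2020/09/16 17:46:01.000000,  3] constructed debug header line",
    _sample("NT_STATUS_OK", "alice", "ipv4:192.0.2.10:50000"),
    _sample("NT_STATUS_WRONG_PASSWORD", "bob", "ipv4:192.0.2.66:50001"),
    _sample("NT_STATUS_WRONG_PASSWORD", "bob", "ipv4:192.0.2.66:50002"),
    "  " + MARKER + '{"type": "Authentication", "Authent',  # truncated line
]

if __name__ == "__main__":
    ok, failed = summarize(SAMPLE_LOG)
    print("successful:", dict(ok))
    print("failed:", dict(failed))
```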
ABvs> Yeah, it's a wiki. Go for your life!

I can do that - I just was not sure I was right and didn't want to put something in the wiki that wasn't factually accurate.

So, just to be extra explicit. Samba can log both successful and failed authentications, but only successful authorizations, not unsuccessful authorizations.

Right?

ABvs> Adding info on the per-log class stuff to log into different files
ABvs> like
ABvs> dsdb_password_json_audit:4@/var/log/samba/password.log
ABvs> would be awesome too.

ABvs> Andrew Bartlett

ABvs> On Wed, 2020-09-16 at 10:53 -0700, Gregory Sloop via samba wrote:
>> There's a note at the top of that document:
>>
>> "Samba only supports logging of succeeded authorization events."
>>
>> Does that mean that it won't log authentication events at all? Because that's implied.
>>
>> I think it would be better, assuming it will log auth events, to say; "Samba only supports logging of *successful* authorization events, not unsuccessful. Samba also supports logging of both successful and unsuccessful auth events."
>>
>> Just my two bits worth.