Administrative logging service for Samba

Stefan (metze) Metzmacher metze at samba.org
Mon Jun 27 16:27:13 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Caleb Jorden schrieb:
> I am interested in implementing an administrative logging service for 
> samba.  This functionality would be similar to the debug logs, but would 
> contain activities which a system administrator would be interested in 
> knowing.  For example, especially when samba is a domain controller, it is 
> imperative that the administrator know when an attack is occurring on his 
> or her domain.  There currently does not exist a clean way to ascertain 
> this information from the samba logs.  If one turns on debug logging at a 
> sufficiently high level, the events can at least be inferred, but not 
> without wading through a lot of other information which is not related to 
> the administrative events.
> 
> I will outline what I have in mind, and I would appreciate any feedback 
> that interested parties would have for me about my current plan.
> 
> Firstly, the logging service will create a common administrative logging 
> interface, probably not significantly different from the DEBUG call 
> semantics.  At this point, there are a few ways to proceed.
> 
> 1. The information could be logged in a string-only form.
>         - Example: ADMINLOG("Account %s was administratively locked 
> out\n", username);
> 
> 2. The information could be tagged with a unique eventID.
>         - Example: ADMINLOG(ADMINLOG_ACCOUNT_LOCKOUT, "Account %s was 
> administratively locked out\n", username);
>                 (*where ADMINLOG_ACCOUNT_LOCKOUT would be a #define in a 
> header which would contain a common mapping of eventIDs<=>names)
> 
> 3. The information could be tagged with a unique eventTypeID.
>         - Example: ADMINLOG(ADMINLOG_SECURITY, "Account %s was 
> administratively locked out\n", username);
> 
> 4. The information could be tagged with both an eventTypeID and an eventID
>         - Example: ADMINLOG(ADMINLOG_SECURITY, 
> ADMINLOG_SECURITY_ACCOUNT_LOCKOUT,
>                                 "Account %s was administratively locked 
> out\n", username);
> 
> I prefer option 4, because it would allow for specific types of logging 
> events to be filtered by a configuration option in smb.conf, and would 
> allow for specific searches and sorting of results.
> 
> 
> 
> Next, the backend of the administrative logging system needs to be 
> determined.  A number of options come to mind, most of which are not 
> exclusive of the others.
> 
> 1. The logs could be logged to syslog, with possibly different levels 
> based upon the eventID or eventTypeID.
> 
> 2. The logs could be logged to one or more flat files.
> 
> 3. The logs could be stored in some sort of binary or XML form readable 
> with the Event Viewer RPCs or other tools created for this job.
> 
> 4. The logs could be stored in a (SQL) database which could be queried for 
> specific eventIDs or eventTypeIDs, and the results sorted as desired.
> 
> I think that, quite likely, multiple of these options could prove useful. 
> I would probably start with option 2, since this would provide an easy way 
> to get the system working.  After the system is in place, however, I or 
> someone else could add more administrative logging backend modules as 
> needed.  I think that it would be useful to have a generic architecture 
> from the beginning which would facilitate the easy extension of the 
> backend system to different logging destinations.  This is one reason I am 
> in favor of having an eventID and an eventTypeID.  That way information 
> can be categorized more finely eventually than may be reasonable or 
> possible in the first iteration of this project.
> 
> 
> 
> One final thing is that I am planning on implementing this in Samba3. Does 
> anyone know if such a thing exists yet in Samba4?  I have not looked at 
> the Samba4 system yet, since it seems that Samba3 will be the production 
> version for quite some time.  However, I would be interested in knowing if 
> such a system is in Samba4 so that I might be able to make my system as 
> much like it to facilitate the easy transition for administrators to 
> Samba4 when the time comes.

there was some discussion on that in samba4 last month,

look at these threads

http://lists.samba.org/archive/samba-technical/2005-June/041137.html

and maybe also this:

http://lists.samba.org/archive/samba-technical/2005-May/041049.html

- --
metze

Stefan Metzmacher <metze at samba.org> www.samba.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows XP)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCwCjem70gjA5TCD8RAvxcAJ94hfgS++7CwTw/CWIkgCKSUh1OoACgv963
2nDe0HFOqSWN84FNiu1ldoE=
=T3W2
-----END PGP SIGNATURE-----
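
The interface and backend design sketched in the quoted post (an ADMINLOG call carrying both an eventTypeID and an eventID, event types filtered by an smb.conf-style option, records handed to a pluggable backend such as a flat file) can be shown as a small piece of C. This is an added example, not Samba code and not Caleb's or metze's: every name in it (adminlog_*, ADMINLOG_*, the numeric event codes, the "security, account" option syntax) is hypothetical. It also adds one check the post does not mention but any practitioner would want: control characters in the formatted message are neutralised, so a crafted username cannot forge an extra log line.

```c
/* Added example: sketch of the "option 4" admin logging interface.
 * Hypothetical names throughout; not Samba's own code. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* eventTypeIDs are single bits so a configured filter is just a mask. */
enum adminlog_type {
    ADMINLOG_SECURITY = 1u << 0,
    ADMINLOG_ACCOUNT  = 1u << 1,
    ADMINLOG_SERVICE  = 1u << 2,
};

/* eventIDs: stable numeric codes, the eventID<=>name table of the post. */
enum adminlog_event {
    ADMINLOG_SECURITY_ACCOUNT_LOCKOUT = 1001,
    ADMINLOG_SECURITY_BAD_PASSWORD    = 1002,
    ADMINLOG_ACCOUNT_CREATED          = 2001,
    ADMINLOG_SERVICE_STARTED          = 3001,
};

static const struct { unsigned type; const char *name; } adminlog_type_names[] = {
    { ADMINLOG_SECURITY, "security" },
    { ADMINLOG_ACCOUNT,  "account"  },
    { ADMINLOG_SERVICE,  "service"  },
};
#define ADMINLOG_NTYPES (sizeof(adminlog_type_names) / sizeof(adminlog_type_names[0]))

/* A backend receives the fully formatted record; 0 means stored. */
typedef int (*adminlog_backend_fn)(const char *record, void *ctx);

static unsigned            adminlog_mask        = ~0u;  /* default: every type */
static adminlog_backend_fn adminlog_backend     = NULL;
static void               *adminlog_backend_ctx = NULL;

/* Parse a hypothetical smb.conf value such as "security, account" into a
 * type mask.  "all" selects everything, unknown names are ignored, and an
 * empty value selects nothing. */
unsigned adminlog_parse_types(const char *list)
{
    char buf[256];
    unsigned mask = 0;
    char *tok;

    snprintf(buf, sizeof(buf), "%s", list ? list : "");
    for (tok = strtok(buf, ", \t"); tok != NULL; tok = strtok(NULL, ", \t")) {
        size_t i;
        if (strcmp(tok, "all") == 0)
            return ~0u;
        for (i = 0; i < ADMINLOG_NTYPES; i++)
            if (strcmp(tok, adminlog_type_names[i].name) == 0)
                mask |= adminlog_type_names[i].type;
    }
    return mask;
}

void adminlog_configure(const char *types, adminlog_backend_fn fn, void *ctx)
{
    adminlog_mask        = adminlog_parse_types(types);
    adminlog_backend     = fn;
    adminlog_backend_ctx = ctx;
}

static const char *adminlog_type_name(unsigned type)
{
    size_t i;
    for (i = 0; i < ADMINLOG_NTYPES; i++)
        if (adminlog_type_names[i].type == type)
            return adminlog_type_names[i].name;
    return "unknown";
}

/* Format "[type] eventid=N message" and hand it to the backend.
 * Returns 1 if a record was emitted, 0 if filtered out or unstored. */
int adminlog_emit(unsigned type, unsigned event_id, const char *fmt, ...)
{
    char msg[512], record[640];
    va_list ap;
    size_t n;

    if (!(adminlog_mask & type) || adminlog_backend == NULL)
        return 0;

    va_start(ap, fmt);
    vsnprintf(msg, sizeof(msg), fmt, ap);
    va_end(ap);

    /* Drop the trailing newline the DEBUG-style convention carries, then
     * neutralise any remaining control character: attacker-supplied names
     * must not be able to inject a forged second record. */
    n = strlen(msg);
    while (n > 0 && msg[n - 1] == '\n')
        msg[--n] = '\0';
    for (n = 0; msg[n] != '\0'; n++)
        if ((unsigned char)msg[n] < 0x20)
            msg[n] = '?';

    snprintf(record, sizeof(record), "[%s] eventid=%u %s",
             adminlog_type_name(type), event_id, msg);
    return adminlog_backend(record, adminlog_backend_ctx) == 0;
}

#define ADMINLOG(type, id, ...) adminlog_emit((type), (id), __VA_ARGS__)

/* Option-2 backend: one line per record appended to a FILE* (a log file
 * or, as here, stdout). */
int adminlog_backend_file(const char *record, void *ctx)
{
    FILE *fp = ctx ? (FILE *)ctx : stdout;
    return fprintf(fp, "%s\n", record) < 0 ? -1 : 0;
}

/* In-memory backend so the resulting record can be inspected. */
struct adminlog_capture { char last[640]; int count; };

int adminlog_backend_capture(const char *record, void *ctx)
{
    struct adminlog_capture *c = ctx;
    snprintf(c->last, sizeof(c->last), "%s", record);
    c->count++;
    return 0;
}

int main(void)
{
    struct adminlog_capture cap = { "", 0 };

    /* Hypothetical configuration: only security events wanted. */
    adminlog_configure("security", adminlog_backend_capture, &cap);
    ADMINLOG(ADMINLOG_SECURITY, ADMINLOG_SECURITY_ACCOUNT_LOCKOUT,
             "Account %s was administratively locked out\n", "jdoe");
    ADMINLOG(ADMINLOG_ACCOUNT, ADMINLOG_ACCOUNT_CREATED,
             "Account %s created\n", "jdoe");            /* filtered out */
    printf("%d record(s); last: %s\n", cap.count, cap.last);
    return 0;
}
```

The type filter and the backend are deliberately independent: the same mask logic works whether the destination is a flat file, syslog (where eventTypeID could map to a facility or level) or a database, which is the extensibility the post argues for.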