Administrative logging service for Samba
David Collier-Brown
David.Collier-Brown at Sun.COM
Mon Jun 27 17:54:45 GMT 2005
Caleb Jorden wrote:
>>I am interested in implementing an administrative logging service for
>>samba. This functionality would be similar to the debug logs, but would
>>contain activities which a system administrator would be interested in
>>knowing. For example, especially when samba is a domain controller, it is
>>imperative that the administrator know when an attack is occurring on his
>>or her domain.
[...]
>>4. The information could be tagged with both an eventTypeID and an eventID
>> - Example: ADMINLOG(ADMINLOG_SECURITY, ADMINLOG_SECURITY_ACCOUNT_LOCKOUT,
>>            "Account %s was administratively locked out\n", username);
Stefan (metze) Metzmacher wrote:
>>I prefer option 4, because it would allow for specific types of logging
>>events to be filtered by a configuration option in smb.conf, and would
>>allow for specific searches and sorting of result.
This is a commonly reinvented wheel, and the version you
suggested in (4) is the round one (;-))
A maximally useful log message contains a number of fixed
items, usually in a fixed-format header of some sort, and
text for the human reader to use to understand the implications
of the problem.
From memory, the fixed information includes enough to allow
for mechanical sorting by nastiness and occasionally mechanical
processing:
- date/time
- origin, meaning machine- or domain-name
- source, in some detail, including the executable name
and process id as a minimum, if applicable,
and optionally the file, function and line,
it is good to make this one token, for ease of
parsing and resilience when one line has
"sendmail:parse.c:parse_it:332:1948" and another has
only "mconnect:1293"
- pre-classification, meaning the application type, error type
and severity. DFAs can switch on this, and should.
The old ARPA format was <error type> <source> <severity>
as three decimal digits, which you still see when
smtp says "250 ok". The 2 was permanent success, the 5
meant "the app", in this case smtp, and 0 was the severity.
I prefer ascii, not numbers (;-))
- then the text for the human, saying the meaning of the error,
the same way you're supposed to write the **meaning**
of code in comments, not just say what the code does.
Syslog does about half of this, yours does most:
for example
ADMINLOG -- implies origin and source
(ADMINLOG_SECURITY, -- preclassification, app type
ADMINLOG_SECURITY_ACCOUNT_LOCKOUT, -- preclass, error type
"Account %s was administratively locked" -- message for human
I'd suggest saying which account, and optionally a severity,
such as {for 3 minutes, for a day, until overridden, permanent}
such as
ADMINLOG(ADMINLOG_SECURITY,ADMINLOG_SECURITY_ACCOUNT_LOCKOUT,REPEATED_LOGIN_ATTEMPTS,
"Account %s login failed more than 3 times, locked for 1 day", user);
which would be selected via the fixed header into a processing
script for just timed lockouts, sorted on user, counted and reported
whenever a user was locked more than N times in a fixed period
--dave
--
David Collier-Brown, | Always do right. This will gratify
Sun Microsystems, Toronto | some people and astonish the rest
davecb at canada.sun.com | -- Mark Twain
(416) 263-5733 (x65733) |
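As an added illustration of the fixed-header record Dave describes (this is not Samba code and not part of the original mail), the following C shows the two halves of the design together: an ADMINLOG-style formatter that writes date/time, origin, a single colon-joined source token, the ASCII pre-classification triple (application type, event type, severity) and then the human text, and the matching parser a processing script would use to select records by app and event type. The tab separator, the field names, the `SECURITY` / `ACCOUNT_LOCKOUT` / `LOCKED_1DAY` tokens and the sample hostname and process id are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* Hypothetical admin-log record layout (not Samba's): six tab-separated
 * header fields, then free text for the human reader. Tabs are used as
 * the separator because the human text itself contains spaces. */
#define ADMINLOG_NFIELDS 6
#define ADMINLOG_FIELD_MAX 64

struct adminlog_hdr {
    const char *when;     /* date/time, ISO 8601; passed in so results are deterministic */
    const char *origin;   /* machine or domain name */
    const char *source;   /* one token: prog:file:func:line:pid */
    const char *app;      /* pre-classification: application type, e.g. SECURITY */
    const char *event;    /* pre-classification: event type, e.g. ACCOUNT_LOCKOUT */
    const char *severity; /* pre-classification: severity as ASCII, e.g. LOCKED_1DAY */
};

/* Build the single source token. Colons join the parts so a parser can
 * treat the whole thing as one field even when some parts are absent. */
int adminlog_source(char *out, size_t len, const char *prog, const char *file,
                    const char *func, int line, long pid)
{
    int n = snprintf(out, len, "%s:%s:%s:%d:%ld", prog, file, func, line, pid);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Render the header and a printf-style human message into buf.
 * Returns the length written, or -1 if the record did not fit. */
int adminlog_format(char *buf, size_t len, const struct adminlog_hdr *h,
                    const char *fmt, ...)
{
    int n = snprintf(buf, len, "%s\t%s\t%s\t%s\t%s\t%s\t",
                     h->when, h->origin, h->source, h->app, h->event, h->severity);
    if (n < 0 || (size_t)n >= len)
        return -1;
    va_list ap;
    va_start(ap, fmt);
    int m = vsnprintf(buf + n, len - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0 || (size_t)m >= len - (size_t)n)
        return -1;
    return n + m;
}

/* Split a record into its six header fields; *text is left pointing at the
 * human message inside line. Returns 0 on success, -1 if the header is
 * malformed (too few fields, an empty field, or a field too long), so a
 * processing script can drop lines that do not carry the fixed header. */
int adminlog_parse(const char *line, char fields[ADMINLOG_NFIELDS][ADMINLOG_FIELD_MAX],
                   const char **text)
{
    const char *p = line;
    for (int i = 0; i < ADMINLOG_NFIELDS; i++) {
        const char *tab = strchr(p, '\t');
        if (tab == NULL)
            return -1;
        size_t flen = (size_t)(tab - p);
        if (flen == 0 || flen >= ADMINLOG_FIELD_MAX)
            return -1;
        memcpy(fields[i], p, flen);
        fields[i][flen] = '\0';
        p = tab + 1;
    }
    *text = p;
    return 0;
}

/* The selection step: does this record carry the given app/event
 * classification? A NULL event matches any event of that app type.
 * Returns 1 on match, 0 on no match or on an unparseable line. */
int adminlog_match(const char *line, const char *app, const char *event)
{
    char f[ADMINLOG_NFIELDS][ADMINLOG_FIELD_MAX];
    const char *text;
    if (adminlog_parse(line, f, &text) != 0)
        return 0;
    if (strcmp(f[3], app) != 0)
        return 0;
    return (event == NULL || strcmp(f[4], event) == 0) ? 1 : 0;
}

int main(void)
{
    char src[96], rec[256];
    /* Constructed sample values: hostname, file, function, line and pid are made up. */
    adminlog_source(src, sizeof src, "smbd", "auth.c", "check_password", 332, 1948);
    struct adminlog_hdr h = { "2005-06-27T17:54:45Z", "dc1.example.test", src,
                              "SECURITY", "ACCOUNT_LOCKOUT", "LOCKED_1DAY" };
    if (adminlog_format(rec, sizeof rec, &h,
                        "Account %s login failed more than %d times, locked for 1 day",
                        "alice", 3) > 0)
        puts(rec);
    printf("selected as lockout: %d\n", adminlog_match(rec, "SECURITY", "ACCOUNT_LOCKOUT"));
    return 0;
}
```

Because the selection is done purely on the header fields, the human text can be reworded freely without breaking downstream scripts, which is the point of keeping the classification out of the free text; the parser also rejects lines without the full header rather than guessing, so a stray debug line cannot be mistaken for a lockout event.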