Administrative logging service for Samba

Gerald (Jerry) Carter jerry at
Thu Jun 30 16:46:00 GMT 2005

Hash: SHA1

Caleb Jorden wrote:
> Firstly, the logging service will create a common 
> administrative logging interface, probably not significantly
> different from the DEBUG call semantics.  At this point,
> there are a few ways to proceed.


We had/have something like this on the HP Print server
appliance.  Basically boils down to syslog by default:

 Wrapper for Admin Logs.

void sys_adminlog(int priority, const char *format_str, ...)
	va_list ap;
	int ret;
	char *msgbuf = NULL;

	va_start( ap, format_str );
	ret = vasprintf( &msgbuf, format_str, ap );
	va_end( ap );

	if (ret == -1)

#if defined(HAVE_SYSLOG)
	syslog( priority, "%s", msgbuf );
	DEBUG(0,("%s", msgbuf ));

Calls to the sys_adminlog() would then look like

sys_adminlog( LOG_ERR, (char *) gettext( "Authentication failed--
	user authentication via Microsoft networking was unsuccessful.
	User name: %s\\%s. Error: %s"),
	domain, user, get_nt_error_msg(status));

And we parse them right out of syslog.  You could also add a
prefix like LOGTYPE:ID or something if you like by defining
macros around sys_adminlog().

> Next, the backend of the administrative logging system 
> needs to be determined.  A number of options come to mind,
> most of which are not exclusive of the others.
> 1. The logs could be logged to syslog, with possibly different levels
> based upon the eventID or eventTypeID.

This was my initial idea.  The reason is that it integrates
better with existing logging Unix tools.  We can still parse
it from syslog into a db if that would help managing the
eventlog rpc's better.

As I mentioned briefly on IRC, Marcin Porwit has been working
on an event log system in the current SAMBA_3_0 branch.  I would
like to be able to support the sort of arbitrary eventlog
parsing hooks that Marcin has worked on and this new work.

If I were starting from scratch, I think it would be good
to have each service (print, auth, account, etc...). For example,
building on the previous sys_adminlog() prototype...

#define LOG_PRINT_NEW_DRIVER	0x1000

sys_adminlog( LOG_PRINT_NEW_DRIVER, ("New driver installed [%s]\n",

and sys_adminlog() would have a lookup into a table to determine
the log server, severity and event id.

An admin would enable/disable logging services by (e.g. the
auth and account log events)

	log events = auth account

Then the eventlog hooks could point at different tools.
Make sense ?  I feel like I'm rambling a little here.

> One final thing is that I am planning on implementing this 
> in Samba3.

I think Samba 3 would be best for the first round implementation
so we can get feedback from production servers.  Once we figure
out what works, is necessary, is not required, it will be easy
to port to Samba 4.  I may be biased here since we have active
work surrounding logging in Samba 3 at the moment.

cheers, jerry
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -


More information about the samba-technical mailing list