[Samba] Samba log analyzer

Bart Hendrix hendrix at worldpilot.nl
Thu Jan 13 06:13:07 GMT 2005


Hi All,

We use LogWatch for our Samba server.

The reports look like the following:


################### LogWatch 4.3.2 (02/18/03) ####################
       Processing Initiated: Thu Jan 13 04:02:13 2005
       Date Range Processed: yesterday
     Detail Level of Output: 0
          Logfiles for Host: samba3
 ################################################################

 --------------------- Named Begin ------------------------ 

Zone update refused:
   172.17.6.3 (intra.nlcom.nl/IN): 43 Time(s)

 ---------------------- Named End ------------------------- 


 --------------------- samba Begin ------------------------ 


**Unmatched Entries**
auth/auth.c:check_ntlm_password(219)  check_ntlm_password:  Checking 
password for unmapped user [COMMERS2]\[Commers Health]@[COMMERS2] with the 
new password interface : 1 Time(s)
auth/auth.c:check_ntlm_password(219)  check_ntlm_password:  Checking 
password for unmapped user []\[]@[CGOES-PC] with the new password interface 
: 6 Time(s)
auth/auth.c:check_ntlm_password(219)  check_ntlm_password:  Checking 
password for unmapped user []\[]@[CM182760-A] with the new password 
interface : 7 Time(s)
auth/auth.c:check_ntlm_password(219)  check_ntlm_password:  Checking 
password for unmapped user []\[]@[COMMERS2] with the new password interface 
: 1 Time(s)
auth/auth.c:check_ntlm_password(219)  check_ntlm_password:  Checking 
password for unmapped user []\[]@[SCHAAFPC] with the new password interface 
: 1 Time(s)
auth/auth.c:check_ntlm_password(222)  check_ntlm_password:  mapped user is: 
[NLCOM-NL]\[Commers Health]@[COMMERS2] : 1 Time(s)
auth/auth.c:check_ntlm_password(222)  check_ntlm_password:  mapped user is: 
[NLCOM-NL]\[]@[CGOES-PC] : 6 Time(s)
auth/auth.c:check_ntlm_password(222)  check_ntlm_password:  mapped user is: 
[NLCOM-NL]\[]@[CM182760-A] : 7 Time(s)
auth/auth.c:check_ntlm_password(222)  check_ntlm_password:  mapped user is: 
[NLCOM-NL]\[]@[COMMERS2] : 1 Time(s)
auth/auth.c:check_ntlm_password(222)  check_ntlm_password:  mapped user is: 
[NLCOM-NL]\[]@[SCHAAFPC] : 1 Time(s)
auth/auth.c:check_ntlm_password(268)  check_ntlm_password: guest 
authentication for user [] succeeded : 15 Time(s)
auth/auth.c:check_ntlm_password(312)  check_ntlm_password:  Authentication 
for user [Commers Health] -> [Commers Health] FAILED with error 
NT_STATUS_NO_SUCH_USER : 1 Time(s)
auth/auth_sam.c:check_sam_security(244)  check_sam_security: Couldn't find 
user 'Commers Health' in passdb file. : 1 Time(s)
auth/auth_winbind.c:check_winbind_security(80)  check_winbind_security: Not 
using winbind, requested domain [NLCOM-NL] was for this SAM. : 1 Time(s)
lib/interface.c:add_interface(79)  added interface ip=172.16.20.1 
bcast=172.16.20.255 nmask=255.255.255.0 : 2 Time(s)
lib/interface.c:add_interface(79)  added interface ip=172.17.6.3 
bcast=172.17.255.255 nmask=255.255.0.0 : 2 Time(s)
lib/interface.c:add_interface(79)  added interface ip=192.168.184.1 
bcast=192.168.184.255 nmask=255.255.255.0 : 2 Time(s)
lib/smbldap.c:smbldap_connect_system(804)  ldap_connect_system: succesful 
connection to the LDAP server : 125 Time(s)
lib/smbldap.c:smbldap_connect_system(804)  ldap_connect_system: succesful 
connection to the LDAP server  smbldap_open_connection: connection opened : 
1 Time(s)
lib/smbldap.c:smbldap_open_connection(638) : 1 Time(s)
lib/smbldap.c:smbldap_open_connection(638)  smbldap_open_connection: 
connection opened : 125 Time(s)
lib/smbldap.c:smbldap_search_domain_info(1319)  Searching 
for:[(&(objectClass=sambaDomain)(sambaDomainName=NLCOM-NL))] : 126 Time(s)
lib/sysquotas.c:sys_get_quota(413)  sys_get_vfs_quota() failed for 
mntpath[/work] bdev[/dev/sda1] qtype[2] id[1007]: Invalid argument : 1 
Time(s)
lib/sysquotas.c:sys_get_quota(413)  sys_get_vfs_quota() failed for 
mntpath[/work] bdev[/dev/sda1] qtype[4] id[513]: Invalid argument : 1 
Time(s)
lib/util_seaccess.c:se_access_check(251) : 38 Time(s)
lib/util_seaccess.c:se_access_check(252)  se_access_check: user sid is 
S-1-5-21-1415303871-1163983296-3890754924-3014  se_access_check: also 
S-1-5-21-1415303871-1163983296-3890754924-2027  se_access_check: also 
S-1-1-0  se_access_check: also S-1-5-2  se_access_check: also S-1-5-11 
se_access_check: also S-1-5-21-1415303871-1163983296-3890754924-512 
se_access_check: also S-1-5-21-1415303871-1163983296-3890754924-513 
se_access_check: also S-1-5-21-1415303871-1163983296-3890754924-2089 
se_access_check: also S-1-5-21-1415303871-1163983296-3890754924-3001 : 6 
Time(s)
lib/util_seaccess.c:se_access_check(252)  se_access_check: user sid is 
S-1-5-21-1415303871-1163983296-3890754924-501  se_access_check: also 
S-1-5-21-1415303871-1163983296-3890754924-514  se_access_check: also S-1-1-0 
se_access_check: also S-1-5-2  se_access_check: also S-1-5-32-546 
se_access_check: also S-1-5-21-1415303871-1163983296-3890754924-1199 : 32 
Time(s)
lib/util_sock.c:get_peer_addr(1000)  getpeername failed. Error was Transport 
endpoint is not connected : 23 Time(s)
lib/util_sock.c:send_smb(647) : 1 Time(s)
lib/util_sock.c:write_socket_data(430) : 1 Time(s)
libsmb/ntlmssp.c:debug_ntlmssp_flags(62)  Got NTLMSSP neg_flags=0x60088215 : 
15 Time(s)
libsmb/ntlmssp.c:debug_ntlmssp_flags(62)  Got NTLMSSP neg_flags=0xe2088297 : 
66 Time(s)
libsmb/ntlmssp.c:ntlmssp_server_auth(615)  Got user=[Commers Health] 
domain=[COMMERS2] workstation=[COMMERS2] len1=24 len2=24 : 1 Time(s)
libsmb/ntlmssp.c:ntlmssp_server_auth(615)  Got user=[] domain=[] 
workstation=[CGOES-PC] len1=1 len2=0 : 11 Time(s)
libsmb/ntlmssp.c:ntlmssp_server_auth(615)  Got user=[] domain=[] 
workstation=[CM182760-A] len1=1 len2=0 : 42 Time(s)
.
.
.
.
.
 ---------------------- samba End ------------------------- 


 --------------------- SSHD Begin ------------------------ 


Users logging in through sshd:
   root logged in from host216.intra.nlcom.nl (172.17.6.216) using 
publickey: 1 Time(s)

 ---------------------- SSHD End ------------------------- 



------------------ Disk Space --------------------

Filesystem            Size  Used Avail Use% Mounted on
/dev/LVM1/Volume1      72G  9.0G   59G  14% /
/dev/hda1              99M   25M   69M  27% /boot
none                  756M     0  756M   0% /dev/shm
/dev/sda1              74G   56G   15G  80% /work

and so on


Maybe this can help you?

Greetz Bart


----- Original Message ----- 
From: "Robert Schetterer" <robert at schetterer.org>
To: "Rodrigo Noroaldo de Castro Fernandes" <r.fernandes at darumaorga.com.br>
Cc: <samba at lists.samba.org>
Sent: Wednesday, January 12, 2005 11:04 PM
Subject: Re: [Samba] Samba log analyzer


> Hi Rodrigo,
> as far as I know there is no special tool alive for this job.
> Regards
>
> Rodrigo Noroaldo de Castro Fernandes wrote:
>
>> Dear all,
>>
>>     I would like to know if there are any programs to analyze the
>> SAMBA log, and if possible create some reports with statistics (logon,
>> file access, etc).
>>
>> Best Brazilian regards,
>>
>> Rodrigo
>
>


--------------------------------------------------------------------------------
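An added example, not part of the original thread and not LogWatch code: the entries LogWatch leaves under "Unmatched Entries" can be folded into the logon statistics asked about in the original question. The sketch below re-joins the wrapped report lines and tallies failed authentications, guest logons and NTLMSSP session attempts per workstation; the function name `summarize` and the `<anonymous>` label are this example's own choices.

```python
import re
from collections import Counter

# Sample entries copied from the LogWatch report in the post above,
# wrapped across lines the same way the mail wrapped them.
REPORT = """\
auth/auth.c:check_ntlm_password(268)  check_ntlm_password: guest
authentication for user [] succeeded : 15 Time(s)
auth/auth.c:check_ntlm_password(312)  check_ntlm_password:  Authentication
for user [Commers Health] -> [Commers Health] FAILED with error
NT_STATUS_NO_SUCH_USER : 1 Time(s)
lib/util_sock.c:send_smb(647) : 1 Time(s)
libsmb/ntlmssp.c:ntlmssp_server_auth(615)  Got user=[Commers Health]
domain=[COMMERS2] workstation=[COMMERS2] len1=24 len2=24 : 1 Time(s)
libsmb/ntlmssp.c:ntlmssp_server_auth(615)  Got user=[] domain=[]
workstation=[CGOES-PC] len1=1 len2=0 : 11 Time(s)
libsmb/ntlmssp.c:ntlmssp_server_auth(615)  Got user=[] domain=[]
workstation=[CM182760-A] len1=1 len2=0 : 42 Time(s)
"""

# One entry = "file.c:function(line)  message : N Time(s)"; the message may be empty.
ENTRY = re.compile(r"(\S+\.c):(\w+)\((\d+)\)\s*(.*?)\s*: (\d+) Time\(s\)")
FAILED = re.compile(r"Authentication for user \[(.*?)\] -> \[.*?\] FAILED with error (\S+)")
GUEST = re.compile(r"guest authentication for user \[.*?\] succeeded")
NTLMSSP = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")

def summarize(report):
    """Tally auth failures, guest logons and per-workstation session attempts."""
    flat = " ".join(report.split())  # undo the mail client's line wrapping
    failures, sessions = Counter(), Counter()
    guest_ok = 0
    for m in ENTRY.finditer(flat):
        msg, count = m.group(4), int(m.group(5))
        if f := FAILED.search(msg):
            failures[(f.group(1), f.group(2))] += count
        elif GUEST.search(msg):
            guest_ok += count
        elif n := NTLMSSP.search(msg):
            # An empty user name is an anonymous (null session) attempt.
            sessions[(n.group(3), n.group(1) or "<anonymous>")] += count
    return {"failures": failures, "guest_ok": guest_ok, "sessions": sessions}

if __name__ == "__main__":
    print(summarize(REPORT))
```

Entries that match none of the three patterns (interface, LDAP and quota messages, for instance) are skipped, so the same function can be fed the whole "samba" section of a report.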

