[Samba] tracking user activity - Active Directory

Bob Miller bob at computerisms.ca
Thu Mar 7 13:17:40 MST 2013


Some mischief happened and I have been asked if I can find out who was
logged into their computers within a specific off-hours time frame.  My
logs for that time frame happened to be running at debug level 3, so I
have been looking through them and trying to figure out how to recognize
a workstation login.  I find lines beginning with
auth_check_password_send that seem like reasonably good candidates, but
I have a number of other services such as email authenticating against
the AD, and it seems that is just as likely to describe a mail login as
it is a workstation login.  Is there a way, or some documentation that
will explain how, to parse the log files and determine which
workstations were actively in use and by which account?  Or are there
any tools that will parse the log files and provide me such information?

Bob Miller      
867-334-7117 / 867-633-3760
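
Added example, not part of the original message and not Samba project code: a sketch of the log triage the post asks about, pulling `auth_check_password_send` entries inside a time window and grouping them by account and client-reported workstation name. The two-line entry layout (timestamp header, then a message carrying `[DOMAIN]\[account]@[WORKSTATION]`) and every sample value are assumptions; check them against your own level 3 log before relying on the patterns.

```python
import re
from datetime import datetime

# Assumed layout: a "[date time.usec, level] file(function)" header line,
# followed by an indented message line with [DOMAIN]\[account]@[WORKSTATION].
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*\d+\]")
AUTH = re.compile(r"auth_check_password_send: .*?\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")

# Constructed sample lines, not real log data.
SAMPLE_LOG = r"""[2013/03/05 02:14:07.512345,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[alice]@[WS-FRONTDESK]
[2013/03/05 02:20:00.000001,  3] ../lib/util/example.c:10(unrelated_function)
  some unrelated message that must be skipped
[2013/03/05 02:40:00.100000,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[Alice]@[ws-frontdesk]
[2013/03/05 03:00:00.200000,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[bob]@[MAIL01]
[2013/03/05 09:30:00.300000,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[carol]@[WS-LAB]
"""

def parse_auth_events(lines):
    """Yield (timestamp, domain, account, workstation) for each matching entry."""
    ts = None
    for line in lines:
        header = HEADER.match(line)
        if header:  # remember the timestamp for the message line that follows
            ts = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        match = AUTH.search(line)
        if match and ts is not None:
            yield (ts, *match.groups())

def activity_in_window(lines, start, end):
    """Map (account, workstation) -> [first_seen, last_seen, matching_lines]."""
    seen = {}
    for ts, _domain, account, workstation in parse_auth_events(lines):
        if not (start <= ts <= end):
            continue
        # Names are case-insensitive in AD, so normalise before grouping.
        entry = seen.setdefault((account.lower(), workstation.upper()), [ts, ts, 0])
        entry[0], entry[1] = min(entry[0], ts), max(entry[1], ts)
        entry[2] += 1
    return seen

if __name__ == "__main__":
    window = (datetime(2013, 3, 5, 0, 0), datetime(2013, 3, 5, 6, 0))
    hits = activity_in_window(SAMPLE_LOG.splitlines(), *window)
    for (acct, ws), (first, last, n) in sorted(hits.items()):
        print(f"{acct:10} {ws:15} first={first} last={last} lines={n}")
```

The workstation field is whatever name the client supplied, so the grouping shows which hosts the authentications came from but does not by itself prove an interactive desktop login.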
