[Samba] tracking user activity - Active Directory

Gregory Carter gcarter at aesgi.com
Thu Mar 7 13:38:39 MST 2013


Under /var/log/samba in a typical distro you will find the log files for 
each IP address/workstation connected to the samba server.

You could then use egrep to go through the files and look for various 

A typical example would be:

egrep -in "gcarter|Mar 5" log*

The above example looks through all of the log files beginning with 
"log" and looks for the samba user name and date associated with the name.

If you are not capturing that sort of detail, depending on how you have 
your smbd process configured, you might be out of luck.

You can use the same technique on any log file, including email, if you 
are running an email/smtp/pop server, of course, for searching information.


On 03/07/2013 02:17 PM, Bob Miller wrote:
> Hello,
> Some mischief happened and I have been asked if I can find out who was
> logged into their computers within a specific off-hours time frame.  My
> logs for that time frame happened to be running at debug level 3, so I
> have been looking through them and trying to figure out how to recognize
> a workstation login.  I find lines beginning with
> auth_check_password_send that seem like reasonably good candidates, but
> I have a number of other services such as email authenticating against
> the AD, and it seems that is just as likely to describe a mail log in as
> it is a workstation login.  Is there a way, or some documentation that
> will explain how, to parse the log files and determine which
> workstations were actively in use and by which account?  Or are there
> any tools that will parse the log files and provide me such information?
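
The script below is an added example; it is not part of either message above and is not Samba's own tooling. It does what Gregory describes, scanning the per-client log files in a Samba log directory for one account's authentications inside an off-hours window (including a window that crosses midnight) and reporting which client file each hit came from. The sample log lines it writes are constructed for the demo and only approximate the debug-level-3 header format "[YYYY/MM/DD HH:MM:SS.usec, level] file:line(function)" followed by an indented detail line; the client names, account names and the exclusion pattern for known service hosts are assumptions. The point it illustrates for Bob's question is that with one log file per client (the usual `log file = .../log.%m` layout), the file name, not the auth function name in the line, is what separates a workstation login from a mail server authenticating against the same AD DC.

```shell
#!/bin/sh
# Added example (not from the original post): find one account's Samba
# authentications inside a time window, per client log file.

# make_sample_logs DIR
# Writes CONSTRUCTED log files in a "log.<client>" layout. The line shapes are
# an approximation of Samba debug-level-3 output, invented for this demo.
make_sample_logs() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/log.ws-finance01" <<'EOF'
[2013/03/05 22:14:03.120001,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [EXAMPLE]\[gcarter]@[WS-FINANCE01] with the new password interface
[2013/03/05 22:14:03.130002,  3] ../source3/auth/auth.c:256(auth_check_ntlm_password)
  check_ntlm_password: sam authentication for user [gcarter] succeeded
EOF
    cat > "$dir/log.ws-reception" <<'EOF'
[2013/03/05 09:02:41.000001,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [EXAMPLE]\[bmiller]@[WS-RECEPTION] with the new password interface
[2013/03/06 01:47:19.000009,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [EXAMPLE]\[gcarter]@[WS-RECEPTION] with the new password interface
EOF
    # A mail server authenticating against the DC produces the same function
    # name; only the client file it lands in tells it apart from a workstation.
    cat > "$dir/log.mail01" <<'EOF'
[2013/03/05 23:05:00.000003,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [EXAMPLE]\[gcarter]@[MAIL01] with the new password interface
EOF
}

# find_logins USER START END DIR [EXCLUDE_REGEX]
# Prints "client date time" for each second in which USER appears in a detail
# line whose preceding header timestamp falls in [START, END). START > END
# means the window crosses midnight (e.g. 22:00:00 06:00:00). EXCLUDE_REGEX
# drops clients by file name (known servers such as mail hosts).
find_logins() {
    user=$1; start=$2; end=$3; dir=$4; exclude=${5:-}
    ls "$dir"/log.* >/dev/null 2>&1 || return 1
    awk -v user="$user" -v start="$start" -v end="$end" -v exclude="$exclude" '
        FNR == 1 { date = ""; time = "" }
        # Header line: "[2013/03/05 22:14:03.120001,  3] file:line(function)"
        $1 ~ /^\[[0-9]+\/[0-9]+\/[0-9]+$/ {
            date = substr($1, 2)        # 2013/03/05
            time = substr($2, 1, 8)     # 22:14:03 (usec dropped)
            next
        }
        # Detail line following a header, naming the account as "[user]"
        date != "" && index($0, "[" user "]") > 0 {
            if (start <= end) hit = (time >= start && time < end)
            else              hit = (time >= start || time < end)
            if (!hit) next
            client = FILENAME; sub(/.*\/log\./, "", client)
            if (exclude != "" && client ~ exclude) next
            key = client SUBSEP date SUBSEP time
            if (!(key in seen)) { seen[key] = 1; print client, date, time }
        }
    ' "$dir"/log.*
}

# Stand-alone demo on the constructed logs.
demo=$(mktemp -d)
make_sample_logs "$demo"
echo "gcarter, 22:00-06:00, all clients:"
find_logins gcarter 22:00:00 06:00:00 "$demo"
echo "gcarter, 22:00-06:00, mail hosts excluded:"
find_logins gcarter 22:00:00 06:00:00 "$demo" '^mail'
rm -rf "$demo"
```

Running it on a real server means pointing `find_logins` at the actual log directory and tuning the exclusion regex to the hosts known to authenticate as services; the string match on `[user]` is deliberately loose so it catches both the "Checking password" and the "succeeded" lines, which the per-second key then collapses into one event.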
