[Samba] tracking user activity - Active Directory

Bob Miller bob at computerisms.ca
Thu Mar 7 16:10:53 MST 2013


Thanks Gregory,

I appreciate your answer, but this isn't quite what I am looking for.

I am using samba4 compiled from source, and I am using daemontools to
run it, so all the logs are being captured on stdout and dumped into a
file, but I understand your point about where the logs are and how to
search them.

What I am looking for might be better described like so:

grep "Mar 5" sambalogfile | grep <string showing a workstation was
logged into>

Note that I am not looking to see if a specific user logged in during a
specific time, but for all users that performed a login during a
specific time.

Also, because I have multiple services authenticating against this
active directory, how do I tell the difference between a user logging
into a workstation and a user logging into webmail (and being
authenticated by Active Directory) from outside the organization?

-- 
Computerisms
Bob Miller      
867-334-7117 / 867-633-3760
http://computerisms.ca


On Thu, 2013-03-07 at 14:38 -0600, Gregory Carter wrote:
> Yes.
> 
> Under /var/log/samba in a typical distro you will find the log files for 
> each IP address/workstation connected to the samba server.
> 
> You could then use egrep to go through the files and look for various 
> logins.
> 
> A typical example would be:
> 
> egrep -in "gcarter|Mar 5" log*
> 
> The above example looks through all of the log files beginning with 
> "log" and looks for the samba user name and date associated with the name.
> 
> If you are not capturing that sort of detail, depending on how you have 
> your smbd process configured, you might be out of luck.
> 
> You can use the same technique on any log file including Email if you 
> are running an email/smtp/pop server of course for searching information.
> 
> -gc
> 
> On 03/07/2013 02:17 PM, Bob Miller wrote:
> > Hello,
> >
> > Some mischief happened and I have been asked if I can find out who was
> > logged into their computers within a specific off-hours time frame.  My
> > logs for that time frame happened to be running at debug level 3, so I
> > have been looking through them and trying to figure out how to recognize
> > a workstation login.  I find lines beginning with
> > auth_check_password_send that seem like reasonably good candidates, but
> > I have a number of other services such as email authenticating against
> > the AD, and it seems that is just as likely to describe a mail log in as
> > it is a workstation login.  Is there a way, or some documentation that
> > will explain how, to parse the log files and determine which
> > workstations were actively in use and by which account?  Or are there
> > any tools that will parse the log files and provide me such information?
> >
> 
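As an added example (not from this thread and not Samba's own code), the kind of pass Bob describes, written in Python over a constructed sample: it keeps only the auth_check_password_send lines that fall inside an off-hours window and lists the accounts seen per reported workstation name, so that entries arriving through a host that authenticates on behalf of another service can be set aside by name. The timestamp prefix, the [DOMAIN]\[user]@[WORKSTATION] layout and all names are assumptions; the regex must be adjusted to the real debug-level-3 output before use.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of captured samba output. The timestamp prefix and the
# [DOMAIN]\[user]@[WORKSTATION] layout are ASSUMED for illustration only;
# adjust LINE_RE to match the real debug-level-3 lines before relying on it.
SAMPLE_LOG = """\
2013-03-05 02:14:07 auth_check_password_send: Checking password for user [EXAMPLE]\\[alice]@[WS-ACCT1]
2013-03-05 02:15:40 auth_check_password_send: Checking password for user [EXAMPLE]\\[bob]@[MAILSRV]
2013-03-05 02:22:13 auth_check_password_send: Checking password for user [EXAMPLE]\\[carol]@[WS-FIN3]
2013-03-05 02:30:00 auth_check_password_send: Checking password for user [EXAMPLE]\\[alice]@[WS-ACCT1]
2013-03-05 02:31:45 some unrelated debug output
2013-03-05 09:01:02 auth_check_password_send: Checking password for user [EXAMPLE]\\[dave]@[WS-ACCT1]
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"auth_check_password_send: .*?"
    r"\[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<ws>[^\]]*)\]"
)


def logins_in_window(log_text, start, end, exclude_workstations=()):
    """Return {workstation: sorted accounts} for auth checks with
    start <= timestamp < end (both given as 'YYYY-MM-DD HH:MM:SS').
    Workstation names in exclude_workstations (e.g. the name a mail
    server authenticates under) are dropped from the result."""
    t0, t1 = datetime.strptime(start, TS_FMT), datetime.strptime(end, TS_FMT)
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth check line; ignore it
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        if not (t0 <= ts < t1) or m.group("ws") in exclude_workstations:
            continue
        seen[m.group("ws")].add(m.group("user"))
    return {ws: sorted(users) for ws, users in seen.items()}


if __name__ == "__main__":
    result = logins_in_window(SAMPLE_LOG, "2013-03-05 00:00:00",
                              "2013-03-05 06:00:00", {"MAILSRV"})
    for ws, users in sorted(result.items()):
        print(f"{ws}: {', '.join(users)}")
```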