[Samba] tracking user activity - Active Directory

Thomas Simmons twsnnva at gmail.com
Thu Mar 7 16:44:57 MST 2013


FYI - you may want to add something like 'log file =
/tmp/samba/%m.samba.log' to your smb.conf. This way samba will create
individual log files for each system.

On Thu, Mar 7, 2013 at 6:32 PM, Thomas Simmons <twsnnva at gmail.com> wrote:

> Have you tried something like tail -f log.samba > tmp.log.samba
> and immediately logging into workstation to see exactly how it gets logged?
> If your server is processing a lot of requests you may have a bunch of
> lines to dig through, but I think it would be much easier than a complete
> log file.
>
>
> On Thu, Mar 7, 2013 at 6:10 PM, Bob Miller <bob at computerisms.ca> wrote:
>
>> Thanks Gregory,
>>
>> I appreciate your answer, but this isn't quite what I am looking for.
>>
>> I am using samba4 compiled from source, and I am using daemontools to
>> run it, so all the logs are being captured on stdout and dumped into a
>> file, but I understand your point about where the logs are and how to
>> search them.
>>
>> What I am looking for might be better described like so:
>>
>> grep "Mar 5" sambalogfile | grep <string showing a workstation was
>> logged into>
>>
>> Note that I am not looking to see if a specific user logged in during a
>> specific time, but for all users that performed a login during a
>> specific time.
>>
>> Also, because I have multiple services authenticating against this
>> active directory, how do I tell the difference between a user logging
>> into a workstation and a user logging into webmail (and being
>> authenticated by Active Directory) from outside the organization?
>>
>> --
>> Computerisms
>> Bob Miller
>> 867-334-7117 / 867-633-3760
>> http://computerisms.ca
>>
>>
>> On Thu, 2013-03-07 at 14:38 -0600, Gregory Carter wrote:
>> > Yes.
>> >
>> > Under /var/log/samba in a typical distro you will find the log files for
>> > each IP address/workstation connected to the samba server.
>> >
>> > You could then use egrep to go through the files and look for various
>> > logins.
>> >
>> > A typical example would be:
>> >
>> > egrep -in "gcarter|Mar 5" log*
>> >
>> > The above example looks through all of the log files beginning with
>> > "log" and looks for the samba user name and date associated with the
>> > name.
>> >
>> > If you are not capturing that sort of detail, depending on how you have
>> > your smbd process configured, you might be out of luck.
>> >
>> > You can use the same technique on any log file including Email if you
>> > are running an email/smtp/pop server of course for searching information.
>> >
>> > -gc
>> >
>> > On 03/07/2013 02:17 PM, Bob Miller wrote:
>> > > Hello,
>> > >
>> > > Some mischief happened and I have been asked if I can find out who was
>> > > logged into their computers within a specific off-hours time frame.  My
>> > > logs for that time frame happened to be running at debug level 3, so I
>> > > have been looking through them and trying to figure out how to recognize
>> > > a workstation login.  I find lines beginning with
>> > > auth_check_password_send that seem like reasonably good candidates, but
>> > > I have a number of other services such as email authenticating against
>> > > the AD, and it seems that is just as likely to describe a mail log in as
>> > > it is a workstation login.  Is there a way, or some documentation that
>> > > will explain how, to parse the log files and determine which
>> > > workstations were actively in use and by which account?  Or are there
>> > > any tools that will parse the log files and provide me such information?
>> > >
>> >
>>
>
>
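
An added example, not part of the original thread: a shell function that lists every auth_check_password_send entry inside a time window, with the account and workstation field, instead of searching for one user at a time. The header-plus-message log layout, the sample lines and the names sample_log and logins_in_window are assumptions; adjust the patterns to your own log.

```shell
# Constructed sample log, not real data. Assumed layout: a header line
# "[YYYY/MM/DD HH:MM:SS.usec, level] file(function)" followed by an
# indented message line. Adjust the patterns to match your own log.
sample_log() {
cat <<'EOF'
[2013/03/05 17:02:11.101010,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[alice]@[WS-FRONT01]
[2013/03/05 23:14:02.202020,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[bob]@[WS-LAB07]
[2013/03/05 23:15:40.303030,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - example
[2013/03/06 02:41:57.404040,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[carol]@[MAILHOST]
[2013/03/06 08:30:00.505050,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[alice]@[WS-FRONT01]
EOF
}

# logins_in_window START END   (log is read from stdin)
# START and END are "YYYY/MM/DD HH:MM:SS"; that format sorts as plain
# text, so string comparison is enough to test the window.
logins_in_window() {
    awk -v start="$1" -v end="$2" '
        # Header line: remember its timestamp and whether it qualifies.
        /^\[[0-9][0-9][0-9][0-9]\// {
            ts = substr($0, 2, 19)
            want = (index($0, "(auth_check_password_send)") > 0 &&
                    ts >= start && ts <= end)
            next
        }
        # Message line of a qualifying entry: pull out the bracketed fields.
        want && /Checking password for/ {
            n = split($0, f, /\[|\]/)
            if (n >= 6) print ts, f[2] "\\" f[4], f[6]
            want = 0
        }
    '
}

# Everyone who authenticated between 18:00 on Mar 5 and 06:00 on Mar 6.
sample_log | logins_in_window "2013/03/05 18:00:00" "2013/03/06 06:00:00"
```

The last column is the workstation name as sent by the client, so treat it as a hint for grouping entries and not as proof of which machine was used.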

