[Samba] Export authentication & authorisation logs to Windows Event Viewer
abartlet at samba.org
Sat Jan 6 08:42:09 UTC 2018
On Sat, 2018-01-06 at 14:05 +0530, Anantha Raghava wrote:
> Hello Andrew,
> Thanks for quick response.
> The requirement here is, we are deploying a Smokescreen IllusionBLACK appliance for cyber security (Deception technology, unfortunately this appliance is built on Windows), and Active Directory Decoys are created. A task is created in the appliance that can read the AD event viewer and notify on login pass or fail. Attached is the schematic for your information.
> You can get more details from https://www.smokescreen.io/IllusionBLACK/ and you can also setup your demo.
> Unfortunately, this cannot read either syslog or JSON format. We even checked, if we, using some script, can write these logs into a text file on a Windows Server, whether it can read, but the answer is a Big NO. It uses the PowerShell to read the Windows Events and notifies when a specific event occurs.
> For now, older eventlog format is good, not sure about future.
Very interesting. Does it connect and just see no events, or does it
fail to connect? Have you tried injecting a fake event as directed by
that wiki page and see if it works? (It would be a much simpler task
to extend the audit code if that were the case, or you could even write
the transformation tool).
Naturally I'll follow up with them about a demo.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba