[Samba] Export authentication & authorisation logs to Windows Event Viewer

Anantha Raghava raghav at exzatechconsulting.com
Mon Jan 8 02:52:05 UTC 2018

Hello Andrew,

The appliance can connect, but cannot see the events.

I did attempt the procedure given in the wiki, but could not get the dll 
part going.


Thanks & Regards,

Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.

On 06/01/18 2:12 PM, Andrew Bartlett wrote:
> On Sat, 2018-01-06 at 14:05 +0530, Anantha Raghava wrote:
>> Hello Andrew,
>> Thanks for quick response.
>> The requirement here is, we are deploying a Smokescreen IllusionBLACK appliance for cyber security(Deception technology, unfortunately this appliance is built on Windows), and Active Directory Decoys are created. A task is created in the appliance that can read the AD evernt viewer and notify on login pass or fail. Attached is the schematic for your information.
>> You can get more details from https://www.smokescreen.io/IllusionBLACK/ and you can also setup your demo.
>> Unfortunately, this cannot read either syslog or JSON format. We even checked, if we, using some script, can write these logs into a text file on a Windows Server, whether it can read, but the answer is a Big NO. It uses the PowerShell to read the Windows Events and notifies when a specific event occurs.
>> For now, older eventlog format is good, not sure about future.
> Very interesting.  Does it connect and just see no events, or does it
> fail to connect?  Have you tried injecting a fake event as directed by
> that wiki page and see if it works?  (It would be a much simpler task
> to extend the audit code if that were the case, or you could even write
> the transformation tool).
> Naturally I'll follow up with them about a demo.
> Thanks,
> Andrew Bartlett

More information about the samba mailing list