[Samba] Internal DNS logging
Giuseppe Cesa Bianchi
gcesab at gmail.com
Fri Jan 19 09:15:46 UTC 2018
Thanks again Denis,
I will follow your tips and sure I'll move to 4.7.4 after I solve this
problem
Giuseppe
On 1/19/2018 10:01 AM, Denis Cardon wrote:
> Hi Giuseppe,
>
>>
>> I was looking for the option 'dns:x' in the wiki but I didn't find it.
>> Now it works.
>>
>> I used
>>
>> log level = 3 auth:3 dns:0
>>
>> auth_audit:3 gives me unknown class message
>
> it must be only available in 4.7. The last increment 4.7.4 is
> production ready (we've got it deployed on dozens of DCs) and has many
> nice improvements over 4.6. You should consider upgrading, at least
> for domain controllers.
>
>> But where I can find a complete list of classes for log level?
>
> you can run any samba-tool command with debug level 9 and it will
> start by listing all the logging classes. For example
>
> # samba-tool fsmo show -d9
> INFO: Current debug levels:
> all: 9
> tdb: 9
> printdrivers: 9
> lanman: 9
> smb: 9
> rpc_parse: 9
> rpc_srv: 9
> rpc_cli: 9
> passdb: 9
> sam: 9
> auth: 9
> winbind: 9
> vfs: 9
> idmap: 9
> quota: 9
> acls: 9
> locking: 9
> msdfs: 9
> dmapi: 9
> registry: 9
> scavenger: 9
> dns: 9
> ldb: 9
> tevent: 9
> auth_audit: 9
> auth_json_audit: 9
> kerberos: 9
> drs_repl: 9
>
>>
>> I'll also give a try on the last version of samba with json.
>
> Json logs are much easier to parse if you need to pipe them into a
> SIEM or similar.
>
> Cheers,
>
> Denis
>
>>
>> Thanks again
>>
>> Giuseppe
>>
>>
>>
>> On 1/18/2018 4:52 PM, Denis Cardon wrote:
>>> Hi Giuseppe,
>>>
>>> please, stay on the list.
>>>
>>> Le 01/18/2018 à 04:32 PM, Giuseppe Cesa Bianchi a écrit :
>>>> Thank you for your reply but users logon are already logged on
>>>> log.samba
>>>> (I think when kerberos authenticate it).
>>>>
>>>> My problem is the hundreds of line written by DNS on log, even at log
>>>> level 1. I'm asking if I can do something to stop it.
>>>
>>> In smb.conf, try:
>>>
>>> log level = 1 auth_audit:3 dns:0
>>>
>>> or in samba 4.7.4
>>> log level = 1 auth_json_audit:3 dns:0
>>>
>>> Denis
>>>
>>>>
>>>> Thanks anyway
>>>>
>>>> Giuseppe
>>>>
>>>>
>>>> On 1/18/2018 3:40 PM, Denis Cardon wrote:
>>>>> Hi Giuseppe,
>>>>>
>>>>>> I have two Samba domain controllers version 4.6.4 on Centos 7.3.
>>>>>>
>>>>>> I need to log every login/logout from windows PCs and I read on the
>>>>>> wiki
>>>>>> that I have to set log level >=3, this works.
>>>>>>
>>>>>> The problem is that my log.samba is filled by internal DNS messages,
>>>>>> most of them about forwarding.
>>>>>>
>>>>>> in my smb.conf:
>>>>>>
>>>>>> log level = 3 auth:10
>>>>>> vfs objects = full_audit
>>>>>>
>>>>>> I googled around but I cannot find anything to avoid this.
>>>>>
>>>>> For login, you should upgrade your server to Samba 4.7.4 and add json
>>>>> auth logging with the auth_json_audit parameter [1].
>>>>>
>>>>> For logout, it won't be really possible to have a definitive
>>>>> information from the AD point of view. But you can probably script
>>>>> something on your desktop and send it back to the server (if the
>>>>> network connection is still up...)
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Denis
>>>>>
>>>>> [1] https://wiki.samba.org/index.php/Setting_up_Audit_Logging
>>>>>
>>>>>
>>>>>>
>>>>>> Please help me!
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
More information about the samba
mailing list