[Samba] Internal DNS logging

Giuseppe Cesa Bianchi gcesab at gmail.com
Fri Jan 19 09:15:46 UTC 2018


Thanks again Denis,

I will follow your tips and sure I'll move to 4.7.4 after I solve this 
problem

Giuseppe


On 1/19/2018 10:01 AM, Denis Cardon wrote:
> Hi Giuseppe,
>
>>
>> I was looking for the option 'dns:x' in the wiki but I didn't find it.
>> Now it works.
>>
>> I used
>>
>>    log level = 3 auth:3  dns:0
>>
>> auth_audit:3 gives me unknown class message
>
> it must be only available in 4.7. The last increment 4.7.4 is 
> production ready (we've got it deployed on dozens of DCs) and has many 
> nice improvements over 4.6. You should consider upgrading, at least 
> for domain controllers.
>
>> But where I can find a complete list of classes for log level?
>
> you can run any samba-tool command with debug level 9 and it will 
> start by listing all the logging classes. For example
>
> # samba-tool fsmo show -d9
> INFO: Current debug levels:
>   all: 9
>   tdb: 9
>   printdrivers: 9
>   lanman: 9
>   smb: 9
>   rpc_parse: 9
>   rpc_srv: 9
>   rpc_cli: 9
>   passdb: 9
>   sam: 9
>   auth: 9
>   winbind: 9
>   vfs: 9
>   idmap: 9
>   quota: 9
>   acls: 9
>   locking: 9
>   msdfs: 9
>   dmapi: 9
>   registry: 9
>   scavenger: 9
>   dns: 9
>   ldb: 9
>   tevent: 9
>   auth_audit: 9
>   auth_json_audit: 9
>   kerberos: 9
>   drs_repl: 9
>
>>
>> I'll also give a try on the last version of samba with json.
>
> Json logs are much easier to parse if you need to pipe them into a 
> SIEM or similar.
>
> Cheers,
>
> Denis
>
>>
>> Thanks again
>>
>> Giuseppe
>>
>>
>>
>> On 1/18/2018 4:52 PM, Denis Cardon wrote:
>>> Hi Giuseppe,
>>>
>>> please, stay on the list.
>>>
>>> Le 01/18/2018 à 04:32 PM, Giuseppe Cesa Bianchi a écrit :
>>>> Thank you for your reply but users logon are already logged on 
>>>> log.samba
>>>> (I think when kerberos authenticate it).
>>>>
>>>> My problem is the hundreds of line written by DNS on log, even at log
>>>> level 1. I'm asking if I can do something to stop it.
>>>
>>> In smb.conf, try:
>>>
>>>    log level = 1 auth_audit:3  dns:0
>>>
>>> or in samba 4.7.4
>>>    log level = 1 auth_json_audit:3 dns:0
>>>
>>> Denis
>>>
>>>>
>>>> Thanks anyway
>>>>
>>>> Giuseppe
>>>>
>>>>
>>>> On 1/18/2018 3:40 PM, Denis Cardon wrote:
>>>>> Hi Giuseppe,
>>>>>
>>>>>> I have two Samba domain controllers version 4.6.4 on Centos 7.3.
>>>>>>
>>>>>> I need to log every login/logout from windows PCs and I read on the
>>>>>> wiki
>>>>>> that I have to set log level >=3, this works.
>>>>>>
>>>>>> The problem is that my log.samba is filled by internal DNS messages,
>>>>>> most of them about forwarding.
>>>>>>
>>>>>> in my smb.conf:
>>>>>>
>>>>>>         log level = 3 auth:10
>>>>>>         vfs objects = full_audit
>>>>>>
>>>>>> I googled around but I cannot find anything to avoid this.
>>>>>
>>>>> For login, you should upgrade your server to Samba 4.7.4 and add json
>>>>> auth logging with the auth_json_audit parameter [1].
>>>>>
>>>>> For logout, it won't be really possible to have a definitive
>>>>> information from the AD point of view. But you can probably script
>>>>> something on your desktop and send it back to the server (if the
>>>>> network connection is still up...)
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Denis
>>>>>
>>>>> [1] https://wiki.samba.org/index.php/Setting_up_Audit_Logging
>>>>>
>>>>>
>>>>>>
>>>>>> Please help me!
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>




More information about the samba mailing list