[Samba] eventlog functionality

Andrew Bartlett abartlet at samba.org
Tue Sep 11 01:02:32 UTC 2018


On Mon, 2018-09-10 at 21:26 +0000, ray klassen via samba wrote:
> we have recently purchased a security appliance that wants to poll
> the DC's for login info (ipaddress:logged-in-user) to give more
> granular access to internet resources
> this seems possible with samba 4.8.4
> 
> my smb.conf
> 
>     log level = 1 auth_audit:3
>     eventlog list = Application System Security SyslogLinux
> 
> 
> It doesn't look like audit events are ending up in
> /usr/local/samba/var/locks/eventlog/security.tdb
> which where they might go.
> I certainly am seeing lots of login audit info in log.samba, so
> that's working. 

Currently this isn't connected up.  And even if it were, a recent study
of similar appliances showed that they were not using the old NT4
eventlog, but WMI over DCOM to access the logs, both of which we don't
support.

https://wiki.samba.org/index.php/Event_Logging#Future_Support_for_third_party_clients

If you can work out which protocol your particular appliance is
connecting to AD with (you might need to try against windows and watch
with wireshark), we can at least tell you on a scale of 'hard, very
hard, extremely hard' it would be to add.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba






More information about the samba mailing list