Setting up Audit Logging

From SambaWiki

Introduction

Samba 4.7 and later supports logging of authentication and authorization events, and Samba 4.9 and later supports logging of AD DC database changes. This enables you to log, for example, failed authentication requests or password resets.

Audit logging is a local setting and you must enable this feature on each Samba server individually. Events are logged on the Samba server the event was performed on. To store all logs on a centralized server, set up a centralized syslog server, configure Samba to log to the syslog daemon, and configure the syslog daemon to send the logs to the centralized server. For details, see:

  • The logging, syslog, and syslog only parameter descriptions in the smb.conf(5) man page
  • The documentation of your syslog daemon

Additionally, you can use utilities such as Fail2Ban to monitor the log files and block a client address after successive failed logins. For details about setting up these utilities, see their corresponding documentation.


The Difference Between Authentication and Authorization

Authentication
Authentication happens when Samba verifies a user's credentials, for example a user name and password combination.
Authorization
Authorization happens when a session starts, for example when opening a distributed computing environment / remote procedure call (DCE/RPC) pipe, when a session setup on the server message block (SMB) protocol completes, or when a simple authentication and security layer (SASL) bind on LDAP finishes.


Authentication and Authorization Examples

The following examples explain when Samba logs an authentication event and when it logs an authorization event. Note that this is not a complete list.

  • The Kerberos key distribution center (KDC) on an Active Directory (AD) domain controller (DC) logs an authentication event when a user logs into the domain.
    In a multi-DC environment, an authentication request is only logged on the DC that received the request.
  • If you connect to a share on a domain member:
    • The domain member logs an authorization event.
    • When using Kerberos authentication, the KDC on the Samba DC logs the authentication event. The KDC, not the domain member, is responsible for authentication, so Samba on an AD domain member cannot log that event.
    • When using NT LAN Manager (NTLM) authentication, the domain member logs the authentication event.

Logging Formats

The audit log feature supports the standard and JSON format. You can enable each format individually or both together using the different log debug classes.


Standard Log Format

Audit logging using the standard log format is automatically supported in Samba and does not require additional libraries.

The following example shows a log entry for a successful authorization (AuthZ) event on a Samba DC using the standard log format (the 4 in the header is the debug level at which auth_audit logs authorization events):

[2017/07/04 21:07:41.410381,  4, pid=21757] ../auth/auth_log.c:848(log_successful_authz_event_human_readable)
  Successful AuthZ: [SMB2,krb5] user [SAMDOM]\[Administrator] [S-1-5-21-469703510-2364959079-1506205053-500] at [Di, 04 Jul 2017 21:07:41.410364 CEST] Remote host [ipv4:10.99.0.81:58828] local host [ipv4:10.99.0.1:445]


Logging in JSON Format

If the jansson library was installed on the system where you build Samba, JSON support is automatically built into Samba.

The following example shows the same successful authorization event on a Samba DC using the JSON format; note the "type" field, which is "Authorization" here and "Authentication" for authentication events:

[2017/07/04 21:07:41.410434,  4, pid=21757] ../auth/auth_log.c:220(log_json)
  {"type": "Authorization", "timestamp": "2017-07-04T21:07:41.410408+0200", "Authorization": {"version": {"major": 1, "minor": 0}, "sid": "S-1-5-21-469703510-2364959079-1506205053-500", "serviceDescription": "SMB2", "localAddress": "ipv4:10.99.0.1:445", "remoteAddress": "ipv4:10.99.0.81:58828", "transportProtection": "SMB", "authType": "krb5", "domain": "SAMDOM", "account": "Administrator", "logonServer": "DC1", "accountFlags": "0x00000210"}}
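
The following parser is an added example (not code from the Samba project or this page) that shows how to consume these JSON records: it pairs each debug header with the JSON line that follows it, skips standard-format entries, and then runs the kind of failed-logon check that the Fail2Ban setup mentioned in the introduction performs. The sample log is constructed for this example: its Authorization record is the one shown above, the Authentication records are made up following the version 1.0 field layout, and the threshold and window are arbitrary.

```python
"""Parse Samba JSON audit records and flag bursts of failed logons per client address.

Added example, not code from the Samba project or this page. Field names are those of
Samba's "Authentication"/"Authorization" JSON records (version 1.0). SAMPLE_LOG is
constructed: the Authorization record is the one on this page, the rest are made up;
the threshold and window are arbitrary.
"""
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Samba debug header: "[YYYY/MM/DD hh:mm:ss.uuuuuu, <level>, pid=<pid>...] file:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)(?:,\s*pid=(?P<pid>\d+))?[^\]]*\]\s*(?P<src>\S*)"
)

SAMPLE_LOG = r"""
[2017/07/04 21:07:41.410381,  4, pid=21757] ../auth/auth_log.c:848(log_successful_authz_event_human_readable)
  Successful AuthZ: [SMB2,krb5] user [SAMDOM]\[Administrator] [S-1-5-21-469703510-2364959079-1506205053-500] at [Di, 04 Jul 2017 21:07:41.410364 CEST] Remote host [ipv4:10.99.0.81:58828] local host [ipv4:10.99.0.1:445]
[2017/07/04 21:07:41.410434,  4, pid=21757] ../auth/auth_log.c:220(log_json)
  {"type": "Authorization", "timestamp": "2017-07-04T21:07:41.410408+0200", "Authorization": {"version": {"major": 1, "minor": 0}, "sid": "S-1-5-21-469703510-2364959079-1506205053-500", "serviceDescription": "SMB2", "localAddress": "ipv4:10.99.0.1:445", "remoteAddress": "ipv4:10.99.0.81:58828", "transportProtection": "SMB", "authType": "krb5", "domain": "SAMDOM", "account": "Administrator", "logonServer": "DC1", "accountFlags": "0x00000210"}}
[2017/07/04 21:08:02.100000,  2, pid=21757] ../auth/auth_log.c:220(log_json)
  {"type": "Authentication", "timestamp": "2017-07-04T21:08:02.100000+0200", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.99.0.1:445", "remoteAddress": "ipv4:10.99.0.200:49152", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "SAMDOM", "clientAccount": "alice", "passwordType": "NTLMv2"}}
[2017/07/04 21:08:05.300000,  2, pid=21757] ../auth/auth_log.c:220(log_json)
  {"type": "Authentication", "timestamp": "2017-07-04T21:08:05.300000+0200", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.99.0.1:445", "remoteAddress": "ipv4:10.99.0.200:49153", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "SAMDOM", "clientAccount": "alice", "passwordType": "NTLMv2"}}
[2017/07/04 21:08:09.700000,  2, pid=21757] ../auth/auth_log.c:220(log_json)
  {"type": "Authentication", "timestamp": "2017-07-04T21:08:09.700000+0200", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.99.0.1:445", "remoteAddress": "ipv4:10.99.0.200:49154", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "SAMDOM", "clientAccount": "alice", "passwordType": "NTLMv2"}}
[2017/07/04 21:08:20.000000,  3, pid=21757] ../auth/auth_log.c:220(log_json)
  {"type": "Authentication", "timestamp": "2017-07-04T21:08:20.000000+0200", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.99.0.1:445", "remoteAddress": "ipv4:10.99.0.200:49155", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "SAMDOM", "clientAccount": "alice", "passwordType": "NTLMv2"}}
[2017/07/04 21:09:00.000000,  2, pid=21757] ../auth/auth_log.c:220(log_json)
  {"type": "Authentication", "timestamp": "2017-07-04T21:09:00.000000+0200", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.99.0.1:445", "remoteAddress": "ipv4:10.99.0.81:58900", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "SAMDOM", "clientAccount": "bob", "passwordType": "NTLMv2"}}
"""


def remote_ip(addr):
    """Reduce Samba's "ipv4:host:port" / "ipv6:host:port" address strings to the host."""
    _family, _, rest = addr.partition(":")
    return rest.rpartition(":")[0]


def parse_audit_log(text):
    """Return the JSON audit events in `text`; standard-format lines are skipped."""
    events, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()  # the record itself follows on the next line
            continue
        body = line.strip()
        if header is None or not body.startswith("{"):
            header = None  # e.g. a "Successful AuthZ: ..." standard-format line
            continue
        try:
            rec = json.loads(body)
            ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        except (json.JSONDecodeError, KeyError, ValueError):
            header = None
            continue
        kind = rec.get("type")
        events.append({
            "type": kind,
            "timestamp": ts,
            "level": int(header["level"]),
            "pid": int(header["pid"]) if header["pid"] else None,
            "source": header["src"],
            "body": rec.get(kind, {}),  # the "Authentication"/"Authorization" sub-object
        })
        header = None
    return events


def count_by_type(events):
    """Number of records per audit type, e.g. Counter({'Authentication': 5, 'Authorization': 1})."""
    return Counter(ev["type"] for ev in events)


def failed_auth_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map client IP -> most failed Authentication events seen inside any `window`,
    listing only IPs that reach `threshold` (what a Fail2Ban filter on these logs would ban)."""
    failures = defaultdict(list)
    for ev in events:
        if ev["type"] != "Authentication" or ev["body"].get("status") == "NT_STATUS_OK":
            continue
        failures[remote_ip(ev["body"].get("remoteAddress", ""))].append(ev["timestamp"])
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures that fell out of the window
                start += 1
            run = end - start + 1
            if run >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), run)
    return offenders


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    print(count_by_type(evs), failed_auth_bursts(evs))
```

Run as-is it reports five Authentication and one Authorization record and flags 10.99.0.200, which produced three wrong-password failures within a few seconds; the single failure from 10.99.0.81 stays below the threshold. The status check treats anything other than NT_STATUS_OK as a failure, so account-disabled or wrong-domain results count too, which is what you want for lockout-style detection.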


Verifying if JSON Support is Enabled in Samba

To verify whether Samba has been built with JSON support, enter:

# smbd -b | grep HAVE_JSON_OBJECT
HAVE_JSON_OBJECT

If no output is displayed, Samba was compiled without JSON support. To build Samba with JSON support, install the jansson header files and rebuild Samba. For details, see:

Interpreting JSON audit logs

See Interpreting JSON Audit Logs.

The Audit Logging Debug Classes

Samba logs different events depending on the log level. To limit the number of log entries, raise the log level only for the audit-related debug classes instead of the default level. For details, see Setting Individual Log Levels for Debug Classes.

You can use the following debug classes to control the audit log level independently from the default log level:

  • auth_audit: authentication and authorization events in the standard format. Level 2 logs failed authentications, level 3 additionally logs successful authentications, level 4 additionally logs authorization events, and level 5 additionally logs anonymous authorizations.
  • auth_json_audit: the same events in JSON format.
  • dsdb_audit: changes to the AD DC database in the standard format.
  • dsdb_json_audit: the same events in JSON format.
  • dsdb_password_audit: password changes and resets in the standard format.
  • dsdb_password_json_audit: the same events in JSON format.
  • dsdb_group_audit: group membership changes in the standard format.
  • dsdb_group_json_audit: the same events in JSON format.
  • dsdb_transaction_audit: database transactions, such as commits and roll backs, in the standard format.
  • dsdb_transaction_json_audit: the same events in JSON format.


Enabling Authentication Audit Logging

To set the default log level to 1 and enable logging of failed and successful authentication requests (audit level 3):

  • Set in the [global] section in the smb.conf file:
log level = 1 auth_audit:3 auth_json_audit:3
For further details, see the log level parameter description in the smb.conf (5) man page.
  • Restart Samba.


Enabling AD DC Database Audit Logging

To set the default log level to 1 and enable logging of AD DC database changes in JSON format (audit level 5):

  • Set in the [global] section in the smb.conf file:
log level = 1 dsdb_json_audit:5 dsdb_password_json_audit:5 dsdb_group_json_audit:5 dsdb_transaction_json_audit:5
For further details, see the log level parameter description in the smb.conf (5) man page.
  • Restart Samba.
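
The following smb.conf fragment is an added example (not from this page or the Samba project) that combines the two procedures above with the syslog forwarding described in the introduction. It uses the logging parameter rather than the older syslog and syslog only parameters; the comments and the choice of levels are assumptions explained inline.

```ini
[global]
    # Default debug level 1 for every other class; the audit classes are raised on their own.
    # auth_audit / auth_json_audit at 3 record failed (level 2) and successful (level 3)
    # authentications. Use 4 instead to also record authorization (AuthZ) events like the
    # examples shown on this page.
    log level = 1 auth_audit:3 auth_json_audit:3 dsdb_json_audit:5 dsdb_password_json_audit:5 dsdb_group_json_audit:5 dsdb_transaction_json_audit:5

    # Keep the normal log file and additionally hand every message up to level 5 to the
    # local syslog daemon (syntax: backend[@max_level] ...; see "logging" in smb.conf(5)).
    # The per-class levels still apply, so only the audit classes produce anything above
    # level 1 and the syslog volume stays bounded by the audit traffic.
    logging = file syslog@5
```

Restart Samba afterwards. On the syslog side, a forwarding rule such as `*.* @@logs.example.com:514` in rsyslog (the hostname is a placeholder) ships the records to the central server; a deliberately failed logon against the DC is the quickest way to confirm that an Authentication record with a non-NT_STATUS_OK status arrives there.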