Interpreting JSON Audit Logs
Introduction
With JSON audit logging enabled, details of various events are logged in a regular way in JSON format. Each event has many attributes, but what do these attributes mean? This page aims to help.
The outermost layer has three elements: a timestamp, a type, and a data object that is indexed by the named type.
{ "type": one of "Authentication", "Authorization", "dsdbChange", "dsdbTransaction", "passwordChange", "replicatedUpdate", "groupChange", "timestamp": 2023-01-12T22:50:50.000000+00:00, type: { data } }
the type indicates which table you should look in below to understand the data.
Note that this example (and others below) has been reformatted over several lines for clarity. The JSON emitted by audit logging will always be formatted on a single line.
common fields
Attribute | meaning |
---|---|
version | a version number for the JSON format. It has two parts.
A change in possible values does not usually trigger a version change. This is obviously true for client supplied data, but also applies to e.g. passwordType, where the set of supported password formats can change over time without changing the JSON version. |
Authentication
Note: Some attributes will still be present when they are inapplicable. For example, if not using NETLOGON (per "serviceDescription"), "netlogonComputer" will be set to "null", "netlogonNegotiateFlags" will be "0x00000000", and other netlogon fields will have similarly empty values.
Regarding the client-, mapped-, and became- account and domain attributes, these follow track the process of the identity claim through various layers. The client has given the client values, which might get converted to different mapped values. If the authentication is successful, the became- attributes pertain to the account we actually ended up with. Do not be surprised if these are often very similar.
Attribute | meaning |
---|---|
authDescription | the authentication type, including:
|
becameAccount | the account name logged in as. This may differ from the account supplied by the client. |
becameDomain | the domain logged into. |
becameSid | the SID of the authenticated account. |
clientAccount | the reported account name from the client. |
clientDomain | the reported domain name from the client. |
duration | how long the authentication took in microseconds (up until this field was written). |
eventId | a Windows event ID, indicating in broad terms what happened. |
localAddress | the server address and port used. |
logonId | a random 64 bit identifier to help trace logon events through different stages. |
logonType | Windows logon type, for Samba one of
|
mappedAccount | the client account name translated to an AD account name. |
mappedDomain | the client domain translated to an AD domain name. |
netlogonComputer | the claimed computer name in NETLOGON RPC authentication. |
netlogonNegotiateFlags | NETLOGON negotiation option flags, documented in MS-NRPC 3.1.4.2. |
netlogonSecureChannelType | indicates the type of NETLOGON channel used. See MS-NRPC 2.2.1.3.13. |
netlogonTrustAccount | account used in NETLOGON authentication. |
netlogonTrustAccountSid | SID belonging to the NETLOGON trust account. |
passwordType | indicates the password algorithm/protocol (e.g. "HMAC-SHA256", "NTLMv2", "arcfour-hmac-md5"). |
remoteAddress | the claimed address (and port) of the remote client. |
serviceDescription | indicates the service type, for example "LDAP", "SMB2", "NETLOGON". |
status | an NT STATUS message. For a successful authentication this will be "NT_STATUS_OK". Unsuccessful authentications may have "NT_STATUS_OK" here if the authentication fails after this message is logged, but usually will have an error code. There are many possible errors, but fewer probable ones. Not all authentication types can produce all codes. Some are:
|
version | see the introduction for an explanation.
The version documented here has the value |
workstation | the claimed name of the client workstation. |
Authorization
This applies to successful authorization events.
Attribute | meaning |
---|---|
account | the account name being authorized. |
accountFlags | a bitfield of account attributes as described in MS-SAMR and elsewhere. |
authType | a string describing the authorization type (e.g. "krb5", "NTLMSSP", "simple bind"). |
domain | the domain. |
localAddress | the server address and port used. |
logonServer | the server authenticated to. |
remoteAddress | the apparent client address. |
serviceDescription | indicates the service type, for example "LDAP", "SMB2", "DCE/RPC". |
sessionId | a GUID identifying the session. |
sid | the SID of the authorized account. |
transportProtection | the type of protection on the channel (e.g. "SMB", "TLS", "SEAL", "NONE"). |
type | "Authorization" |
version | see the introduction for an explanation.
The version documented here has the value |
dsdbChange
These log when a client triggers a significant change in the Active Directory Database (known, sometimes, as DSDB internally in Samba). Some specific changes, namely password, group changes, and replication changes are logged separately, as "passwordChange", "groupChange", and "replicatedUpdate" events.
Attribute | meaning |
---|---|
attributes | see the section below. |
dn | the DN of the object being changed. |
operation | the equivalent ldap operation ("Modify", "Add", "Delete") |
performedAsSystem | true is Samba is acting upon itself using the system account; false
if acting on behalf of some user. |
remoteAddress | apparent address of the user that triggered the operation |
sessionId | a GUID identifying the authentication session. |
status | A string indicating whether the change succeeded, and if not, why. These relate to LDAP result codes, which are also given as in the statusCode attribute.
Some possible strings are:
|
a number directly relating to the status string | These are generally equivalent to LDAP result codes as defined in RFC4511. |
transactionId | if this change is part of a transaction, this GUID identifies it. |
userSid | SID of the user that triggered the operation. |
version | see the introduction for an explanation.
The version documented here has the value |
dsdbChange attributes
This lists the attributes being changed. You can consider the entries as equivalent to LDIF stanzas. For example, the following JSON
"dsdbChange": { "operation": "Modify", "dn": "@SAMBA_DSDB", "attributes": { "backupDate": {"actions": [ {"action": "add", "values": [ {"value": "2023-01-14T09-43-55.333333"} ] } ] }}}
would describe the change performed by this LDIF:
dn: @SAMBA_DSDB changetype: modify add: backupDate backupDate: 2023-01-14T09-43-55.333333
Secret attributes are redacted, and there will be a redacted: true
tag rather than any values.
If a value is very long (> 1024 bytes), it will be truncated at that
point, with "..." appended, and a truncated
flag. You'll
just have to imagine the text in this example is 1024 bytes long:
"values": [ {"value": "It was the best of times, it was the worst of times, it was the age...", truncated: true } ]
Attribute | meaning |
---|---|
action | an LDAP Modify action: add, replace, or delete. |
redacted | this type of value is too secret to log. |
values | a list of values to perform the action on.
Each value is in a separate object with a value or base64 key (which is used depends on whether the value contains non-printable characters). |
values[].value | the value data, possibly truncated and/or base64 encoded. |
values[].base64 | only present and true if the data is base64 encoded. |
values[].truncated | only present and true if the data has been truncated, which happens if it was more than 1024 bytes long.. |
dsdbTransaction
A transaction ties a number of database operations together; either they all happen atomically, or none of them happen. If all the operations in a transaction succeed, it is committed, and the changes are permanent, but if one fails the preceding operations that temporarily succeeded need to be rolled back, even though they may have already been logged as dsdbChange events.
Each transaction has an identifying GUID; other DSDB operations that are part of the transaction will include this GUID in the "transactionId" attribute.
Attribute | meaning |
---|---|
action | one of "begin", "commit", "rollback". |
duration | the duration of the transaction in microseconds (up until this field was written). |
transactionId | a GUID identifying this transaction. |
version | see the introduction for an explanation.
The version documented here has the value |
passwordChange
This is a special kind of dsdbChange.
Attribute | meaning |
---|---|
action | "Change" or "Reset". |
dn | the DN of the user whose password is changed. |
eventId | a Windows event ID, indicating in broad terms what happened.
|
remoteAddress | the apparent remote address of the user making this change. |
sessionId | identifies the DSDB session. |
status | An ldap-like error name, as per dsdbChange |
statusCode | An ldap-like error code, as per dsdbChange |
transactionId | the GUID of this transaction if any. |
userSid | the SID of the user making the change, not necessarily the user whose password is changed. |
version | {"major": 1, "minor": 1}
|
groupChange
This indicates a DSDB change that adds or removes a user from a group.
Attribute | meaning |
---|---|
action | "Removed", "Added", or "PrimaryGroup"
PrimaryGroup means the PrimaryGroup has changed. |
eventId | a Windows event ID, indicating what happened. The following are possible:
|
group | The DN of the group in question |
remoteAddress | the apparent remote address of the user making this change. |
sessionId | identifies the DSDB session. |
status | A string indicating whether the change succeeded, and if not, why.
A partial list of status strings is given in the dsdbChange section. |
a number directly relating to the status string | These are generally equivalent to LDAP result codes as defined in RFC4511. |
transactionId | the GUID of this transaction if any. |
user | the DN of the user whose group memberships are changing |
userSid | SID of thew user *making the change* |
version | {"major": 1, "minor": 1}
|