Setting up Audit Logging
Introduction
Samba 4.7 and later supports logging of authentication and authorization events. This enables administrators to log, for example, successful and failed logins.
An audit event is logged on the Samba server the event was performed on. For example, in a multi-domain controller (DC) environment, an authentication request is logged only on the DC the request was sent to. To store all logs on a centralized server, set up a centralized syslog server, configure Samba to log to the syslog daemon, and configure the syslog daemon to send the logs to the centralized server. For details, see:
- the logging, syslog, and syslog only parameter descriptions in the smb.conf(5) man page
- the documentation of your syslog daemon
Logging Formats
Standard Log Format
Audit logging using the standard log format is automatically supported in Samba and does not require additional libraries.
The following example displays a log entry of a successful user authentication on a Samba DC using the standard log format:
[2017/07/04 21:07:41.410381, 4, pid=21757] ../auth/auth_log.c:848(log_successful_authz_event_human_readable) Successful AuthZ: [SMB2,krb5] user [SAMDOM]\[Administrator] [S-1-5-21-469703510-2364959079-1506205053-500] at [Di, 04 Jul 2017 21:07:41.410364 CEST] Remote host [ipv4:10.99.0.81:58828] local host [ipv4:10.99.0.1:445]
Logging in JSON Format
If the jansson library was installed on the system where you build Samba, JSON support is automatically built into Samba.
The following example displays a log entry of a successful user authentication on a Samba DC using the JSON format:
[2017/07/04 21:07:41.410434, 4, pid=21757] ../auth/auth_log.c:220(log_json) JSON Authorization: {"type": "Authorization", "timestamp": "2017-07-04T21:07:41.410408+0200", "Authorization": {"version": {"major": 1, "minor": 0}, "sid": "S-1-5-21-469703510-2364959079-1506205053-500", "serviceDescription": "SMB2", "localAddress": "ipv4:10.99.0.1:445", "remoteAddress": "ipv4:10.99.0.81:58828", "transportProtection": "SMB", "authType": "krb5", "domain": "SAMDOM", "account": "Administrator", "logonServer": "DC1", "accountFlags": "0x00000210"}}
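The following is an added example, not part of the original page or of Samba: a sketch of how a log collector could pull the JSON payload out of a line like the one above and flatten the fields it shows. The function names and the truncated first input line are constructed for illustration, and the code assumes that every record nests its fields under the key named by "type", as the sample does.

```python
import json
import re
# Samba prefixes each JSON audit record with "JSON <Type>: " (see the sample above).
MARKER = re.compile(r"JSON (\w+): (?=\{)")

def split_addr(value):
    """'ipv4:10.99.0.81:58828' -> ('ipv4', '10.99.0.81', 58828)."""
    family, rest = value.split(":", 1)
    host, port = rest.rsplit(":", 1)  # rsplit keeps IPv6 colons in the host part
    return family, host, int(port)

def parse_audit_events(text):
    """Return one flat dict per well-formed JSON audit record found in text."""
    events, pos, decoder = [], 0, json.JSONDecoder()
    while (m := MARKER.search(text, pos)) is not None:
        pos = m.end()
        try:
            record, pos = decoder.raw_decode(text, m.end())
            # Assumption: fields are nested under the key named by "type".
            body = record[record["type"]]
            _, host, port = split_addr(body["remoteAddress"])
            events.append({
                "timestamp": record["timestamp"],
                "type": record["type"],
                "user": body["domain"] + "\\" + body["account"],
                "sid": body["sid"],
                "service": body["serviceDescription"],
                "auth_type": body["authType"],
                "remote_host": host,
                "remote_port": port,
            })
        except (ValueError, KeyError, TypeError):
            continue  # truncated, corrupt or unexpected record: skip it
    return events

# Constructed input: a truncated record, then the sample line from this page.
TRUNCATED = '[2017/07/04 21:07:40.000000, 4, pid=21757] JSON Authorization: {"type": "Authori\n'
SAMPLE = (
    '[2017/07/04 21:07:41.410434, 4, pid=21757] ../auth/auth_log.c:220(log_json) '
    'JSON Authorization: {"type": "Authorization", "timestamp": "2017-07-04T21:07:41.410408+0200", '
    '"Authorization": {"version": {"major": 1, "minor": 0}, "sid": "S-1-5-21-469703510-2364959079-1506205053-500", '
    '"serviceDescription": "SMB2", "localAddress": "ipv4:10.99.0.1:445", "remoteAddress": "ipv4:10.99.0.81:58828", '
    '"transportProtection": "SMB", "authType": "krb5", "domain": "SAMDOM", '
    '"account": "Administrator", "logonServer": "DC1", "accountFlags": "0x00000210"}}\n'
)

if __name__ == "__main__":
    for event in parse_audit_events(TRUNCATED + SAMPLE):
        print(event)
```

Because the parser searches for the marker rather than anchoring on the line start, it also works when the debug header and the JSON payload are on separate lines.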
Verifying if JSON Support is Enabled in Samba
To verify if Samba has been built with JSON support, enter:
# smbd -b | grep HAVE_JSON_OBJECT
   HAVE_JSON_OBJECT
If no output is displayed, Samba was compiled without JSON support. To build Samba with JSON support, install the jansson header files and rebuild Samba. For details, see:
Enabling Audit Logging
Depending on the log level, Samba logs different events. To limit the number of log entries, you can increase the log level only for the audit-related debug classes. For details, see Setting Individual Log Levels for Debug Classes.
You can use the following debug classes to control the audit log level independently from the default log level:
- auth_audit: Standard log format
- auth_json_audit: JSON format. This feature requires built-in JSON support in Samba. See Verifying if JSON Support is Enabled in Samba.
To set the default log level to 1 and enable the highest audit log level (anonymous authentication and authorization success logging):
- Set in the [global] section in the smb.conf file:
  log level = 1 auth_audit:5 auth_json_audit:5
  For further details, see the log level parameter description in the smb.conf(5) man page.
- Restart Samba.