Interpreting JSON Audit Logs

From SambaWiki
Revision as of 03:40, 6 January 2023 by Dbagnall (talk | contribs) (Begin a page describing the meanings of JSON audit log attributes.)

Introduction

With JSON audit logging enabled, details of various events are logged in a regular way in JSON format. Each event has many attributes, but what do these attributes mean? This page aims to help.


Authentication

Attribute: meaning
authDescription: the authentication type, for example "guest", "bare-NTLM", "plaintext", "simple bind", "interactive", "network", "ServerAuthenticate".
becameAccount: the account name logged in as. This may differ from the account supplied by the client.
becameDomain: the domain logged into.
becameSid: the SID of the authenticated account.
clientAccount: the account name reported by the client.
clientDomain: the domain name reported by the client.
duration: how long the authentication took (up until this field was written).
eventId: a Windows event ID, indicating in broad terms what happened.
localAddress: the server address and port used.
logonId: a random 64-bit identifier to help trace logon events through different stages.
logonType: Windows logon type, for Samba one of
  • 2: Interactive, meaning on this computer
  • 3: Network, over the network
  • 8: NetworkCleartext, using unhashed passwords.
mappedAccount: the client account name translated to an AD account name.
mappedDomain: the client domain translated to an AD domain name.
netlogonComputer: the claimed computer name in NETLOGON RPC authentication.
netlogonNegotiateFlags: NETLOGON negotiation option flags, documented in MS-NRPC 3.1.4.2.
netlogonSecureChannelType: indicates the type of NETLOGON channel used. See MS-NRPC 2.2.1.3.13.
netlogonTrustAccount: account used in NETLOGON authentication.
netlogonTrustAccountSid: SID belonging to the NETLOGON trust account.
passwordType: indicates the password algorithm/protocol (e.g. "HMAC-SHA256", "NTLMv2", "arcfour-hmac-md5").
remoteAddress: the claimed address (and port) of the remote client.
serviceDescription: indicates the service type, for example "LDAP", "SMB2", "NETLOGON".
status: an NT STATUS message, usually "NT_STATUS_OK".
version: a version number for the JSON format. It has two parts:
  • major: incremented if fields change meaning
  • minor: incremented if a field is added

A change in possible values does not necessarily trigger a version change. This is obviously true for client data, but also applies to e.g. passwordType, where the set of supported password formats can change over time.

The version documented here has the value {"major": 1, "minor": 2}.

workstation: the claimed name of the client workstation.
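As an added example (not part of this wiki page or of Samba's own code), a small Python review pass over constructed authentication records built from the attributes above: it refuses to interpret records whose major version differs from the one documented here, and flags failed authentications and NetworkCleartext (logonType 8) logons by logonId. The outer {"type": "Authentication", "Authentication": {...}} line layout and all sample values are assumptions.

```python
import json

EXPECTED_VERSION = {"major": 1, "minor": 2}  # the format version this page documents

# Constructed sample lines. The outer "type"/"Authentication" wrapper is an
# assumption about the line layout; the inner field names are those listed above.
SAMPLE_LINES = [
    '{"type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2},'
    ' "eventId": 4624, "logonId": "7c2d1a9b3e4f5061", "logonType": 3,'
    ' "status": "NT_STATUS_OK", "serviceDescription": "SMB2", "authDescription": "network",'
    ' "clientAccount": "alice", "becameAccount": "alice", "passwordType": "NTLMv2",'
    ' "remoteAddress": "ipv4:10.0.0.77:51234", "duration": 1532}}',
    '{"type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2},'
    ' "eventId": 4625, "logonId": "0a1b2c3d4e5f6071", "logonType": 8,'
    ' "status": "NT_STATUS_WRONG_PASSWORD", "serviceDescription": "LDAP",'
    ' "authDescription": "simple bind", "clientAccount": "bob", "becameAccount": "",'
    ' "passwordType": "plaintext", "remoteAddress": "ipv4:10.0.0.88:40001", "duration": 210}}',
    '{"type": "Authentication", "Authentication": {"version": {"major": 2, "minor": 0},'
    ' "eventId": 4624, "logonId": "ffeeddccbbaa9988", "logonType": 3,'
    ' "status": "NT_STATUS_OK", "serviceDescription": "NETLOGON",'
    ' "clientAccount": "WS01$", "becameAccount": "WS01$", "passwordType": "HMAC-SHA256",'
    ' "remoteAddress": "ipv4:10.0.0.20:49152", "duration": 88}}',
    'not json at all',
]


def review_auth_log(lines):
    """Return (logonId, finding) pairs for the records a defender should look at."""
    findings = []
    for line in lines:
        try:
            outer = json.loads(line)
        except json.JSONDecodeError:
            findings.append((None, "unparseable-line"))
            continue
        if outer.get("type") != "Authentication":
            continue  # authorization / dsdbChange records are out of scope here
        rec = outer["Authentication"]
        logon_id = rec.get("logonId")
        # A major bump means fields may have changed meaning: do not interpret them.
        if rec.get("version", {}).get("major") != EXPECTED_VERSION["major"]:
            findings.append((logon_id, "unsupported-version"))
            continue
        status = rec.get("status", "missing")
        if status != "NT_STATUS_OK":
            findings.append((logon_id, "failed:" + status))
        if rec.get("logonType") == 8:  # NetworkCleartext: password sent unhashed
            findings.append((logon_id, "cleartext-password-logon"))
    return findings
```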


Authorization

nothing yet here.

dsdbChange

nothing here either.