Interpreting JSON Audit Logs

From SambaWiki
Revision as of 23:14, 13 January 2023 by Dbagnall (talk | contribs) (→‎Introduction: note about example formatting)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Introduction

With JSON audit logging enabled, details of various events are logged in a regular way in JSON format. Each event has many attributes, but what do these attributes mean? This page aims to help.

The outermost layer has three elements: a timestamp, a type, and a data object that is indexed by the named type. 

{
  "type": one of "Authentication", "Authorization", "dsdbChange",
          "dsdbTransaction", "passwordChange", "replicatedUpdate",
          "groupChange",
  "timestamp": 2023-01-12T22:50:50.000000+00:00,
  type: { data }
}

the type indicates which table you should look in below to understand the data.

Note that this example (and others below) has been reformatted over several lines for clarity. The JSON emitted by audit logging will always be formatted on a single line.

common fields

Attribute meaning
version a version number for the JSON format. It has two parts.
  • major: incremented if fields change meaning
  • minor: incremented if a field is added

A change in possible values does not usually trigger a version change. This is obviously true for client supplied data, but also applies to e.g. passwordType, where the set of supported password formats can change over time without changing the JSON version.

Authentication

Note: Some attributes will still be present when they are inapplicable. For example, if not using NETLOGON (per "serviceDescription"), "netlogonComputer" will be set to "null", "netlogonNegotiateFlags" will be "0x00000000", and other netlogon fields will have similarly empty values.

Regarding the client-, mapped-, and became- account and domain attributes, these follow track the process of the identity claim through various layers. The client has given the client values, which might get converted to different mapped values. If the authentication is successful, the became- attributes pertain to the account we actually ended up with. Do not be surprised if these are often very similar.


Attribute meaning
authDescription the authentication type, including:
  • "simple bind/TLS", "simple bind": LDAP simple bind, with or without a TLS channel.
  • "guest": anonymous SMB1 request
  • "bare-NTLM": SMB using NT1 protocol
  • "plaintext": SMB1 plain text
  • "interactive": as if physically at a workstation
  • "network": challenge/response authentication over the network
  • "Unknown Auth Description", "Unknown Pre-authentication": KDC events
  • "ServerAuthenticate": machine challenge/response logon using NETLOGON
  • "LDAP Modify": this is a password change, not strictly an authentication event, but logged here so you don't miss it.
becameAccount the account name logged in as. This may differ from the account supplied by the client.
becameDomain the domain logged into.
becameSid the SID of the authenticated account.
clientAccount the reported account name from the client.
clientDomain the reported domain name from the client.
duration how long the authentication took in microseconds (up until this field was written).
eventId a Windows event ID, indicating in broad terms what happened.
localAddress the server address and port used.
logonId a random 64 bit identifier to help trace logon events through different stages.
logonType Windows logon type, for Samba one of
  • 2: Interactive, meaning on this computer
  • 3: Network, over the network
  • 8: NetworkCleartext, using unhashed passwords.
mappedAccount the client account name translated to an AD account name.
mappedDomain the client domain translated to an AD domain name.
netlogonComputer the claimed computer name in NETLOGON RPC authentication.
netlogonNegotiateFlags NETLOGON negotiation option flags, documented in MS-NRPC 3.1.4.2.
netlogonSecureChannelType indicates the type of NETLOGON channel used. See MS-NRPC 2.2.1.3.13.
netlogonTrustAccount account used in NETLOGON authentication.
netlogonTrustAccountSid SID belonging to the NETLOGON trust account.
passwordType indicates the password algorithm/protocol (e.g. "HMAC-SHA256", "NTLMv2", "arcfour-hmac-md5").
remoteAddress the claimed address (and port) of the remote client.
serviceDescription indicates the service type, for example "LDAP", "SMB2", "NETLOGON".
status an NT STATUS message. For a successful authentication this will be "NT_STATUS_OK". Unsuccessful authentications may have "NT_STATUS_OK" here if the authentication fails after this message is logged, but usually will have an error code. There are many possible errors, but fewer probable ones. Not all authentication types can produce all codes. Some are:
  • NT_STATUS_ACCESS_DENIED: access denied for unspecified reasons, but probably due to bad credentials.
  • NT_STATUS_WRONG_PASSWORD: wrong password.
  • NT_STATUS_NO_SUCH_USER: no such user.
  • NT_STATUS_NO_SUCH_DOMAIN: domain seems wrong.
  • NT_STATUS_ACCOUNT_RESTRICTION: the account is protected or otherwise restricted.
  • NT_STATUS_DOWNGRADE_DETECTED: client is possibly doing something duplicitous to use bad authentication methods.
  • NT_STATUS_INVALID_SERVER_STATE: the server thinks it is being used in the wrong way.
  • NT_STATUS_INVALID_INFO_CLASS: the server thinks it is being used in the wrong way.
  • NT_STATUS_INVALID_PARAMETER: client got something wrong.
  • NT_STATUS_NETWORK_CREDENTIAL_CONFLICT: something changed midway; maybe there is a race in credentials changes or bad crypto was negotiated.
  • NT_STATUS_NOT_IMPLEMENTED: Samba doesn't know this authentication type.
  • NT_STATUS_NOT_SUPPORTED: Samba doesn't like this authentication type, or it doesn't like the way the client is using it.
  • NT_STATUS_INVALID_SYSTEM_SERVICE: the authentication service selected is not available.
  • NT_STATUS_INTERNAL_ERROR: the server can't complete the authentication and blames itself.
  • NT_STATUS_NO_MEMORY: the server can't complete the authentication and claims there is insufficient memory.
version see the introduction for an explanation.

The version documented here has the value {"major": 1, "minor": 2}.

workstation the claimed name of the client workstation.


Authorization

This applies to successful authorization events.

Attribute meaning
account the account name being authorized.
accountFlags a bitfield of account attributes as described in MS-SAMR and elsewhere.
authType a string describing the authorization type (e.g. "krb5", "NTLMSSP", "simple bind").
domain the domain.
localAddress the server address and port used.
logonServer the server authenticated to.
remoteAddress the apparent client address.
serviceDescription indicates the service type, for example "LDAP", "SMB2", "DCE/RPC".
sessionId a GUID identifying the session.
sid the SID of the authorized account.
transportProtection the type of protection on the channel (e.g. "SMB", "TLS", "SEAL", "NONE").
type "Authorization"
version see the introduction for an explanation.

The version documented here has the value {"major": 1, "minor": 1}.

dsdbChange

These log when a client triggers a significant change in the Active Directory Database (known, sometimes, as DSDB internally in Samba). Some specific changes, namely password, group changes, and replication changes are logged separately, as "passwordChange", "groupChange", and "replicatedUpdate" events.

Attribute meaning
attributes see the section below.
dn the DN of the object being changed.
operation the equivalent ldap operation ("Modify", "Add", "Delete")
performedAsSystem true is Samba is acting upon itself using the system account; false

if acting on behalf of some user.

remoteAddress apparent address of the user that triggered the operation
sessionId a GUID identifying the authentication session.
status A string indicating whether the change succeeded, and if not, why. These relate to LDAP result codes, which are also given as in the statusCode attribute.

Some possible strings are:

  • "Success"
  • "Operations error"
  • "Protocol error"
  • "Time limit exceeded"
  • "Size limit exceeded"
  • "Unsupported critical extension"
  • "No such attribute"
  • "Undefined attribute type"
  • "Constraint violation"
  • "Attribute or value exists"
  • "Invalid attribute syntax"
  • "No such object"
  • "Alias problem"
  • "Invalid DN syntax"
  • "insufficient access rights"
  • "Unwilling to perform"
  • "Naming violation"
  • "Object class violation"
  • "Not allowed on non-leaf"
  • "Not allowed on RDN"
  • "Entry already exists"
a number directly relating to the status string These are generally equivalent to LDAP result codes as defined in RFC4511.
transactionId if this change is part of a transaction, this GUID identifies it.
userSid SID of the user that triggered the operation.
version see the introduction for an explanation.

The version documented here has the value {"major": 1, "minor": 0}.

dsdbChange attributes

This lists the attributes being changed. You can consider the entries as equivalent to LDIF stanzas. For example, the following JSON 

"dsdbChange": {
  "operation": "Modify",
  "dn": "@SAMBA_DSDB",
  "attributes": {
   "backupDate": {"actions": [
     {"action": "add",
      "values": [
        {"value": "2023-01-14T09-43-55.333333"}
       ]
     }
   ]
  }}}

would describe the change performed by this LDIF: 

dn: @SAMBA_DSDB
changetype: modify
add: backupDate
backupDate: 2023-01-14T09-43-55.333333

Secret attributes are redacted, and there will be a redacted: true tag rather than any values.

If a value is very long (> 1024 bytes), it will be truncated at that point, with "..." appended, and a truncated flag. You'll just have to imagine the text in this example is 1024 bytes long: 

      "values": [
         {"value": "It was the best of times, it was the worst of times, it was the age...",
          truncated: true
         }
       ]


Attribute meaning
action an LDAP Modify action: add, replace, or delete.
redacted this type of value is too secret to log.
values a list of values to perform the action on.

Each value is in a separate object with a value or base64 key (which is used depends on whether the value contains non-printable characters).

values[].value the value data, possibly truncated and/or base64 encoded.
values[].base64 only present and true if the data is base64 encoded.
values[].truncated only present and true if the data has been truncated, which happens if it was more than 1024 bytes long..

dsdbTransaction

A transaction ties a number of database operations together; either they all happen atomically, or none of them happen. If all the operations in a transaction succeed, it is committed, and the changes are permanent, but if one fails the preceding operations that temporarily succeeded need to be rolled back, even though they may have already been logged as dsdbChange events.

Each transaction has an identifying GUID; other DSDB operations that are part of the transaction will include this GUID in the "transactionId" attribute.

Attribute meaning
action one of "begin", "commit", "rollback".
duration the duration of the transaction in microseconds (up until this field was written).
transactionId a GUID identifying this transaction.
version see the introduction for an explanation.

The version documented here has the value {"major": 1, "minor": 0}.

passwordChange

This is a special kind of dsdbChange.

Attribute meaning
action "Change" or "Reset".
dn the DN of the user whose password is changed.
eventId a Windows event ID, indicating in broad terms what happened.
  • 4723 means "change",
  • 4724 means "reset".
remoteAddress the apparent remote address of the user making this change.
sessionId identifies the DSDB session.
status An ldap-like error name, as per dsdbChange
statusCode An ldap-like error code, as per dsdbChange
transactionId the GUID of this transaction if any.
userSid the SID of the user making the change, not necessarily the user whose password is changed.
version {"major": 1, "minor": 1}


groupChange

This indicates a DSDB change that adds or removes a user from a group.

Attribute meaning
action "Removed", "Added", or "PrimaryGroup"

PrimaryGroup means the PrimaryGroup has changed.

eventId a Windows event ID, indicating what happened. The following are possible:
  • 4728 user added to global security group
  • 4729 user removed from global security group
  • 4732 user added to local security group
  • 4733 user removed from local security group
  • 4746 user added to local group
  • 4747 user removed from local group
  • 4751 user added to global group
  • 4752 user removed from global group
  • 4756 user added to universal security group
  • 4757 user removed from universal security group
  • 4761 user added to universal group
  • 4762 user removed from universal group
group The DN of the group in question
remoteAddress the apparent remote address of the user making this change.
sessionId identifies the DSDB session.
status A string indicating whether the change succeeded, and if not, why.

A partial list of status strings is given in the dsdbChange section.

a number directly relating to the status string These are generally equivalent to LDAP result codes as defined in RFC4511.
transactionId the GUID of this transaction if any.
user the DN of the user whose group memberships are changing
userSid SID of thew user *making the change*
version {"major": 1, "minor": 1}



replicatedUpdate

Retrieved from "https://wiki.samba.org/index.php?title=Interpreting_JSON_Audit_Logs&oldid=18571"