Setting up Audit Logging

From SambaWiki
Revision as of 17:44, 16 July 2017 by Mmuehlfeld (talk | contribs) (New documentation: Setting up Audit Logging (Samba 4.7 and later))

Introduction

Samba 4.7 and later supports logging of authentication and authorization events. This enables administrators to log, for example, successful and failed logins.

An audit event is logged on the Samba server the event was performed on. For example, in a multi-domain controller (DC) environment, an authentication request is logged only on the DC the request was sent to. To store all logs on a centralized server, set up a centralized syslog server, configure Samba to log to the syslog daemon, and configure the syslog daemon to send the logs to the centralized server. For details, see:

  • the logging, syslog, and syslog only parameter descriptions in the smb.conf(5) man page
  • the documentation of your syslog daemon



Logging Formats

Standard Log Format

Audit logging using the standard log format is automatically supported in Samba and does not require additional libraries.

The following example displays a log entry of a successful user authentication on a Samba DC using the standard log format:

[2017/07/04 21:07:41.410381,  4, pid=21757] ../auth/auth_log.c:848(log_successful_authz_event_human_readable)
  Successful AuthZ: [SMB2,krb5] user [SAMDOM]\[Administrator] [S-1-5-21-469703510-2364959079-1506205053-500] at [Di, 04 Jul 2017 21:07:41.410364 CEST] Remote host [ipv4:10.99.0.81:58828] local host [ipv4:10.99.0.1:445]


Logging in JSON Format

If the jansson library was installed on the system where you build Samba, JSON support is automatically built into Samba.

The following example displays a log entry of a successful user authentication on a Samba DC using the JSON format:

[2017/07/04 21:07:41.410434,  4, pid=21757] ../auth/auth_log.c:220(log_json)
  JSON Authorization: {"type": "Authorization", "timestamp": "2017-07-04T21:07:41.410408+0200", "Authorization": {"version": {"major": 1, "minor": 0}, "sid": "S-1-5-21-469703510-2364959079-1506205053-500", "serviceDescription": "SMB2", "localAddress": "ipv4:10.99.0.1:445", "remoteAddress": "ipv4:10.99.0.81:58828", "transportProtection": "SMB", "authType": "krb5", "domain": "SAMDOM", "account": "Administrator", "logonServer": "DC1", "accountFlags": "0x00000210"}}
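As an added example (not code from the Samba project), the following Python parses JSON audit records like the one above out of a Samba log, splits the Samba address strings into host and port, and flags authorizations that did not use Kerberos. The first sample record is the page's own; the second is constructed for this example.

```python
import json
import re
from typing import Dict, Iterable, List

# Constructed sample log: the page's Administrator record plus an invented
# NTLMSSP logon (account, RID and port are made up) for the filter to flag.
SAMPLE_LOG = """\
[2017/07/04 21:07:41.410434,  4, pid=21757] ../auth/auth_log.c:220(log_json)
  JSON Authorization: {"type": "Authorization", "timestamp": "2017-07-04T21:07:41.410408+0200", "Authorization": {"version": {"major": 1, "minor": 0}, "sid": "S-1-5-21-469703510-2364959079-1506205053-500", "serviceDescription": "SMB2", "localAddress": "ipv4:10.99.0.1:445", "remoteAddress": "ipv4:10.99.0.81:58828", "transportProtection": "SMB", "authType": "krb5", "domain": "SAMDOM", "account": "Administrator", "logonServer": "DC1", "accountFlags": "0x00000210"}}
[2017/07/04 21:09:15.000000,  4, pid=21757] ../auth/auth_log.c:220(log_json)
  JSON Authorization: {"type": "Authorization", "timestamp": "2017-07-04T21:09:15.000000+0200", "Authorization": {"version": {"major": 1, "minor": 0}, "sid": "S-1-5-21-469703510-2364959079-1506205053-1104", "serviceDescription": "SMB2", "localAddress": "ipv4:10.99.0.1:445", "remoteAddress": "ipv4:10.99.0.81:58901", "transportProtection": "SMB", "authType": "NTLMSSP", "domain": "SAMDOM", "account": "jdoe", "logonServer": "DC1", "accountFlags": "0x00000210"}}
"""

# A JSON record follows the debug header line, prefixed "JSON <type>: ";
# the nested object is keyed by the value of "type" (as in the page's example).
JSON_LINE = re.compile(r'^\s*JSON (\w+): (\{.*\})\s*$')
# Samba address strings look like "ipv4:10.99.0.81:58828" (or ipv6:host:port).
ADDR = re.compile(r'^(ipv[46]):(.+):(\d+)$')


def split_address(addr: str) -> Dict[str, str]:
    """Return family, host and port of a Samba address string."""
    m = ADDR.match(addr)
    if not m:
        return {"family": "unknown", "host": addr, "port": ""}
    return {"family": m.group(1), "host": m.group(2), "port": m.group(3)}


def parse_audit_log(text: str) -> List[Dict[str, str]]:
    """Flatten every JSON audit record in a Samba log into one dict per event."""
    events = []
    for line in text.splitlines():
        m = JSON_LINE.match(line)
        if not m:
            continue  # debug header or unrelated log line
        record = json.loads(m.group(2))
        body = record.get(record["type"], {})
        event = {"type": record["type"], "timestamp": record["timestamp"]}
        event.update({k: v for k, v in body.items() if k != "version"})
        event["remoteHost"] = split_address(body.get("remoteAddress", ""))["host"]
        events.append(event)
    return events


def non_kerberos_logons(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return authorizations that did not use Kerberos (e.g. NTLM fallbacks)."""
    return [e for e in events
            if e["type"] == "Authorization" and e.get("authType") != "krb5"]
```

Feed the output of `parse_audit_log()` on a real log file to a SIEM or to `non_kerberos_logons()` to spot clients still authenticating with NTLM.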


Verifying if JSON Support is Enabled in Samba

To verify if Samba has been built with JSON support, enter:

# smbd -b | grep HAVE_JSON_OBJECT
HAVE_JSON_OBJECT

If no output is displayed, Samba was compiled without JSON support. To build Samba with JSON support, install the jansson header files and rebuild Samba. For details, see:



Enabling Audit Logging

Depending on the log level, Samba logs different events. However, to limit the number of log entries, you can increase the log level for only the audit-related debug classes. For details, see Setting Individual Log Levels for Debug Classes.

You can use the following debug classes to control the audit log level independently from the default log level:

To set the default log level to 1 and enable the highest audit log level (which also logs anonymous authentication and authorization successes):

  • Set in the [global] section in the smb.conf file:
log level = 1 auth_audit:5 auth_json_audit:5
  • For further details, see the log level parameter description in the smb.conf(5) man page.
  • Restart Samba.