Re: [Samba] Export authentication & authorisation logs to Windows Event Viewer

Hello Andrew,

The appliance can connect, but cannot see the events.

I did attempt the procedure given in the wiki, but could not get the DLL part going.


Thanks & Regards,

Anantha Raghava

On 06/01/18 2:12 PM, Andrew Bartlett wrote:
On Sat, 2018-01-06 at 14:05 +0530, Anantha Raghava wrote:
Hello Andrew,

Thanks for quick response.

The requirement here is, we are deploying a Smokescreen IllusionBLACK appliance for cyber security (deception technology; unfortunately this appliance is built on Windows), and Active Directory decoys are created. A task is created in the appliance that can read the AD Event Viewer and notify on login pass or fail. Attached is the schematic for your information.

You can get more details from https://www.smokescreen.io/IllusionBLACK/ and you can also setup your demo.
Unfortunately, this cannot read either syslog or JSON format. We even checked whether, if we used some script to write these logs into a text file on a Windows Server, it could read them, but the answer is a Big NO. It uses PowerShell to read the Windows Events and notifies when a specific event occurs.

For now, older eventlog format is good, not sure about future.
Very interesting.  Does it connect and just see no events, or does it
fail to connect?  Have you tried injecting a fake event as directed by
that wiki page to see if it works?  (It would be a much simpler task
to extend the audit code if that were the case, or you could even write
the transformation tool).

Naturally I'll follow up with them about a demo.


Andrew Bartlett
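
An added example of the "transformation tool" Andrew mentions above (my own illustration, not code from the Samba project or from this thread): a Windows PowerShell script that takes Samba's JSON authentication audit lines and writes one Windows event per line, so a PowerShell-based reader like the appliance's task sees them in Event Viewer. Assumptions not stated in the thread: Windows PowerShell 5.1 (Write-EventLog was removed from PowerShell 7), an elevated shell the first time the script runs (New-EventLog registers the source), that the Samba log file has been copied or mounted to a Windows host at the path shown, and the field names of Samba's "Authentication" JSON record (status, clientDomain, clientAccount, serviceDescription, authDescription, remoteAddress, workstation), which are taken from the Samba wiki's audit-logging documentation. The event source name, event IDs and log path are placeholders to change for your site; the sample log line at the end is constructed.

```powershell
# Added example: forward Samba JSON auth audit lines into the Windows Event Log.
# Not Samba project code. Requires Windows PowerShell 5.1 and, for the first run,
# administrator rights so the event source can be registered.

$LogName     = 'Application'
$Source      = 'SambaAuthAudit'              # assumed source name; pick your own
$EventIdOk   = 4624                          # mirrors the Windows logon success ID
$EventIdFail = 4625                          # mirrors the Windows logon failure ID
$SambaLog    = 'C:\SambaLogs\auth_audit.log' # assumed path of the copied/mounted Samba log

# Register the event source once (needs administrator rights).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

function ConvertFrom-SambaAuthLine {
    param([Parameter(Mandatory)][string]$Line)
    # When Samba logs to a file the JSON is preceded by the usual log header,
    # so keep only the JSON object and ignore anything that is not an
    # Authentication record (Authorization records have a different shape).
    $start = $Line.IndexOf('{')
    if ($start -lt 0) { return $null }
    try {
        $obj = $Line.Substring($start) | ConvertFrom-Json
    } catch {
        return $null   # truncated or non-JSON line: skip rather than crash the loop
    }
    if ($obj.type -ne 'Authentication') { return $null }
    return $obj
}

function Write-SambaAuthEvent {
    param([Parameter(Mandatory)]$Event)
    $a  = $Event.Authentication
    $ok = ($a.status -eq 'NT_STATUS_OK')
    $message = @(
        "Samba authentication $(if ($ok) { 'succeeded' } else { 'failed' })",
        "Status:      $($a.status)",
        "Account:     $($a.clientDomain)\$($a.clientAccount)",
        "Service:     $($a.serviceDescription) ($($a.authDescription))",
        "Remote:      $($a.remoteAddress)",
        "Workstation: $($a.workstation)",
        "Timestamp:   $($Event.timestamp)"
    ) -join "`n"
    # Success/FailureAudit entry types let a consumer filter the way it would
    # filter native logon auditing; the message carries the Samba detail.
    Write-EventLog -LogName $LogName -Source $Source `
        -EventId   $(if ($ok) { $EventIdOk } else { $EventIdFail }) `
        -EntryType $(if ($ok) { 'SuccessAudit' } else { 'FailureAudit' }) `
        -Message   $message
}

# Constructed sample line (values made up; field names follow Samba's JSON
# auth audit schema) to exercise the parser and the event write once:
$sample = '{"timestamp": "2018-01-06T09:00:00.000000+0000", "type": "Authentication", ' +
          '"Authentication": {"version": {"major": 1, "minor": 0}, ' +
          '"status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.0.2.10:445", ' +
          '"remoteAddress": "ipv4:192.0.2.55:49152", "serviceDescription": "SMB2", ' +
          '"authDescription": "NTLMSSP", "clientDomain": "EXAMPLE", ' +
          '"clientAccount": "decoy-admin", "workstation": "WS01", "passwordType": "NTLMv2"}}'
$ev = ConvertFrom-SambaAuthLine $sample
if ($ev) { Write-SambaAuthEvent $ev }

# Then follow the real log and forward new lines as they arrive.
Get-Content -Path $SambaLog -Wait -Tail 0 | ForEach-Object {
    $ev = ConvertFrom-SambaAuthLine $_
    if ($ev) { Write-SambaAuthEvent $ev }
}
```

Two practical caveats: the script only sees lines appended to a file on the Windows side, so something (an SMB mount of the Samba log directory, rsync, or a syslog receiver writing to disk) has to get the log there first; and because the appliance matches on specific events, confirm with it which log, source and event IDs its PowerShell task filters on before choosing values other than the placeholders above, otherwise the events will be visible in Event Viewer but still ignored by the appliance.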

