Web lists-archives.com

Re: [Samba] Internal DNS logging




Hi Giuseppe,


I was looking for the option 'dns:x' in the wiki but I didn't find it.
Now it works.

I used

   log level = 3 auth:3  dns:0

auth_audit:3 gives me unknown class message

it must be only available in 4.7. The last increment 4.7.4 is production ready (we've got it deployed on dozens of DCs) and has many nice improvements over 4.6. You should consider upgrading, at least for domain controllers.

But where I can find a complete list of classes for log level?

you can run any samba-tool command with debug level 9 and it will start by listing all the logging classes. For example

# samba-tool fsmo show -d9
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
  auth_audit: 9
  auth_json_audit: 9
  kerberos: 9
  drs_repl: 9


I'll also give a try on the last version of samba with json.

Json logs are much easier to parse if you need to pipe them into a SIEM or similar.

Cheers,

Denis


Thanks again

Giuseppe



On 1/18/2018 4:52 PM, Denis Cardon wrote:
Hi Giuseppe,

please, stay on the list.

Le 01/18/2018 à 04:32 PM, Giuseppe Cesa Bianchi a écrit :
Thank you for your reply but users logon are already logged on log.samba
(I think when kerberos authenticate it).

My problem is the hundreds of line written by DNS on log, even at log
level 1. I'm asking if I can do something to stop it.

In smb.conf, try:

   log level = 1 auth_audit:3  dns:0

or in samba 4.7.4
   log level = 1 auth_json_audit:3 dns:0

Denis


Thanks anyway

Giuseppe


On 1/18/2018 3:40 PM, Denis Cardon wrote:
Hi Giuseppe,

I have two Samba domain controllers version 4.6.4 on Centos 7.3.

I need to log every login/logout from windows PCs and I read on the
wiki
that I have to set log level >=3, this works.

The problem is that my log.samba is filled by internal DNS messages,
most of them about forwarding.

in my smb.conf:

        log level = 3 auth:10
        vfs objects = full_audit

I googled around but I cannot find anything to avoid this.

For login, you should upgrade your server to Samba 4.7.4 and add json
auth logging with the auth_json_audit parameter [1].

For logout, it won't be really possible to have a definitive
information from the AD point of view. But you can probably script
something on your desktop and send it back to the server (if the
network connection is still up...)

Cheers,

Denis

[1] https://wiki.samba.org/index.php/Setting_up_Audit_Logging



Please help me!

Thanks







--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba