Samba Audit Logs to Centralised Log Servers

Deepak Singh

Dabbler
Joined
Jun 6, 2016
Messages
16
Dear Members,

I am using FreeNAS 11 and have successfully configured full Samba audit and am getting the logs as well. We are running a Graylog server for centralised log monitoring.

I have configured the remote logging configuration in syslog, and FreeNAS is sending the logs to our Graylog server, apart from the Samba audit logs.

i.e. everything is logged apart from the Samba audit logs.

Please see the screenshot below for the FreeNAS config page.

Freenas.png


Below is my syslog-ng configuration for samba audit logs.

destination m_samba_audit { file("/mnt/ie/logs/smb/smb.log"); };
log { source(src); filter(f_local5); destination(m_samba_audit); flags(final); };
destination loghost { udp("192.168.3.42" port(5514) localport(514)); };
log { source(src); filter(f_info); destination(loghost); };

Please let me know what is wrong here, as we want the Samba logs to be stored on the Graylog server as well.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
There is a "use syslog only" checkbox in Services->SMB. And you should probably use full_audit rather than audit for this purpose (specifying the exact Samba VFS operations to monitor).
 

Deepak Singh

Dabbler
Joined
Jun 6, 2016
Messages
16
Hi Anodos,

Thanks for the response. The option "use syslog only" gives me logs of authentication failures, which again is not helping me. What I want is for mkdir, rmdir, unlink and rename to be logged if any user makes such changes.

In my Samba configuration's Aux Parameters I have added the following lines:

full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = mkdir rename unlink rmdir
full_audit:facility = LOCAL5
full_audit:priority = NOTICE

In syslog-ng I added the following lines:

destination m_samba_audit { file("/mnt/ie/logs/smb/smb.log"); };
log { source(src); filter(f_local5); destination(m_samba_audit); flags(final); };

So I am getting all the logs at /mnt/ie/logs/smb/smb.log. As I said, we have a Graylog central logging system. On the FreeNAS General config page I have defined the server IP and port, but it is not sending the Samba audit logs to the Graylog server.

I will be glad if you can point out what is wrong in the configuration that prevents me from achieving this.

Regards
 

Deepak Singh

Dabbler
Joined
Jun 6, 2016
Messages
16
Thanks for the help, anodos, but it seems it had nothing to do with the facility line or anything else.

In my syslog configuration I had set the "flags(final);" flag, which means it will write the logs to a single location only, so I simply removed that line and it worked. Such a silly mistake.

Anyway thanks for your help.

Please close this post and mark it solved.

Regards
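
The failure mode resolved in this thread, shown as an added example that is not part of the original posts: the posted syslog-ng log paths beside two working variants. The f_local5 definition and Option B are assumptions of this example; src and f_info are assumed to be defined elsewhere in the FreeNAS-generated syslog-ng.conf.

```conf
# Added example, not from the original posts.

# Assumed definition (not shown in the thread); matches
# "full_audit:facility = LOCAL5" from the SMB auxiliary parameters.
filter f_local5 { facility(local5); };

destination m_samba_audit { file("/mnt/ie/logs/smb/smb.log"); };
destination loghost { udp("192.168.3.42" port(5514) localport(514)); };

# BEFORE (as posted): flags(final) ends processing of every message that
# matches this log path, so log paths that appear later in the file,
# including the one feeding loghost, never see the Samba audit records.
#log { source(src); filter(f_local5); destination(m_samba_audit); flags(final); };
#log { source(src); filter(f_info); destination(loghost); };

# OPTION A (the fix reported in the thread): drop flags(final). local5
# messages are written to the file and then continue to the next log path.
# They reach loghost only if f_info also matches NOTICE-priority messages
# ("full_audit:priority = NOTICE").
log { source(src); filter(f_local5); destination(m_samba_audit); };
log { source(src); filter(f_info); destination(loghost); };

# OPTION B (alternative, an assumption of this example): keep flags(final)
# but name both destinations in the audit log path. Audit records then go
# to the file and to the remote host regardless of f_info, and are kept
# out of any later log paths.
#log { source(src); filter(f_local5);
#      destination(m_samba_audit); destination(loghost); flags(final); };
#log { source(src); filter(f_info); destination(loghost); };
```

Log statements are evaluated in the order they appear in the file, so with Option B the audit log path must stay above any path it is meant to pre-empt.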
 