Export authentication & authorisation logs to Windows Event Viewer

Export authentication & authorisation logs to Windows Event Viewer

Samba - General mailing list
Hi,

Can we export the samba audit logs (Authentication & Authorisation Logs)
to Windows Event Viewer?

I am trying to export the authentication & authorisation logs to a
Windows Server to be shown in Windows Event Viewer. I read the link -
https://wiki.samba.org/index.php/Event_Logging. But couldn't follow much.

Can someone throw more light on the procedure, if it is possible?

--

Thanks & Regards,


Anantha Raghava


Do not print this e-mail unless required. Save Paper & trees.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Export authentication & authorisation logs to Windows Event Viewer

Samba - General mailing list
On Sat, 2018-01-06 at 12:21 +0530, Anantha Raghava via samba wrote:

> Hi,
>
> Can we export the samba audit logs (Authentication & Authorisation Logs)
> to Windows Event Viewer?
>
> I am trying to export the authentication & authorisation logs to a
> Windows Server to be shown in Windows Event Viewer. I read the link -
> https://wiki.samba.org/index.php/Event_Logging. But couldn't follow much.
>
> Can someone throw more light on the procedure, if it is possible?

Sadly not at this time.  I actually have a client task pending to look
into this better, but for now if you want to use the modern event
viewer it looks like quite a large protocol built on binary XML.  

The older eventlog protocol is still around, and it might be easier to
fill in that database.  Can you clarify if you would be wanting
eventlog or eventlog6 support?  While I don't wish to give false hopes,
it would be really helpful for the 'scoping study' I've been asked to
do if I knew better what users need here.

Additionally, I understand there are some security appliances etc that
use event log to get audit information from AD for security purposes.
If you or anyone else on the list uses one of these and can tell me a
little about them (names, versions, ideally get me a network trace of
it in action or where I can get a demo) that would also be really
helpful.

Thanks,

Andrew Bartlett

--
>
> Thanks & Regards,
>
>
> Anantha Raghava
>
>
> Do not print this e-mail unless required. Save Paper & trees.
>
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Export authentication & authorisation logs to Windows Event Viewer

Samba - General mailing list
On Sat, 2018-01-06 at 14:05 +0530, Anantha Raghava wrote:

> Hello Andrew,
>
> Thanks for quick response.
>
> The requirement here is, we are deploying a Smokescreen IllusionBLACK appliance for cyber security (Deception technology, unfortunately this appliance is built on Windows), and Active Directory Decoys are created. A task is created in the appliance that can read the AD event viewer and notify on login pass or fail. Attached is the schematic for your information.
>
> You can get more details from https://www.smokescreen.io/IllusionBLACK/ and you can also set up your demo.
> Unfortunately, this cannot read either syslog or JSON format. We even checked, if we, using some script, can write these logs into a text file on a Windows Server, whether it can read, but the answer is a Big NO. It uses the PowerShell to read the Windows Events and notifies when a specific event occurs.
>
> For now, older eventlog format is good, not sure about future.

Very interesting.  Does it connect and just see no events, or does it
fail to connect?  Have you tried injecting a fake event as directed by
that wiki page and see if it works?  (It would be a much simpler task
to extend the audit code if that were the case, or you could even write
the transformation tool).

Naturally I'll follow up with them about a demo.

Thanks,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


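Andrew's suggestion above was either to inject a test event as the wiki describes or to write the transformation tool yourself. The script below is an added example of that second option, written for this thread rather than taken from Samba or from the appliance vendor: it reads Samba's JSON authentication audit lines (the format the appliance cannot consume) and emits records in the text layout that `eventlogadm -o write` accepts, so they land in the legacy eventlog database the appliance was polling but finding empty. The JSON field names (`status`, `clientAccount`, `remoteAddress`, `serviceDescription`, `authDescription`, `workstation`), the `eventlogadm` record layout and the log path in the usage note are assumptions to check against your own Samba version and its `eventlogadm(8)` man page; the sample lines are constructed, and the event ids 4624/4625 are simply chosen to mirror the Windows logon success/failure ids a consumer keyed on those numbers would expect.

```python
"""Convert Samba JSON auth audit lines into eventlogadm text records.

Hypothetical helper for this thread, not Samba's own tooling. The JSON shape
(type "Authentication" with a nested "Authentication" object) and the
eventlogadm record layout are assumptions; verify both against your install.
"""
import json
import sys
from datetime import datetime, timezone

# 0x654c664c, the "LfLe" record signature eventlogadm expects in RS1 (assumed).
EVENTLOG_MAGIC = 1699505740
# Chosen to mirror the Windows logon success/failure event ids.
EID_LOGON_SUCCESS = 4624
EID_LOGON_FAILURE = 4625

# Constructed sample lines; field names are assumptions, not copied from a DC.
SAMPLE_SUCCESS = json.dumps({
    "timestamp": "2018-01-06T12:21:00.000000+0530",
    "type": "Authentication",
    "Authentication": {
        "status": "NT_STATUS_OK",
        "serviceDescription": "Kerberos KDC",
        "authDescription": "ENC-TS Pre-authentication",
        "clientDomain": "EXAMPLE",
        "clientAccount": "alice",
        "remoteAddress": "ipv4:192.0.2.10:49152",
        "workstation": "WS01",
    },
})
SAMPLE_FAILURE = json.dumps({
    "timestamp": "2018-01-06T12:22:30.000000+0530",
    "type": "Authentication",
    "Authentication": {
        "status": "NT_STATUS_WRONG_PASSWORD",
        "serviceDescription": "SMB2",
        "authDescription": "NTLMSSP",
        "clientDomain": "EXAMPLE",
        "clientAccount": "bob",
        "remoteAddress": "ipv4:192.0.2.20:51000",
        "workstation": "WS02",
    },
})
# A non-authentication record, to show that other types are skipped.
SAMPLE_OTHER = json.dumps({"timestamp": "2018-01-06T12:23:00.000000+0530",
                           "type": "Authorization", "Authorization": {}})


def parse_auth_line(line):
    """Return the Authentication fields plus timestamp, or None for anything else."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None  # not JSON at all (e.g. a plain-text debug line)
    if rec.get("type") != "Authentication":
        return None
    return {"timestamp": rec.get("timestamp"), **rec.get("Authentication", {})}


def _epoch(ts):
    """Samba writes ISO-8601 with microseconds and a numeric offset; fall back to now."""
    try:
        return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp())
    except (TypeError, ValueError):
        return int(datetime.now(timezone.utc).timestamp())


def to_eventlogadm_record(line, source="Samba Auth", server="DC1"):
    """Build one eventlogadm text record, or None if the line is not an auth event."""
    auth = parse_auth_line(line)
    if auth is None:
        return None
    ok = auth.get("status") == "NT_STATUS_OK"
    when = _epoch(auth.get("timestamp"))
    account = f"{auth.get('clientDomain', '')}\\{auth.get('clientAccount', '')}"
    text = (f"Logon {'succeeded' if ok else 'failed'} for {account} "
            f"from {auth.get('remoteAddress', '?')} (workstation {auth.get('workstation', '?')}) "
            f"via {auth.get('serviceDescription', '?')}/{auth.get('authDescription', '?')}: "
            f"{auth.get('status', '?')}")
    text = " ".join(text.split())  # STR must stay on a single line
    fields = [
        ("LEN", 0),                   # eventlogadm recomputes the record length
        ("RS1", EVENTLOG_MAGIC),
        ("RCN", 0),                   # record number, assigned on write
        ("TMG", when),                # time generated
        ("TMW", when),                # time written
        ("EID", EID_LOGON_SUCCESS if ok else EID_LOGON_FAILURE),
        ("ETP", "AUDIT SUCCESS" if ok else "AUDIT FAILURE"),
        ("ECT", 0), ("RS2", 0), ("CRN", 0), ("USL", 0),
        ("SRC", source),              # event source name
        ("SRN", server),              # computer name shown in the viewer
        ("STR", text),
        ("DAT", ""),
    ]
    return "\n".join(f"{k}: {v}" for k, v in fields) + "\n"


def convert_stream(lines, source="Samba Auth", server="DC1"):
    """Yield one record per Authentication line; everything else is dropped."""
    for line in lines:
        rec = to_eventlogadm_record(line, source, server)
        if rec is not None:
            yield rec


if __name__ == "__main__":
    src = sys.stdin if not sys.stdin.isatty() else [SAMPLE_SUCCESS, SAMPLE_FAILURE, SAMPLE_OTHER]
    for rec in convert_stream(src):
        sys.stdout.write(rec)
```

Run without input to see the two constructed records; in production, feed it the live JSON audit log and pipe its output into `eventlogadm -o write "Security"` (the log name and path are assumptions, e.g. `tail -F /var/log/samba/auth.json | python3 samba_auth_to_eventlog.py | eventlogadm -o write Security`). Two things to check on your side: that the record keys match what your `eventlogadm` build parses, and that the log name you write to is the one the appliance reads, since an event in the wrong log is as invisible as no event at all.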

Re: Export authentication & authorisation logs to Windows Event Viewer

Samba - General mailing list
Hello Andrew,

The appliance can connect, but cannot see the events.

I did attempt the procedure given in the wiki, but could not get the dll
part going.

--

Thanks & Regards,


Anantha Raghava


Do not print this e-mail unless required. Save Paper & trees.

On 06/01/18 2:12 PM, Andrew Bartlett wrote:

> On Sat, 2018-01-06 at 14:05 +0530, Anantha Raghava wrote:
>> Hello Andrew,
>>
>> Thanks for quick response.
>>
>> The requirement here is, we are deploying a Smokescreen IllusionBLACK appliance for cyber security (Deception technology, unfortunately this appliance is built on Windows), and Active Directory Decoys are created. A task is created in the appliance that can read the AD event viewer and notify on login pass or fail. Attached is the schematic for your information.
>>
>> You can get more details from https://www.smokescreen.io/IllusionBLACK/ and you can also set up your demo.
>> Unfortunately, this cannot read either syslog or JSON format. We even checked, if we, using some script, can write these logs into a text file on a Windows Server, whether it can read, but the answer is a Big NO. It uses the PowerShell to read the Windows Events and notifies when a specific event occurs.
>>
>> For now, older eventlog format is good, not sure about future.
> Very interesting.  Does it connect and just see no events, or does it
> fail to connect?  Have you tried injecting a fake event as directed by
> that wiki page and see if it works?  (It would be a much simpler task
> to extend the audit code if that were the case, or you could even write
> the transformation tool).
>
> Naturally I'll follow up with them about a demo.
>
> Thanks,
>
> Andrew Bartlett
