Samba Log Analysis
As the security requirements on file sharing increase, logs have to be recorded and audited in more and more situations. The configuration file of the Samba service on Linux is smb.conf. Many graphical configuration tools, such as Webmin, smbconftool, SWAT, and the system-config-samba tool provided by Red Hat, can simplify the process of configuring smb.conf, but these tools are not precise enough to meet Samba's needs. If there is no ready-made tool for analyzing Samba logs, we have to understand the structure of Samba's logs ourselves.
1. Samba default log
We will not discuss how to configure Samba here. The following example tracks and queries a client's access to shared resources over SMB. Run the command netstat -na | grep ESTABLISHED to display the TCP connection status, as shown in Figure 1.
The PID 10600 in the penultimate line of Figure 1 is the ID of the smbd process, which can be inspected with "ps -ef | grep 10600". At the same time, the system writes the Samba process startup log to /var/log/messages.
Generally, the access logs of all clients are stored in one log file, which is inconvenient for querying and for file management. How can we store the connection information of each client in a separate file? We need to work with smb.conf. The following line already exists in the smb.conf file:
; log file = /var/log/samba/%m.log
Remove the leading ";" and restart the smbd service. If you are worried that the log grows too large, also enable the following option:
max log size = 500    (maximum log size, in KB)
Note: What role does the PID play? Generally you do not pay attention to the PID number, but sometimes it helps you find problems when debugging faults.
Here the PID is used for fault debugging, as shown in Figure 2.
# ps -ef | grep smb
The preceding command lists the Samba processes. Based on the connected user identity (here the test user), you can easily deduce that PID 13778 is that user's smbd process. Then run the strace command with two parameters to restrict the output to file-related system calls. The -p 13778 parameter tells strace to attach to the running process with this process ID. The output of this command will be fairly long; you will see that smbd constantly scans directories to check whether anything has changed. When you then try the problematic operation, the output is very detailed, and this information helps users solve problems (especially permission issues such as "Access denied").
2. Samba audit
If you find the log records not detailed enough, you can adjust the level of detail through the log level parameter: the higher the level, the more detailed the record. Samba logs through the LOG_DAEMON syslog facility. The log level is divided into 10 levels; Table 1 lists the 4 commonly used ones.
Table 1 Samba log levels

Syslog priority    Samba log level
LOG_ERR            0
LOG_WARNING        1
LOG_NOTICE         2
LOG_INFO           3
Use the audit module to obtain more details. Samba's full_audit module is configured as follows. Add the following lines to the [global] section:
# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close fchmod chown fchown chdir
full_audit:facility = local5
full_audit:priority = notice
%u: the user name
%I: the client IP address
%S: the Samba share name
Then add the following line as well:
vfs object = full_audit
After modifying smb.conf, save and exit, and use testparm to check that the configuration file is correct. The following is a sample Samba audit log:
#cat 192.168.150.154.log.old | grep audit
Initialising custom vfs hooks from [full_audit]
Module '/usr/lib/samba/vfs/full_audit.so' loaded
[2013/05/05 04:02:06, 0] modules/vfs_full_audit.c:log_success(689)
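As an added example (not code from the original article), the following Python script parses full_audit records of the kind the prefix setting above produces, separates successful from failed operations, and counts operations per user. The sample log lines are constructed here following the %u|%I|%S prefix rather than copied from a real server; the hostname "fileserver" and the file names are made up.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the article) in the shape
# full_audit produces with full_audit:prefix = %u|%I|%S: the three prefix
# fields, the operation, "ok" or "fail (reason)", then the operation's
# arguments. A non-audit smbd line is included to show it is skipped.
SAMPLE_LOG = """\
May  5 04:02:06 fileserver smbd_audit: test|192.168.150.154|share|connect|ok|share
May  5 04:02:07 fileserver smbd_audit: test|192.168.150.154|share|opendir|ok|.
May  5 04:02:09 fileserver smbd_audit: test|192.168.150.154|share|open|ok|r|report.doc
May  5 04:02:11 fileserver smbd_audit: test|192.168.150.154|share|mkdir|fail (Permission denied)|private
May  5 04:02:15 fileserver smbd_audit: guest|192.168.150.200|share|connect|fail (Access denied)|share
May  5 04:02:16 fileserver smbd[10600]: Module '/usr/lib/samba/vfs/full_audit.so' loaded
May  5 04:02:20 fileserver smbd_audit: test|192.168.150.154|share|disconnect|ok|share
"""

AUDIT_RE = re.compile(r"smbd_audit:\s*(?P<body>.+)$")
FAIL_RE = re.compile(r"fail\s*\((?P<reason>.*)\)")


def parse_audit_line(line):
    """Parse one full_audit record; return None for lines that are not audit records."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = m.group("body").split("|")
    if len(fields) < 5:          # prefix (3 fields) + operation + result at minimum
        return None
    user, ip, share, op, result = fields[:5]
    fail = FAIL_RE.match(result.strip())
    return {"user": user, "ip": ip, "share": share, "op": op,
            "ok": fail is None,
            "reason": fail.group("reason") if fail else None,
            "args": fields[5:]}


def summarize(text):
    """Return (records, operation count per (user, op), failed records)."""
    records = [r for r in map(parse_audit_line, text.splitlines()) if r]
    per_user_op = Counter((r["user"], r["op"]) for r in records)
    failures = [r for r in records if not r["ok"]]
    return records, per_user_op, failures


if __name__ == "__main__":
    records, per_user_op, failures = summarize(SAMPLE_LOG)
    for (user, op), n in sorted(per_user_op.items()):
        print(f"{user:<8} {op:<12} {n}")
    for r in failures:          # failed operations deserve a closer look
        print(f"FAIL {r['user']}@{r['ip']} {r['op']} {r['args']}: {r['reason']}")
```

Pointing summarize() at the contents of the local5 syslog file instead of SAMPLE_LOG gives the same per-user and failure breakdown for a real server.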
Next we will record the audit log in a MySQL database and publish it through the web for queries.
3. Use MySQL to record Samba audit logs
To record Samba audit logs in a MySQL database and view them through the web, we carried out the following experiment. First we installed Samba from source on CentOS Linux 5.5, then went to the official SMBD Audit website, http://smbdaudit.sourceforge.net/, and downloaded the smb_audit software as follows:
1) Download smb_audit-0.3.7
#cd /usr/local/src/
#wget "http://sourceforge.net/settings/mirror_choices?projectname=smbdaudit&filename=smbdaudit/smb_audit-0.3.7/smb_audit-0.3.7.i386.tar.bz2"
#tar jxf smb_audit-0.3.7.i386.tar.bz2
2) Create the MySQL database
cd /usr/local/src/smb_audit-0.3.7
mysql -u root -p -A mysql
mysql> create database smbd;
mysql> grant all on smbd.* to 'smbd'@'localhost' identified by 'smbd001';
mysql> exit
mysql -p smbd < smbd_mysql.sql
3) Recompile mysql_audit.so for Samba 3.0.28
#cd /usr/local/smb_audit-0.3.7/src2
#yum install mysql-devel
#mv 3.0.28a 3.0.28a-bak
#ln -s /usr/local/src/samba-3.0.28/source 3.0.28a
#cp 3.0.28a/popt/popt.h 3.0.28a/include/
#make
#cp mysql_audit.so /opt/samba/lib/vfs/
4) Configure smb.conf to use mysql_audit
#vi /etc/samba/smb.conf
    vfs object = mysql_audit
#service smb restart
5) Web configuration
#cd /var/www/html/
#ln -s /usr/local/src/smb_audit-0.3.7 smb_audit
6) Access http://ip/smb_audit/ in a browser; the result is shown in Figure 3.