Samba Log Analysis
As the security requirements of our file-sharing servers rise, more and more situations call for logging and auditing. On Linux, the configuration file for the Samba service is smb.conf. A number of graphical configuration tools, such as Webmin, Smbconftool, SWAT and the system-config-samba tool provided by Red Hat, simplify the process of editing smb.conf, but the level of detail these tools expose is not sufficient for Samba logging and auditing.
1. The log that Samba provides by default
How to configure Samba in general is not covered here; the following example is used to trace which clients access shared resources over SMB. The command `netstat -na | grep ESTABLISHED` lists the established TCP connections, as shown in Figure 1.
Figure 1 Samba Log Analysis (screenshot of the netstat and ps output; image not reproduced)
In the penultimate row of Figure 1, PID 10600 is the process ID of the smbd process; it can be located with `ps -ef | grep 10600`. At the same time, the Samba startup messages are written to /var/log/messages.
In general, putting every client's access records into a single log file is not only inconvenient to search, the file also quickly becomes hard to manage. How do you keep each client's connection information in a separate file? A small change to smb.conf is enough: the file already contains a commented-out line that does exactly this.
log file = /var/log/samba/%m.log
Remove the leading ";" and restart the smbd service. If you are concerned that the logs will grow too large, enable the following option as well (the value is in KB, so 500 caps each log at 500 KB):
max log size = 500
Note: what role does the PID play? The PID number is not something you always need, but sometimes it is the key to locating a problem when debugging a fault.
Here is an explanation of how the PID helps when debugging failures, as shown in Figure 2.
Figure 2 Strace Analysis PID (screenshot of the ps and strace output; image not reproduced)
# ps -ef | grep smb
The above command lists the Samba processes. Based on the identity of the connected user (here the test user) it is easy to determine that PID 13778 is that user's smbd process. Then run strace with two parameters: one restricts the output to file-related system calls, and "-p 13778" tells strace to attach to the running process with that process ID. Once the command is running, the output becomes long. You will see smbd repeatedly scanning the directory to check for changes; when the user then attempts the operation that fails, very detailed information appears, which is a great help in solving the user's problem (especially problems caused by permissions, such as access-denied errors).
2. Samba Audits
If you feel the logging is not detailed enough, you can also adjust the logging level with the `log level` parameter: the higher the level, the more verbose the record. Samba maps its log levels onto the syslog daemon levels (LOG_DAEMON), dividing logging into ten levels; Table 1 lists the four common ones.
Table 1 Samba Log Level
    syslog priority    Samba log level
    LOG_ERR            0
    LOG_WARNING        1
    LOG_NOTICE         2
    LOG_INFO           3
For more detail, use an audit module. Samba's full_audit module is described below; here is how to use it:
Add the following lines to the [global] section of smb.conf:
# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close fchmod chown fchown chdir
full_audit:facility = LOCAL5
full_audit:priority = NOTICE
%u: the user name
%I: the client's IP address
%S: the name of the Samba share (service)
Also, in each shared directory's section, for example [public], add:
vfs objects = full_audit
After modifying smb.conf, save and exit, then check the correctness of the configuration file with testparm. The following is a sample of the Samba audit log:
# cat 192.168.150.154.log.old | grep -i audit
Initialising custom vfs hooks from [full_audit]
Module '/usr/lib/samba/vfs/full_audit.so' loaded
[2013/05/05 04:02:06, 0] modules/vfs_full_audit.c:log_success(689)
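As an added example (not code from the original post), the following Python script parses full_audit records of the shape the prefix above produces (user|client ip|share|op|status|args) and reports clients with repeated failed operations. It assumes the records were written to a syslog file as in the constructed sample, and that full_audit:failure was extended beyond connect to cover open and mkdir, since the configuration above only records connect failures.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the post) in the shape
# smbd_audit writes with prefix %u|%I|%S: user|client ip|share|op|status|args
SAMPLE_LOG = """\
May  5 04:02:06 fileserver smbd_audit: test|192.168.150.154|public|connect|ok|public
May  5 04:02:06 fileserver smbd_audit: test|192.168.150.154|public|opendir|ok|.
May  5 04:02:09 fileserver smbd_audit: test|192.168.150.154|public|open|fail (Permission denied)|r|finance/budget.xls
May  5 04:02:10 fileserver smbd_audit: test|192.168.150.154|public|open|fail (Permission denied)|r|finance/salary.xls
May  5 04:02:11 fileserver smbd_audit: test|192.168.150.154|public|mkdir|fail (Permission denied)|finance/tmp
May  5 04:02:15 fileserver smbd_audit: test|192.168.150.154|public|disconnect|ok|public
May  5 04:03:01 fileserver smbd_audit: alice|192.168.150.20|public|connect|ok|public
May  5 04:03:02 fileserver smbd_audit: alice|192.168.150.20|public|open|ok|r|readme.txt
May  5 04:03:03 fileserver sshd[2201]: Accepted password for alice from 192.168.150.20
"""

# Timestamp, host, the smbd_audit tag, then the '|'-separated audit record.
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smbd_audit: "
    r"(?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<share>[^|]*)\|(?P<op>[^|]*)\|"
    r"(?P<status>ok|fail(?: \([^)]*\))?)(?:\|(?P<args>.*))?$"
)


def parse_audit(text):
    """Return one dict per smbd_audit record; unrelated syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ok"] = rec["status"] == "ok"
        # "fail (Permission denied)" -> "Permission denied"
        rec["reason"] = None if rec["ok"] else rec["status"][6:-1]
        rec["args"] = (rec["args"] or "").split("|")
        records.append(rec)
    return records


def failures_by_client(records, threshold=3):
    """Count failed operations per (user, ip, share); keep those at or above threshold."""
    counts = Counter((r["user"], r["ip"], r["share"]) for r in records if not r["ok"])
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (user, ip, share), n in failures_by_client(parse_audit(SAMPLE_LOG)).items():
        print(f"{user}@{ip} on [{share}]: {n} failed operations")
```

Point the script at the file your LOCAL5 facility is routed to (for example via a syslog.conf rule) to see which users hit repeated access-denied errors on a share.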
Below we go a step further and record the audit log in a MySQL database, publishing it through the Web for querying.
3. Recording Samba audit logs in MySQL
To record the Samba audit log in a MySQL database and query it through the Web, we ran the following experiment. First, Samba was installed from source on a CentOS Linux 5.5 system; then the smb_audit software was downloaded from the SMBD Audit website, http://smbdaudit.sourceforge.net/. The steps are as follows:
1) Download smb_audit-0.3.7
# cd /usr/local/src/
# wget "http://sourceforge.net/settings/mirror_choices?projectname=smbdaudit&filename=smbdaudit/smb_audit-0.3.7/smb_audit-0.3.7.i386.tar.bz2"
# tar jxf smb_audit-0.3.7.i386.tar.bz2
2) Build the MySQL database
# cd /usr/local/src/smb_audit-0.3.7
# mysql -u root -p -A mysql
mysql> CREATE DATABASE smbd;
mysql> GRANT ALL ON smbd.* TO 'smbd'@'localhost' IDENTIFIED BY 'smbd001';
mysql> exit
# mysql -p smbd < smbd_mysql.sql
3) Recompile mysql_audit.so for use with samba-3.0.28
# cd /usr/local/src/smb_audit-0.3.7/src2
# yum install mysql-devel
# mv 3.0.28a 3.0.28a-bak
# ln -s /usr/local/src/samba-3.0.28/source 3.0.28a
# cp 3.0.28a/popt/popt.h 3.0.28a/include/
# make
# cp mysql_audit.so /opt/samba/lib/vfs/
4) Configure smb.conf to use mysql_audit
# vi /etc/samba/smb.conf
In the share section, set the VFS module to the new object:
vfs objects = mysql_audit
# service smb restart
5) Web configuration
# cd /var/www/html/
# ln -s /usr/local/src/smb_audit-0.3.7 smb_audit
6) Open http://ip/smb_audit/ in a browser; the result is shown in Figure 3.
Figure 3 Browsing the Samba log through the Web (screenshot; image not reproduced)
For information on Samba transport security, see the blog post: http://chenguang.blog.51cto.com/350944/237380
For more, see the book Unix/Linux Log Analysis and Traffic Monitoring.
This article is from the "Lee Chenguang original technology blog"; reprinting is declined!