.. Reminder for header structure:
   Parts (H1) : #################### with overline
   Chapters (H2) : ******************** with overline
   Sections (H3) : ====================
   Subsections (H4) : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6) : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Configuring Rsyslog for Samba-AD
   :keywords: Security, Samba-AD, documentation, rsyslog, audit

.. _samba_configure_rsyslog:

################################
Configuring Rsyslog for Samba-AD
################################

In the following documentation, the transport is configured in :abbr:`TCP (Transmission Control Protocol)` mode instead of :abbr:`UDP (User Datagram Protocol)` mode. This is more reliable for transport, but more resource intensive. Encryption of the connection is not discussed in this documentation.

.. note::

   Samba :abbr:`RPM (Red Hat Package Manager)` packages are not compiled with direct rsyslog support. You must then configure rsyslog to *monitor* Samba logs.

********************
On the host to audit
********************

.. versionadded:: 4.10

* Add to the file :file:`/etc/samba/smb.conf`:

  .. code-block:: ini

     log level = 1 auth_json_audit:3@/var/log/samba/samba_audit.log

* Create the file :file:`/etc/rsyslog.d/send_samba.conf`:

  .. code-block:: ini

     module(load="imfile" PollingInterval="10") #needs to be done just once
     input(type="imfile"
           File="/var/log/samba/samba_audit.log"
           Tag="samba_auth"
           Severity="info"
           Facility="auth")

     if ($syslogtag == "samba_auth") then {
         action(type="omfwd"
                target="143.126.200.167"
                port="514"
                protocol="tcp"
                action.resumeRetryCount="100"
                queue.type="linkedList"
                queue.size="10000")
     }

* Relaunch rsyslog:

  .. code-block:: bash

     systemctl restart rsyslog

**************************************
On the host that concentrates the logs
**************************************

* Create the samba log directory if it does not exist yet:

  .. code-block:: bash

     mkdir -p /var/log/samba

* Create the rsyslog configuration file :file:`/etc/rsyslog.d/recv_samba.conf`:

  .. code-block:: ini

     # Provides TCP syslog reception
     $ModLoad imtcp
     $InputTCPServerRun 514

     if ($syslogtag == "samba_auth") then /var/log/samba/audit_auth.log

* Then restart the rsyslog service:

  .. code-block:: bash

     systemctl restart rsyslog
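As an added example that is not part of this documentation, the following Python script reads the concentrated :file:`/var/log/samba/audit_auth.log` on the collector and counts failed authentications per account and source address. It assumes rsyslog's default file format for the syslog header, and the JSON field names (``type``, ``Authentication``, ``status``, ``clientAccount``, ``remoteAddress``) are assumed to follow Samba's ``auth_json_audit`` records; the sample lines are constructed.

```python
import json
import re
from collections import Counter

# Constructed sample of what imtcp writes to /var/log/samba/audit_auth.log:
# syslog header, the "samba_auth" tag, then the JSON record Samba wrote to
# samba_audit.log. JSON field names are assumed from Samba's auth_json_audit.
SAMPLE_LOG = """\
Mar  3 10:15:22 dc01 samba_auth {"timestamp": "2024-03-03T10:15:22.110101+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.0.2.10:49152", "clientDomain": "EXAMPLE", "clientAccount": "alice", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication"}}
Mar  3 10:15:23 dc01 samba_auth {"timestamp": "2024-03-03T10:15:23.220202+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.77:51000", "clientDomain": "EXAMPLE", "clientAccount": "bob", "serviceDescription": "SMB2", "authDescription": "NTLMSSP"}}
Mar  3 10:15:24 dc01 samba_auth {"timestamp": "2024-03-03T10:15:24.330303+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.77:51001", "clientDomain": "EXAMPLE", "clientAccount": "bob", "serviceDescription": "SMB2", "authDescription": "NTLMSSP"}}
Mar  3 10:15:25 dc01 samba_auth {"timestamp": "2024-03-03T10:15:25.440404+0100", "type": "Authorization", "Authorization": {"account": "alice", "remoteAddress": "ipv4:192.0.2.10:49152"}}
Mar  3 10:15:26 dc01 samba_auth this line is not JSON and must be skipped
"""

# Syslog header written by the collector: timestamp, host, tag, then the message.
HEADER = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ samba_auth\s+(?P<msg>.*)$")


def parse_auth_events(text):
    """Yield the 'Authentication' dicts from samba_auth lines; skip the rest."""
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        try:
            rec = json.loads(m.group("msg"))
        except json.JSONDecodeError:
            continue  # imfile forwards whatever is in the file; tolerate noise
        if rec.get("type") == "Authentication":
            yield rec["Authentication"]


def failed_logons(text):
    """Count non-NT_STATUS_OK authentications per (account, source IP)."""
    hits = Counter()
    for ev in parse_auth_events(text):
        if ev.get("status") == "NT_STATUS_OK":
            continue
        # remoteAddress looks like "ipv4:192.0.2.77:51000"; keep only the IP
        ip = ev.get("remoteAddress", "?:?").split(":")[1]
        hits[(ev.get("clientAccount", "?"), ip)] += 1
    return hits


if __name__ == "__main__":
    for (account, ip), n in failed_logons(SAMPLE_LOG).most_common():
        print(f"{n:4d} failed logons for {account} from {ip}")
```

Run it against the real file with ``failed_logons(open("/var/log/samba/audit_auth.log").read())``; a high count for one account from one address is the signal a defender would alert on.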