Configuring Rsyslog for Samba-AD

In the following documentation, the transport is configured in TCP mode instead of UDP mode. This is more reliable for transport, but more resource intensive.

Encryption of the connection is not discussed in this documentation.

Note

Samba RPM packages are not compiled with direct rsyslog support. You must then configure rsyslog to monitor Samba logs.

On the host to audit

New in version 4.10.

• Add to the file /etc/samba/smb.conf:

  log level = 1 auth_json_audit:3@/var/log/samba/samba_audit.log
  

• Create the file /etc/rsyslog.d/send_samba.conf:

  module(load="imfile" PollingInterval="10") #needs to be done just once
  
  input(type="imfile"
        File="/var/log/samba/samba_audit.log"
        Tag="samba_auth"
        Severity="info"
        Facility="auth")
  
  if ($syslogtag == "samba_auth") then {
      action(type="omfwd" target="143.126.200.167" port="514" protocol="tcp"
             action.resumeRetryCount="100"
             queue.type="linkedList" queue.size="10000")
  }
  

• Relaunch rsyslog

  systemctl restart rsyslog
  

On the host that concentrates the logs

• Create the samba log directory if it does not exist yet:

  mkdir -p /var/log/samba
  

• Create the configuration file rsyslog /etc/rsyslog.d/recv_samba.conf:

  # Provides TCP syslog reception
  $ModLoad imtcp
  $InputTCPServerRun 514
  
  if ($syslogtag == "samba_auth")  then /var/log/samba/audit_auth.log
  

• Then restart the rsyslog service:

  systemctl restart rsyslog