Configuring Rsyslog for Samba-AD

In the following documentation, the transport is configured in TCP mode instead of UDP mode. TCP is the more reliable transport, but it is more resource intensive.

Encryption of the connection is not discussed in this documentation.

Note

Samba RPM packages are not compiled with direct rsyslog support, so rsyslog must instead be configured to monitor Samba's log files.

On the host to audit

New in version 4.10.

  • Add to the file /etc/samba/smb.conf:

    log level = 1 auth_json_audit:3@/var/log/samba/samba_audit.log
    
  • Create the file /etc/rsyslog.d/send_samba.conf:

    module(load="imfile" PollingInterval="10") # load the file-input module once per host
    
    # Read the JSON audit file line by line and tag each line for routing below
    input(type="imfile"
          File="/var/log/samba/samba_audit.log"
          Tag="samba_auth"
          Severity="info"
          Facility="auth")
    
    # Forward only the tagged messages to the collector over TCP; the in-memory
    # queue and the retries buffer messages while the collector is unreachable
    if ($syslogtag == "samba_auth") then {
        action(type="omfwd" target="143.126.200.167" port="514" protocol="tcp"
               action.resumeRetryCount="100"
               queue.type="linkedList" queue.size="10000")
    }
    
  • Restart rsyslog:

    systemctl restart rsyslog
    

On the host that concentrates the logs

  • Create the samba log directory if it does not exist yet:

    mkdir -p /var/log/samba
    
  • Create the rsyslog configuration file /etc/rsyslog.d/recv_samba.conf:

    # Provides TCP syslog reception
    $ModLoad imtcp
    $InputTCPServerRun 514
    
    # Write the messages tagged by the sending host's imfile input to their own file
    if ($syslogtag == "samba_auth") then /var/log/samba/audit_auth.log
    
  • Then restart the rsyslog service:

    systemctl restart rsyslog
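Once the collector writes /var/log/samba/audit_auth.log, the received lines can be parsed for detection, for example to count failed authentications per source host. This is an added example, not part of this documentation; it assumes rsyslog's default file format on the collector and the field names of Samba's auth_json_audit JSON, and the sample records below are constructed and abbreviated.

```python
import json
from collections import Counter

# Constructed sample of the collector's /var/log/samba/audit_auth.log: rsyslog's default
# file format (timestamp, host, tag) then Samba's auth_json_audit JSON, abbreviated, values made up.
SAMPLE_LOG = """\
Mar  3 09:12:01 dc1 samba_auth {"timestamp": "2024-03-03T09:12:01+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.0.0.50:49321", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "EXAMPLE", "clientAccount": "alice"}}
Mar  3 09:12:05 dc1 samba_auth {"timestamp": "2024-03-03T09:12:05+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:10.0.0.77:51002", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": "EXAMPLE", "clientAccount": "bob"}}
Mar  3 09:12:06 dc1 samba_auth {"timestamp": "2024-03-03T09:12:06+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:10.0.0.77:51003", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": "EXAMPLE", "clientAccount": "admin"}}
Mar  3 09:12:07 dc1 samba_auth {"timestamp": "2024-03-03T09:12:07+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:10.0.0.77:51004", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": "EXAMPLE", "clientAccount": "carol"}}
Mar  3 09:12:08 dc1 samba_auth {"timestamp": "2024-03-03T09:12:08+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv6:fd00::77:51005", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": "EXAMPLE", "clientAccount": "dave"}}
Mar  3 09:12:09 dc1 samba_auth {"timestamp": "2024-03-03T09:12:09+0100", "type": "Authorization", "Authorization": {"remoteAddress": "ipv4:10.0.0.50:49321", "serviceDescription": "SMB2", "account": "alice"}}
Mar  3 09:12:10 dc1 samba_auth {"timestamp": "2024-03-03T09:12:10+0100", "type": "Authentication"
"""

def parse_records(text):
    # rsyslog prefixes each line with its own header, so the JSON starts at the first '{'
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            yield json.loads(line[start:])
        except json.JSONDecodeError:  # truncated or non-JSON line: skip, not fatal
            continue

def source_host(remote_address):
    # remoteAddress is "ipv4:HOST:PORT" or "ipv6:HOST:PORT"; drop the family and the port
    rest = remote_address.partition(":")[2]
    return rest.rpartition(":")[0] or rest

def failed_auth_by_source(text):
    # Count Authentication events whose status is not NT_STATUS_OK, per source host
    counts = Counter()
    for rec in parse_records(text):
        if rec.get("type") != "Authentication":
            continue
        auth = rec.get("Authentication", {})
        if auth.get("status") == "NT_STATUS_OK":
            continue
        counts[source_host(auth.get("remoteAddress", ""))] += 1
    return counts

def sources_over_threshold(text, threshold=3):
    # Hosts with at least `threshold` failures; the threshold is an arbitrary choice
    return sorted(h for h, n in failed_auth_by_source(text).items() if n >= threshold)

if __name__ == "__main__":
    print(failed_auth_by_source(SAMPLE_LOG), sources_over_threshold(SAMPLE_LOG))
```

Point `SAMPLE_LOG` at the real file contents to run it against the collector's output.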