Configuring Rsyslog for Samba-AD
In the following documentation, the transport is configured in TCP mode instead of UDP mode. This is more reliable for transport, but more resource intensive.
Encryption of the connection is not discussed in this documentation.
Note
Samba RPM packages are not compiled with direct rsyslog support, so rsyslog must be configured to watch the file Samba writes its audit log to.
On the host to audit
New in version 4.10.
Add to the file /etc/samba/smb.conf:

    log level = 1 auth_json_audit:3@/var/log/samba/samba_audit.log
Create the file /etc/rsyslog.d/send_samba.conf:

    module(load="imfile" PollingInterval="10")   # needs to be done just once
    input(type="imfile"
          File="/var/log/samba/samba_audit.log"
          Tag="samba_auth"
          Severity="info"
          Facility="auth")
    if ($syslogtag == "samba_auth") then {
        action(type="omfwd"
               target="143.126.200.167"
               port="514"
               protocol="tcp"
               action.resumeRetryCount="100"
               queue.type="linkedList"
               queue.size="10000")
    }
Relaunch rsyslog
systemctl restart rsyslog
On the host that concentrates the logs
Create the samba log directory if it does not exist yet:
mkdir -p /var/log/samba
Create the rsyslog configuration file /etc/rsyslog.d/recv_samba.conf:

    # Provides TCP syslog reception
    $ModLoad imtcp
    $InputTCPServerRun 514
    if ($syslogtag == "samba_auth") then /var/log/samba/audit_auth.log
Then restart the rsyslog service:
systemctl restart rsyslog
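Once the forwarding works, the collector's /var/log/samba/audit_auth.log holds one syslog line per Samba authentication attempt, each carrying the JSON record that the auth_json_audit class produced. The script below is an added example (not part of this page or of the Samba/rsyslog projects) showing how a defender would consume that file: it strips the syslog header rsyslog prepends, parses the JSON, skips lines that are not authentication records, and groups failed logons by source address to spot a single host trying many accounts. The field names follow Samba's auth_json_audit schema; the sample lines, hostnames, addresses and account names are constructed, and the threshold in spray_candidates is an assumption to tune for your environment.

```python
import json
from collections import defaultdict


def _auth_line(ts, status, remote, account, workstation="WS01", service="SMB2"):
    """Build a constructed collector line: rsyslog header + Samba JSON record."""
    record = {
        "timestamp": ts,
        "type": "Authentication",
        "Authentication": {
            "version": {"major": 1, "minor": 2},
            "status": status,
            "localAddress": "ipv4:10.0.0.5:445",
            "remoteAddress": f"ipv4:{remote}:51234",
            "serviceDescription": service,
            "authDescription": "bind",
            "clientDomain": "EXAMPLE",
            "clientAccount": account,
            "workstation": workstation,
            "passwordType": "NTLMv2",
        },
    }
    return f"Mar  3 10:15:01 dc1 samba_auth {json.dumps(record)}"


# Constructed sample of /var/log/samba/audit_auth.log on the collector.
# One host (10.0.0.99) fails against four different accounts in a row,
# which is the pattern the detection below is meant to surface.
SAMPLE_LINES = [
    _auth_line("2024-03-03T10:15:01.000000+0000", "NT_STATUS_OK", "10.0.0.20", "alice"),
    _auth_line("2024-03-03T10:15:02.000000+0000", "NT_STATUS_WRONG_PASSWORD", "10.0.0.99", "alice"),
    _auth_line("2024-03-03T10:15:03.000000+0000", "NT_STATUS_WRONG_PASSWORD", "10.0.0.99", "bob"),
    _auth_line("2024-03-03T10:15:04.000000+0000", "NT_STATUS_NO_SUCH_USER", "10.0.0.99", "carol"),
    _auth_line("2024-03-03T10:15:05.000000+0000", "NT_STATUS_WRONG_PASSWORD", "10.0.0.99", "dave"),
    _auth_line("2024-03-03T10:15:06.000000+0000", "NT_STATUS_WRONG_PASSWORD", "10.0.0.21", "bob"),
    # Lines that must be ignored: a plain-text test message and a truncated record.
    "Mar  3 10:15:09 dc1 samba_auth: test message from logger",
    'Mar  3 10:15:10 dc1 samba_auth {"timestamp": "2024-03-03T10:15:10',
]


def parse_event(line):
    """Return the Samba Authentication record embedded in a syslog line, or None."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        record = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    if record.get("type") != "Authentication":
        return None
    return record


def source_ip(address):
    """Strip Samba's 'ipv4:'/'ipv6:' prefix and the trailing ':port'."""
    return address.partition(":")[2].rsplit(":", 1)[0]


def summarize_failures(lines):
    """Map each source IP to the set of accounts it failed to authenticate as."""
    failed = defaultdict(set)
    for line in lines:
        record = parse_event(line)
        if record is None:
            continue
        auth = record["Authentication"]
        if auth["status"] == "NT_STATUS_OK":
            continue
        failed[source_ip(auth["remoteAddress"])].add(auth["clientAccount"])
    return failed


def spray_candidates(lines, min_accounts=3):
    """Sources with failed logons against at least min_accounts distinct accounts."""
    return sorted(ip for ip, accounts in summarize_failures(lines).items()
                  if len(accounts) >= min_accounts)


if __name__ == "__main__":
    for ip, accounts in sorted(summarize_failures(SAMPLE_LINES).items()):
        print(f"{ip}: {len(accounts)} account(s) failed: {', '.join(sorted(accounts))}")
    print("spray candidates:", spray_candidates(SAMPLE_LINES))
```

To run it against the real file, replace SAMPLE_LINES with the lines of /var/log/samba/audit_auth.log. Keying on remoteAddress rather than workstation matters because the workstation field is client-supplied, while the address comes from the connection Samba actually accepted.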