Have you tried something like tail -f log.samba > tmp.log.samba and immediately logging into a workstation to see exactly how it gets logged? If your server is processing a lot of requests you may have a bunch of lines to dig through, but I think it would be much easier than a complete log file.
On Thu, Mar 7, 2013 at 6:10 PM, Bob Miller <[email protected]> wrote:
> Thanks Gregory,
>
> I appreciate your answer, but this isn't quite what I am looking for.
>
> I am using samba4 compiled from source, and I am using daemontools to
> run it, so all the logs are being captured on stdout and dumped into a
> file, but I understand your point about where the logs are and how to
> search them.
>
> What I am looking for might be better described like so:
>
> grep "Mar 5" sambalogfile | grep <string showing a workstation was logged into>
>
> Note that I am not looking to see if a specific user logged in during a
> specific time, but for all users that performed a login during a
> specific time.
>
> Also, because I have multiple services authenticating against this
> active directory, how do I tell the difference between a user logging
> into a workstation and a user logging into webmail (and being
> authenticated by Active Directory) from outside the organization?
>
> --
> Computerisms
> Bob Miller
> 867-334-7117 / 867-633-3760
> http://computerisms.ca
>
>
> On Thu, 2013-03-07 at 14:38 -0600, Gregory Carter wrote:
> > Yes.
> >
> > Under /var/log/samba in a typical distro you will find the log files for
> > each IP address/workstation connected to the samba server.
> >
> > You could then use egrep to go through the files and look for various
> > logins.
> >
> > A typical example would be:
> >
> > egrep -in "gcarter|Mar 5" log*
> >
> > The above example looks through all of the log files beginning with
> > "log" and looks for the samba user name and date associated with the
> > name.
> >
> > If you are not capturing that sort of detail, depending on how you have
> > your smbd process configured, you might be out of luck.
> >
> > You can use the same technique on any log file including Email if you
> > are running an email/smtp/pop server of course for searching information.
> >
> > -gc
> >
> > On 03/07/2013 02:17 PM, Bob Miller wrote:
> > > Hello,
> > >
> > > Some mischief happened and I have been asked if I can find out who was
> > > logged into their computers within a specific off-hours time frame. My
> > > logs for that time frame happened to be running at debug level 3, so I
> > > have been looking through them and trying to figure out how to recognize
> > > a workstation login. I find lines beginning with
> > > auth_check_password_send that seem like reasonably good candidates, but
> > > I have a number of other services such as email authenticating against
> > > the AD, and it seems that is just as likely to describe a mail log in as
> > > it is a workstation login. Is there a way, or some documentation that
> > > will explain how, to parse the log files and determine which
> > > workstations were actively in use and by which account? Or are there
> > > any tools that will parse the log files and provide me such information?
> > >
> >
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
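
Added example, not part of the original thread: one way to pull every auth_check_password_send attempt inside a time window out of a level 3 log, together with the workstation name recorded beside each account. It assumes each message is preceded by a Samba debug header line of the form "[YYYY/MM/DD HH:MM:SS.uuuuuu,  3] file(function)" and that the message ends in "user [DOMAIN]\[account]@[WORKSTATION]"; the function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example. The log layout is an assumption and the sample lines are
# constructed; check both against a real excerpt before relying on the output.

# auth_in_window START END FILE   (FILE may be "-" for stdin)
# START/END are "YYYY/MM/DD HH:MM:SS". The fixed-width stamp sorts lexically,
# so plain string comparison is enough to select the window.
auth_in_window() {
    awk -v start="$1" -v end="$2" '
        # Header line: remember its timestamp for the message that follows.
        /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / {
            ts = substr($0, 2, 19); next
        }
        /auth_check_password_send: Checking password/ && ts >= start && ts <= end {
            line = $0
            sub(/^.*user \[/, "", line)   # leaves DOMAIN]\[account]@[WORKSTATION]
            split(line, f, /\]/)
            printf "%s\t%s\t%s\t%s\n", ts, f[1], substr(f[2], 3), substr(f[3], 3)
        }' "$3"
}

# accounts_in_window START END FILE: number of attempts per account@workstation.
accounts_in_window() {
    auth_in_window "$1" "$2" "$3" |
        awk -F '\t' '{ n[$3 "@" $4]++ } END { for (k in n) print n[k], k }' |
        sort -k2
}

# Constructed sample log (hypothetical hosts and accounts).
sample_log() {
    cat <<'EOF'
[2013/03/05 17:02:11.418230,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[alice]@[WS-FRONT01]
[2013/03/05 22:14:03.102938,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[bob]@[WS-LAB07]
[2013/03/05 22:14:03.104417,  3] ../source4/auth/ntlm/auth.c:282(auth_check_password_send)
  auth_check_password_send: mapped user is: [EXAMPLE]\[bob]@[WS-LAB07]
[2013/03/05 22:15:40.550121,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[bob]@[WS-LAB07]
[2013/03/05 23:40:52.771004,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[carol]@[MAILHOST]
[2013/03/06 08:01:30.000512,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[alice]@[WS-FRONT01]
EOF
}

# Off-hours window on the constructed data: attempts per account@workstation.
sample_log | accounts_in_window "2013/03/05 20:00:00" "2013/03/06 06:00:00" -
```

Only the "Checking password" line is counted, so the "mapped user is" line logged for the same attempt does not double the totals.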
