FYI - you may want to add something like 'log file = /tmp/samba/%m.samba.log' to your smb.conf. This way samba will create individual log files for each system.

On Thu, Mar 7, 2013 at 6:32 PM, Thomas Simmons <[email protected]> wrote:

> Have you tried something like tail -f log.samba > tmp.log.samba
> and immediately logging into workstation to see exactly how it gets logged?
> If your server is processing a lot of requests you may have a bunch of
> lines to dig through, but I think it would be much easier than a complete
> log file.
>
> On Thu, Mar 7, 2013 at 6:10 PM, Bob Miller <[email protected]> wrote:
>
>> Thanks Gregory,
>>
>> I appreciate your answer, but this isn't quite what I am looking for.
>>
>> I am using samba4 compiled from source, and I am using daemontools to
>> run it, so all the logs are being captured on stdout and dumped into a
>> file, but I understand your point about where the logs are and how to
>> search them.
>>
>> What I am looking for might be better described like so:
>>
>> grep "Mar 5" sambalogfile | grep <string showing a workstation was logged into>
>>
>> Note that I am not looking to see if a specific user logged in during a
>> specific time, but for all users that performed a login during a
>> specific time.
>>
>> Also, because I have multiple services authenticating against this
>> active directory, how do I tell the difference between a user logging
>> into a workstation and a user logging into webmail (and being
>> authenticated by Active Directory) from outside the organization?
>>
>> --
>> Computerisms
>> Bob Miller
>> 867-334-7117 / 867-633-3760
>> http://computerisms.ca
>>
>> On Thu, 2013-03-07 at 14:38 -0600, Gregory Carter wrote:
>>> Yes.
>>>
>>> Under /var/log/samba in a typical distro you will find the log files for
>>> each IP address/workstation connected to the samba server.
>>>
>>> You could then use egrep to go through the files and look for various
>>> logins.
>>>
>>> A typical example would be:
>>>
>>> egrep -in "gcarter|Mar 5" log*
>>>
>>> The above example looks through all of the log files beginning with
>>> "log" and looks for the samba user name and date associated with the name.
>>>
>>> If you are not capturing that sort of detail, depending on how you have
>>> your smbd process configured, you might be out of luck.
>>>
>>> You can use the same technique on any log file including Email if you
>>> are running an email/smtp/pop server of course for searching information.
>>>
>>> -gc
>>>
>>> On 03/07/2013 02:17 PM, Bob Miller wrote:
>>>> Hello,
>>>>
>>>> Some mischief happened and I have been asked if I can find out who was
>>>> logged into their computers within a specific off-hours time frame. My
>>>> logs for that time frame happened to be running at debug level 3, so I
>>>> have been looking through them and trying to figure out how to recognize
>>>> a workstation login. I find lines beginning with
>>>> auth_check_password_send that seem like reasonably good candidates, but
>>>> I have a number of other services such as email authenticating against
>>>> the AD, and it seems that is just as likely to describe a mail log in as
>>>> it is a workstation login. Is there a way, or some documentation that
>>>> will explain how, to parse the log files and determine which
>>>> workstations were actively in use and by which account? Or are there
>>>> any tools that will parse the log files and provide me such information?
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
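
An added example, not part of the thread and not Samba project code: a time-window filter over the auth_check_password_send records discussed above, which a plain grep on the date misses because the timestamp and the message sit on separate lines. It assumes the two-line level-3 record layout shown in the constructed sample (the `Checking password for unmapped user [DOMAIN]\[user]@[WORKSTATION]` message); the function names, accounts, host names, source paths and line numbers are hypothetical.

```shell
#!/bin/sh
# Constructed sample log (assumed layout): "[timestamp, level] file:line(function)"
# header, then an indented message line. All names and numbers are made up.
sample_log() {
cat <<'EOF'
[2013/03/05 17:02:11.481920,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[alice]@[WS-FRONT-01]
[2013/03/05 17:02:11.482301,  3] ../source4/auth/ntlm/auth.c:281(auth_check_password_send)
  auth_check_password_send: mapped user is: [EXAMPLE]\[alice]@[WS-FRONT-01]
[2013/03/05 23:41:07.120044,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[bob]@[WS-BACK-02]
[2013/03/05 23:41:09.300112,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
[2013/03/06 01:15:30.000731,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[carol]@[MAILHOST]
[2013/03/06 08:03:55.914200,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [EXAMPLE]\[alice]@[WS-FRONT-01]
EOF
}

# samba_auth_window START END   (both "YYYY/MM/DD HH:MM:SS"; log on stdin)
# Prints "timestamp<TAB>workstation<TAB>account" for each auth check in the window.
samba_auth_window() {
    awk -v lo="$1" -v hi="$2" '
        # Header line: remember its timestamp and whether it opens an auth record.
        /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] [0-9]/ {
            ts = substr($0, 2, 19)
            is_auth = (index($0, "(auth_check_password_send)") > 0)
            next
        }
        # Message line of an auth record whose header falls inside the window.
        is_auth && /Checking password for unmapped user \[/ && ts >= lo && ts <= hi {
            line = $0
            sub(/^.*unmapped user /, "", line)   # [DOMAIN]\[user]@[WORKSTATION]
            gsub(/\[|\]/, "", line)              # DOMAIN\user@WORKSTATION
            n = split(line, part, "@")
            ws = part[n]                         # text after the last "@"
            acct = substr(line, 1, length(line) - length(ws) - 1)
            printf "%s\t%s\t%s\n", ts, ws, acct
        }
    '
}

# Distinct workstation/account pairs seen in the window.
samba_auth_pairs() {
    samba_auth_window "$1" "$2" | cut -f2,3 | sort -u
}

sample_log | samba_auth_pairs "2013/03/05 22:00:00" "2013/03/06 06:00:00"
```

The workstation column is whatever name the record carries after the `@`, so it only separates workstation logins from other services to the extent that those services report a different name.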
