Hello,
Some mischief happened and I have been asked if I can find out who was
logged into their computers within a specific off-hours time frame. My
logs for that time frame happened to be running at debug level 3, so I
have been looking through them and trying to figure out how to recognize
a
Yes.
Under /var/log/samba in a typical distro you will find the log files for
each IP address/workstation connected to the samba server.
You could then use egrep to go through the files and look for various
logins.
A typical example would be:
egrep -in gcarter|Mar 5 log*
The above
Thanks Gregory,
I appreciate your answer, but this isn't quite what I am looking for.
I am using samba4 compiled from source, and I am using daemontools to
run it, so all the logs are being captured on stdout and dumped into a
file, but I understand your point about where the logs are and how to
Have you tried something like tail -f log.samba tmp.log.samba
and immediately logging into workstation to see exactly how it gets logged?
If your server is processing a lot of requests you may have a bunch of
lines to dig through, but I think it would be much easier than a complete
log file.
On
FYI - you may want to add something like 'log file =
/tmp/samba/%m.samba.log' to your smb.conf. This way samba will create
individual log files for each system.
On Thu, Mar 7, 2013 at 6:32 PM, Thomas Simmons twsn...@gmail.com wrote:
Have you tried something like tail -f log.samba tmp.log.samba
Pardon me for butting in, and probably you've already considered this,
but what the heck.
Do you even know that the user actually logged in during the time in
question? I suppose the logs will at least let you know *if* anyone
did login, but if the trouble-maker used an already logged in station
Good point.
One further, since we are on the discussion.
Whatever, mischief you say happened, requires for something to have been
changed on the samba server if you have the audit trail turned on for
your shares.
If you haven't done that already, I suggest you turn on the share
auditing
Am Freitag, 8. März 2013, 02:25:56 schrieb Gregory Carter:
Good point.
One further, since we are on the discussion.
Whatever, mischief you say happened, requires for something to have been
changed on the samba server if you have the audit trail turned on for
your shares.
If you haven't
The share auditing is an excellent point. I was not actually aware that
those existed, so thank you for bringing this to my attention, and yes I
will be setting that up. But they are not applicable in this case.
The reason to establish if someone logged into the network is to
determine who
If I may make a suggestion.
If you are worried about presence, use Biometrics.
Logins for office wouldn't work for example if there is a VPN, which
will not prove presence.
Biometrics though can prove identity and presence to a higher degree of
precision.
Video is nice to have, but too
10 matches
Mail list logo