I've deployed the opencanary service docker image on Rocky Linux v8, configured SAMBA and the RSyslog service as per the documentation, and was able to get the logs into "/var/log/samba-audit.log", but couldn't see the alerts in the opencanary debug console.
Upon further analysis and troubleshooting, I observed that the log entries generated by "RSYSLOG v8.2102.0-10.el8" in "/var/log/samba-audit.log" were slightly different from what I've seen in other SMB-related issues.
Sample log entries:
Dec 17 16:09:28 rocky smbd_audit[37113]: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:09:28|SRV01|pread_send|ok|/samba/share/testing.txt
Dec 17 16:09:28 rocky smbd_audit[37113]: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:09:28|SRV01|pread_recv|ok|/samba/share/testing.txt
Dec 17 16:10:27 rocky smbd_audit[37790]: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:10:27|SRV01|pread_send|ok|/samba/share/testing.txt
Dec 17 16:10:27 rocky smbd_audit[37790]: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:10:27|SRV01|pread_recv|ok|/samba/share/testing.txt
Log entries have some random ID appended to "smbd_audit". In this case, "smbd_audit[37113]:" makes the regular expression in the "samba.py" module file fail.
As a workaround, I've made the below changes to the "samba.py" module file:
Changed From: audit_re = re.compile(r'^.*smbd_audit:.*$')
Changed to: audit_re = re.compile(r'^.*smbd_audit\[\d{2,}\]:.*$')
Changed From: data = line.split('smbd_audit:',1)[-1].strip().split('|')
Changed to: data = line.split(']:',1)[-1].strip().split('|')
There could be a better approach, but this worked for me.
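As an added example (not code from the issue or from opencanary's samba.py), here is a parser that accepts both the plain "smbd_audit:" tag and the "smbd_audit[pid]:" form described above. The sample lines are constructed after the ones in the report, and the field names are an assumption inferred from the sample values; the real layout depends on the full_audit:prefix configured in smb.conf.

```python
import re
from typing import Dict, List, Optional

# Matches both "smbd_audit:" and "smbd_audit[<pid>]:". The bracketed number is the
# smbd process id, which can have any number of digits, so \d+ is used here.
AUDIT_RE = re.compile(r"smbd_audit(?:\[(?P<pid>\d+)\])?:\s*(?P<payload>.*)$")

# Assumed names for the pipe-separated fields, inferred from the sample values in
# the issue report; the actual order is whatever full_audit:prefix was set to.
FIELDS = [
    "user", "client_ip", "server_ip", "client_name", "share", "domain",
    "protocol", "client_os", "timestamp", "server_name", "operation", "status", "path",
]

# Constructed sample lines modelled on the issue report (not real traffic).
SAMPLE_LINES = [
    "Dec 17 16:09:28 rocky smbd_audit[37113]: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:09:28|SRV01|pread_send|ok|/samba/share/testing.txt",
    "Dec 17 16:09:29 rocky smbd_audit: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:09:29|SRV01|pread_recv|ok|/samba/share/testing.txt",
    "Dec 17 16:09:30 rocky sshd[100]: Accepted publickey for user1",
]


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed audit record, or None if the line is not an smbd_audit line."""
    m = AUDIT_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    values = m.group("payload").split("|")
    if len(values) != len(FIELDS):
        return None  # unexpected prefix layout; do not guess field positions
    record = dict(zip(FIELDS, values))
    record["pid"] = m.group("pid") or ""  # empty when the log carries no [pid]
    return record


def file_accesses(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only successful operations that name a path, the events worth alerting on."""
    out = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["status"] == "ok" and rec["path"]:
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in file_accesses(SAMPLE_LINES):
        print(rec["user"], rec["client_ip"], rec["operation"], rec["path"])
```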
Thanks for writing in. That workaround looks like a good way to go. We have actually noticed that the log reading code is quite fragile because it breaks if the logging changes for newer Samba versions (it's something we need to figure out going forward).
If you want to create a PR, we would be happy to look through it and try to figure out a better way of handling these kinds of issues.
I have made some improvements to the samba log line handling. Thanks for reporting this (and for supplying helpful information). I'm closing this issue since it has been resolved.