
Change in rsyslog log entry - No alerts for SMB service in opencanary console #226

Closed
greycel opened this issue Dec 17, 2022 · 2 comments
greycel commented Dec 17, 2022

I've deployed opencanary service docker image on Rocky Linux v8, as per the documentation configured SAMBA, RSyslog service and was able to get the logs into "/var/log/samba-audit.log" but couldn't see the alerts in opencanary debug console.

Upon further analysis and troubleshooting, I observed that the log entries generated by "RSYSLOG v8.2102.0-10.el8" in
"/var/log/samba-audit.log" were slightly different from what I've seen in other SMB-related issues.

Sample log entries:

Dec 17 16:09:28 rocky smbd_audit[37113]: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:09:28|SRV01|pread_send|ok|/samba/share/testing.txt
Dec 17 16:09:28 rocky smbd_audit[37113]: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:09:28|SRV01|pread_recv|ok|/samba/share/testing.txt
Dec 17 16:10:27 rocky smbd_audit[37790]: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:10:27|SRV01|pread_send|ok|/samba/share/testing.txt
Dec 17 16:10:27 rocky smbd_audit[37790]: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:10:27|SRV01|pread_recv|ok|/samba/share/testing.txt

Log entries have some random ID appended to "smbd_audit". In this case, "smbd_audit[37113]:" makes the regular expression in the "samba.py" module file fail.

As a workaround, I've made the below changes to the "samba.py" module file:

Changed from:

```python
audit_re = re.compile(r'^.*smbd_audit:.*$')
data = line.split('smbd_audit:',1)[-1].strip().split('|')
```

Changed to:

```python
audit_re = re.compile(r'^.*smbd_audit\[\d{2,}\]:.*$')
data = line.split(']:',1)[-1].strip().split('|')
```

There could be a better approach, but this worked for me.
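The parsing problem described in this report, shown as an added example that is not opencanary's own samba.py code: a matcher that accepts both the bare `smbd_audit:` tag and the `smbd_audit[<pid>]:` tag rsyslog produced here, run over lines copied from the report. The field names are an assumption based on the sample lines, not names used by opencanary.

```python
import re
from typing import Optional

# Matches both the bare "smbd_audit:" syslog tag and the "smbd_audit[<pid>]:"
# form reported in this issue; the PID suffix is optional.
AUDIT_RE = re.compile(r'smbd_audit(?:\[\d+\])?:\s*(?P<payload>.*)$')

# Assumed field names, derived from the sample lines in the issue; opencanary
# itself may name these fields differently.
FIELDS = ('user', 'client_ip', 'server_ip', 'client_name', 'share',
          'domain', 'protocol', 'client_os', 'timestamp', 'server_name',
          'operation', 'status', 'path')


def parse_audit_line(line: str) -> Optional[dict]:
    """Return the pipe-separated audit fields as a dict, or None when the
    line is not an smbd_audit record (in either tag form) or the field
    count does not match what we expect."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    data = m.group('payload').split('|')
    if len(data) != len(FIELDS):
        return None  # unexpected layout: refuse to guess at field positions
    return dict(zip(FIELDS, data))


def audit_events(text: str) -> list:
    """Parse every smbd_audit record found in a chunk of log text."""
    return [ev for ev in map(parse_audit_line, text.splitlines()) if ev]


# Constructed sample input: the first line is copied from the issue, the
# second is the same record in the older tag form without a PID, and the
# third is an unrelated syslog line that must be ignored.
SAMPLE_LOG = """\
Dec 17 16:09:28 rocky smbd_audit[37113]: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:09:28|SRV01|pread_send|ok|/samba/share/testing.txt
Dec 17 16:09:28 rocky smbd_audit: user1|192.168.15.105|192.168.15.111|sys1|itshare|SRD1|SMB3_11|OSX|2022/12/17 16:09:28|SRV01|pread_recv|ok|/samba/share/testing.txt
Dec 17 16:09:29 rocky sshd[1234]: Accepted publickey for user1 from 192.168.15.105
"""

if __name__ == '__main__':
    for ev in audit_events(SAMPLE_LOG):
        print(f"{ev['client_ip']} {ev['operation']} {ev['path']}")
```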

@jayjb jayjb self-assigned this Aug 7, 2023
jayjb commented Aug 7, 2023

Hi @greycel,

Thanks for writing in. That workaround looks like a good way to go. We have actually noticed that the log reading code is quite fragile because it breaks if the logging changes for newer Samba versions (it's something we need to figure out going forward).

If you want to create a PR, we would be happy to look through it and try to figure out a better way of handling these kinds of issues.

@jayjb jayjb added the bug label Aug 8, 2023
This was referenced Aug 18, 2023
jayjb commented Aug 21, 2023

Hi @greycel,

I have made some improvements to the samba log line handling. Thanks for reporting this (and for supplying helpful information). I'm closing this issue since it has been resolved.

@jayjb jayjb closed this as completed Aug 21, 2023