jeff.cleverley at avagotech
Nov 22, 2011, 2:56 PM
Post #3 of 3
Thanks for the information and the modules. I'll look into everything
next week when I get back. I had tried the strings command on the
cifsaudit.alf file but it only gave me IP addresses of the clients.
The only audit setting we had differently was the
cifs.audit.file_access_events.enable. I've turned it off as you
mentioned since it probably won't cause too much trouble. I'll see
what the evt files come up with when they are created.
On Tue, Nov 22, 2011 at 3:00 PM, Steve Losen <scl [at] virginia> wrote:
>> We have a cifs share that gets worked on by various people in the
>> company in different countries and business groups. We have access
>> opened up to users with a valid Windows 2003 Server domain
>> authentication. Since we don't know everyone who will have access to
>> this, we don't have unix accounts for them, or entries in the
>> usermap.cfg file. This share is also nfs accessed and has unix
>> security style.
>> The problem is when we look in the messages files these users seem to
>> show up with their workstation name followed by the $ sign. It's
>> difficult to track who owns the machine and who logged into it. Here
>> is an trimmed example entry:
>> auth.trace.authenticateUser.loginAccepted:info]: AUTH: Login by
>> dwc46q1$ from xx.xx.xx.xx accepted.
>> I'd like a better way to figure out who logged in from dwc46q1$ . The
>> cifs.trace_login is on.
>> Jeff Cleverley
>> Unix Systems Administrator
>> 4380 Ziegler Road
>> Fort Collins, Colorado 80525
>> Toasters mailing list
>> Toasters [at] teaparty
> Hi Jeff,
> We used to use options cifs.trace_login but as you point out,
> it omits a lot of information and often (high load?) login
> events are not logged. (We run a university wide home directory
> service with 60,000 users, so we get a huge number of logins.)
> You might want to do this, which works much better:
> options cifs.audit.enable on
> options cifs.audit.logon_events.enable on
> options cifs.audit.account_mgmt_events.enable off
> options cifs.audit.file_access_events.enable off
> and play with the cifs.audit.autosave options to
> control the rotation of the event log files.
> These options generate files on the filer named
> The filer accumulates audit events in /etc/log/cifsaudit.alf
> (of unknown format) and periodically dumps this to an adtlog.*.evt
> The adtlog.*.evt files are in Windows event log format, which you
> can view on a Windows box. Sounds like you are a Unix guy
> like me. A while back I researched the EVT format and wrote
> a perl module to parse the adtlog.*.evt files.
> The module and script are fairly short, so I have attached them.
> You will need to change this line in dumpevt.pl depending on where
> you put evt.pl
> Usage: dumpevt.pl evtfile ...
> I have attached the perl files with .txt appended to the names to
> avoid email filters.
> Steve Losen scl [at] virginia phone: 434-924-0640
> University of Virginia ITC Unix Support
Unix Systems Administrator
4380 Ziegler Road
Fort Collins, Colorado 80525
Toasters mailing list
Toasters [at] teaparty