From 5f55944ee546c2449759959805864f090aa9c7bd Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 21 Dec 2005 16:00:34 +0000 Subject: [PATCH] Eventlog HOWTO - temporary copy, --- docs/Samba-EventLog-HOWTO.txt | 130 ++++++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 docs/Samba-EventLog-HOWTO.txt diff --git a/docs/Samba-EventLog-HOWTO.txt b/docs/Samba-EventLog-HOWTO.txt new file mode 100644 index 00000000000..33b3c1ddc47 --- /dev/null +++ b/docs/Samba-EventLog-HOWTO.txt @@ -0,0 +1,130 @@ +## +## Samba-EventLog-HOWTO.txt +## Brian Moran +## +## Feature Introduced in Samba 3.0.21 +## + +Samba and Eventlogs +=================== + +Samba servers now support event logs -- this means that if +Samba is configured correctly, the usual administration tools +like event viewer will work against a Samba server. + +To minimally configure Samba to publish event logs, the +eventlogs to list must be specified in smb.conf, and +eventlog entries must be written to those eventlogs. + +Optionally, a message file can be registered for each +of the eventlog 'sources' to pretty-print the eventlog +messages in the eventlog viewer. + +Configuring smb.conf +==================== + +To specify the list of eventlogs the eventlog list +command is used. An example which will show four +eventlogs is + + eventlog list = Application System Security SyslogLinux + +When Samba initially starts, it looks to see if the +eventlog directory, and a particular log exists; if not, +the directory and file are created under LOCK_DIR + +Writing EventLog Records +======================== + +The eventlogadm command is used to write records +into a particular eventlog. Eventlogadm expects records +to be on STDIN in the following format + + LEN: 0 + RS1: 1699505740 + RCN: 0 + TMG: 1128631322 + TMW: 1128631322 + EID: 1000 + ETP: INFO + ECT: 0 + RS2: 0 + CRN: 0 + USL: 0 + SRC: cron + SRN: dmlinux + STR: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly) + DAT: + +These fields closely mirror the eventlog structures +used by the APIs. The definitions of the fields are + +- LEN: The length field is calculated by the + eventlogadm program based on the rest of the information + in the record. Zero works well here. +- RS1: 1699505740 A "magic number", the primary purpose of + which seems to be to be able to find eventlog records in a + sea of binary data +- TMG: The time the eventlog record was generated; + format is the number of seconds since 00:00:00 January 1, + 1970, UTC +- TMW: The time the eventlog record was written; + format is the number of seconds since 00:00:00 January 1, + 1970, UTC +- EID: The eventlog ID -- used as a index to a + message string in a message DLSamba and Eventlogs +- ETP: The event type -- one of INFO, ERROR, + WARNING, AUDIT SUCCESS, AUDIT FAILURE +- ECT: The event category; this depends on the + message file -- primarily used as a means of filtering in + the eventlog viewer +- RS2: 0 Another reserved field +- CRN: 0 Yet another reserved field +- USL: Typically would contain the length of the + SID of the user object associated with this event. This is + not supported now, so leave this zero. +- SRC: The source name associated with the event + log, e.g. "cron" or "smbd". If a message file is used with an + event log, there will be a registry entry for associating + this source name with a message file DLL +- SRN: The name of the machine on which the + eventlog was generated. This is typically the host name +- STR: The text associated with the eventlog. Note + that there may be more than one strings in a record +- DAT: Eventlog records can have binary information + associated with them. DAT only supports ASCII strings however + +Typically, one would set up a program to gather events, format +them into records, and pipe them into eventlogadm for a +particular eventlog: + +# tail -f /var/log/messages |\ + my_program_to_parse_into_eventlog_records |\ + eventlogadm SyslogLinux + +Note that individual records are separated on the input by one +or more blank lines. In this manner, eventlogadm will just wait +for more input, writing to the underlying log files as necessary. + + +Deciphering EventLog entries on the Client +========================================== + +To set up an eventlog source (which is used by the eventlog viewer +program to pretty-print eventlog records), create a message file +DLL, then use the eventlogadm program to write the appropriate +eventlog registry entries: + +# eventlogadm -o addsource Application MyApplication \ + %SystemRoot%/system32/MyApplication.dll + +This will add the key +[HKLM/System/CurrentControlSet/services/Eventlog/Application/MyApplication] +and to that key add value "MyApplication/EventLogMessageFile" +with a string of %SystemRoot%/system32/MyApplication.dll + +If there happens to be a share called [C$] on your samba server, +and in that share there's a Windows/system32/MyApplication.dll +file, it will be read by the eventlog viewer application when +displaying eventlog records to pretty-print your eventlog entries. +