
Comments (6)

carnal0wnage commented on May 9, 2024

I'll respond to my own issue here before I close it out.

The issue was I was using Ubuntu Trusty; the %D of the sample smb.conf file was causing the smb audit log to not have all the required fields. I made my config to be %d (yes, I know it's not the field we are looking for, but...) and now it works correctly. The log parsing code in modules/samba.py is now correctly reading the smb-audit.log file and putting that into the opencanary log, which then sends to the json-tcp logger I had set up.

from opencanary.

mmaxwell5 commented on May 9, 2024

I am running opencanary on a Raspberry Pi (RASPBIAN STRETCH LITE) and I have followed the instructions to get everything set up, including the special SMB settings. Everything is working and I am getting alerts for all my services except Samba. I am thinking I am running into the same issue as @carnal0wnage. Any help someone can offer would be much appreciated.

Attached are my config files in case I am missing something.

Thank you in advance.

opencanary.conf.txt
smb.conf.txt


carnal0wnage commented on May 9, 2024

It's been a while, but IIRC I started adding the logging variables one at a time until I found the one that was breaking things.

Here is what I had for my config:

[global]
workgroup = WORKGROUP
server string = Windows 2003 File Server
netbios name = FILESRV01
dns proxy = no
log file = /var/log/samba/samba-audit.log
log level = 2
syslog only = no
syslog = 0
vfs object = full_audit
full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
full_audit:success = pread
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = notice
max log size = 100
panic action = /usr/share/samba/panic-action %d

#samba 4
server role = standalone server

#samba 3
security = user

passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = no
map to guest = Bad User
usershare allow guests = yes
guest account = nobody
create mask = 0666
directory mask = 0777
force create mode = 0666
force directory mode = 0777

[Documents]
comment = Office documents
path = /tmp/share
guest ok = yes
read only = yes
browseable = yes
force user = nobody
force group = nogroup
#vfs object = audit

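A field-count check for the audit lines this thread is about, added here as an example; it is not opencanary's modules/samba.py and not code from any poster. It takes the `full_audit:prefix` from the config above, assumes the audit module appends `operation|result|argument` after the prefix and that lines arrive in syslog form, and runs over constructed sample lines to flag records with a missing or empty field.

```python
import re

# Prefix from the smb.conf posted in this thread. TRAILER is an assumption:
# the fields vfs_full_audit appends after the prefix.
PREFIX = "%U|%I|%i|%m|%S|%L|%R|%a|%T|%D"
TRAILER = ["operation", "result", "argument"]
NAMES = {"%U": "user", "%I": "client_ip", "%i": "local_ip", "%m": "client_name",
         "%S": "share", "%L": "server_name", "%R": "protocol",
         "%a": "client_arch", "%T": "timestamp", "%D": "domain", "%d": "smbd_pid"}

def expected_fields(prefix=PREFIX):
    """Field names an audit record should carry for a given full_audit:prefix."""
    return [NAMES.get(v, v) for v in prefix.split("|")] + TRAILER

def check_line(line, prefix=PREFIX):
    """Return (record, problems) for one syslog line written by smbd_audit."""
    m = re.search(r"smbd_audit(?:\[\d+\])?:\s*(.*)$", line.rstrip("\n"))
    if not m:
        return None, ["not an smbd_audit line"]
    names = expected_fields(prefix)
    # The argument (file name) is last and may contain '|', so cap the split.
    values = m.group(1).split("|", len(names) - 1)
    problems = []
    if len(values) != len(names):
        problems.append("expected %d fields, got %d" % (len(names), len(values)))
    record = dict(zip(names, values))
    problems += ["empty field: " + n for n, v in record.items() if v == ""]
    return record, problems

# Constructed sample lines (not taken from a real host): complete record,
# record with the last prefix field missing, record with it present but empty.
SAMPLE = [
    "May  9 10:15:02 filesrv01 smbd_audit: nobody|192.0.2.10|192.0.2.5|ws-7|Documents|"
    "filesrv01|SMB2_10|Vista|2024/05/09 10:15:02|WORKGROUP|pread|ok|budget.xlsx",
    "May  9 10:15:09 filesrv01 smbd_audit: nobody|192.0.2.10|192.0.2.5|ws-7|Documents|"
    "filesrv01|SMB2_10|Vista|2024/05/09 10:15:09|pread|ok|budget.xlsx",
    "May  9 10:15:11 filesrv01 smbd_audit: nobody|192.0.2.10|192.0.2.5|ws-7|Documents|"
    "filesrv01|SMB2_10|Vista|2024/05/09 10:15:11||pread|ok|budget.xlsx",
]

def report(lines=SAMPLE, prefix=PREFIX):
    """Map 1-based line number -> list of problems, for lines that have any."""
    found = ((n, check_line(l, prefix)[1]) for n, l in enumerate(lines, 1))
    return {n: p for n, p in found if p}

if __name__ == "__main__":
    print(report())
```

Passing the prefix actually set in smb.conf as `prefix` lets the same check be rerun after each variable is added or swapped.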

mmaxwell5 commented on May 9, 2024

Thank you for the response. By logging variables, do you mean the "full_audit:prefix =" items? From your original post it looks like the %D was causing the problem. My SMB config looks similar to yours. I did not see any issues standing out.

  [global]
       workgroup = company.local
       server string = Windows File Server
       netbios name = Server01
       dns proxy = no
       log file = /var/log/samba/log.all
       log level = 0
       syslog only = yes
       syslog = 0
       vfs object = full_audit
       full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
       full_audit:success = pread
       full_audit:failure = none
       full_audit:facility = local7
       full_audit:priority = notice
       max log size = 100
       panic action = /usr/share/samba/panic-action %d

       #samba 4
       server role = standalone server

       #samba 3
       #security = user

       passdb backend = tdbsam
       obey pam restrictions = yes
       unix password sync = no
       map to guest = bad user
       usershare allow guests = yes
    [Company]
       comment = Company Files
       path = /home/pi/Company
       guest ok = yes
       read only = yes
       browseable = yes
       #vfs object = audit


mmaxwell5 commented on May 9, 2024

Just want to make sure I am understanding the opencanary samba server. It should log and send an email (if SMTP is configured) if someone logs in or attempts to log in to an SMB share, similar to the other services. Thanks for the help. Really appreciate it.


citnadxela commented on May 9, 2024

Don't mean to bring this back up, but I pretty much have the same config as you, @carnal0wnage. Everything is getting logged in correctly in the 'samba-audit.log'; however, I'm not receiving an e-mail alert for it. Basically, when someone accesses the dummy Synology page by inputting the IP in a browser, I'll get an e-mail alert. However, when someone accesses the Samba share I created, it looks like it's getting logged correctly in 'samba-audit.log', but no e-mail. Any ideas on how I can fix this? I believe this would be similar to your initial problem. @mmaxwell5, were you able to get this to work? Because I think I'm having the same issue you were. Please let me know.
