Closed greycel closed 1 year ago
Hi @greycel,
Thanks for writing in. That workaround looks like a good way to go. We have actually noticed that the log reading code is quite fragile because it breaks if the logging changes for newer Samba versions (it's something we need to figure out going forward).
If you want to create a PR, we would be happy to look through it and try to figure out a better way of handling these kinds of issues.
Hi @greycel,
I have made some improvements to the samba log line handling. Thanks for reporting this (and for supplying helpful information). I'm closing this issue since it has been resolved.
I've deployed the opencanary service Docker image on Rocky Linux v8, configured SAMBA and the RSyslog service as per the documentation, and was able to get the logs into "/var/log/samba-audit.log", but couldn't see the alerts in the opencanary debug console.
Upon further analysis and troubleshooting, I observed that the log entries generated by "RSYSLOG v8.2102.0-10.el8" in "/var/log/samba-audit.log" were slightly different from what I've seen in other smb-related issues.
Sample log entries:
Log entries have some random ID appended to "smbd_audit". In this case, "smbd_audit[37113]:" makes the regular expression in the "samba.py" module file fail.
As a workaround, I've made the below changes to the "samba.py" module file:
There could be a better approach, but this worked for me.
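As an added illustration of the parsing problem described in this issue (example code, not OpenCanary's samba.py and not the reporter's patch), the following parser accepts the syslog tag both as bare "smbd_audit:" and as "smbd_audit[PID]:". The sample lines are constructed, and the pipe-separated field order assumes Samba full_audit's default prefix "%u|%I|%m|%S" followed by operation, result and arguments.

```python
import re
from typing import Optional

# Constructed sample lines (not from the issue): the first uses the bare
# "smbd_audit:" tag, the second carries the "[PID]" suffix that newer rsyslog
# versions append, the third is an unrelated line that must be ignored.
SAMPLE_LINES = [
    "Jan 10 12:34:56 canary smbd_audit: guest|192.0.2.10|WS01|share1|connect|ok|share1",
    "Jan 10 12:35:01 canary smbd_audit[37113]: guest|192.0.2.10|WS01|share1|opendir|ok|.",
    "Jan 10 12:35:02 canary sshd[42]: unrelated line",
]

# Syslog timestamp and host, then the tag with an optional "[pid]" before the colon.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"smbd_audit(?:\[(?P<pid>\d+)\])?:\s+"
    r"(?P<body>.+)$"
)

# Assumed field order: full_audit default prefix "%u|%I|%m|%S", then op and result.
BODY_FIELDS = ("user", "src_ip", "machine", "share", "operation", "result")


def parse_smbd_audit(line: str) -> Optional[dict]:
    """Return a parsed event dict, or None if the line is not an smbd_audit line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    parts = m.group("body").split("|")
    if len(parts) < len(BODY_FIELDS):
        return None  # malformed body: too few pipe-separated fields
    event = dict(zip(BODY_FIELDS, parts))
    # Trailing arguments may themselves contain '|', so re-join the remainder.
    event["args"] = "|".join(parts[len(BODY_FIELDS):])
    event["timestamp"] = m.group("ts")
    event["host"] = m.group("host")
    event["pid"] = int(m.group("pid")) if m.group("pid") else None
    return event


def parse_all(lines):
    """Parse every recognisable smbd_audit line, silently skipping the rest."""
    return [e for e in (parse_smbd_audit(l) for l in lines) if e is not None]
```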