diff options
Diffstat (limited to '')
-rw-r--r-- | docs-xml/smbdotconf/logging/loglevel.xml | 171 |
1 files changed, 171 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml new file mode 100644 index 0000000..434c5d0 --- /dev/null +++ b/docs-xml/smbdotconf/logging/loglevel.xml @@ -0,0 +1,171 @@ +<samba:parameter name="log level" + type="string" + context="G" + handler="handle_debug_list" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<synonym>debuglevel</synonym> +<description> + <para> + The value of the parameter (a string) allows the debug level (logging level) to be specified in the + <filename moreinfo="none">smb.conf</filename> file. + </para> + + <para>This parameter has been extended since the 2.2.x + series, now it allows one to specify the debug level for multiple + debug classes and distinct logfiles for debug classes. This is to give + greater flexibility in the configuration of the system. The following + debug classes are currently implemented: + </para> + + <itemizedlist> + <listitem><para><parameter moreinfo="none">all</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">tdb</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">printdrivers</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">lanman</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">smb</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">rpc_parse</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">rpc_srv</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">rpc_cli</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">passdb</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">sam</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">auth</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">winbind</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">vfs</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">idmap</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">quota</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">acls</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">locking</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">msdfs</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dmapi</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">registry</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">scavenger</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dns</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">ldb</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">tevent</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">auth_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">auth_json_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">kerberos</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">drs_repl</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">smb2</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">smb2_credits</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_json_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_password_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_password_json_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_transaction_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_transaction_json_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_group_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_group_json_audit</parameter></para></listitem> + </itemizedlist> + + <para>Various modules register dynamic debug classes at first usage:</para> + <itemizedlist> + <listitem><para><parameter moreinfo="none">catia</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dfs_samba4</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">extd_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">fileid</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">fruit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">full_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">media_harmony</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">preopen</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">recycle</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">shadow_copy</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">shadow_copy</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">unityed_media</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">virusfilter</parameter></para></listitem> + </itemizedlist> + + <para>To configure the logging for specific classes to go into a different + file then <smbconfoption name="log file"/>, you can append + <emphasis>@PATH</emphasis> to the class, eg <parameter>log level = 1 + full_audit:1@/var/log/audit.log</parameter>.</para> + + <para>Authentication and authorization audit information is logged + under the <parameter>auth_audit</parameter>, and if Samba was not compiled with + --without-json, a JSON representation is logged under + <parameter>auth_json_audit</parameter>.</para> + + <para>Support is comprehensive for all authentication and authorisation + of user accounts in the Samba Active Directory Domain Controller, + as well as the implicit authentication in password changes. In + the file server, NTLM authentication, SMB and RPC authorization is + covered.</para> + + <para>Log levels for <parameter>auth_audit</parameter> and + <parameter>auth_audit_json</parameter> are:</para> + <itemizedlist> + <listitem><para>2: Authentication Failure</para></listitem> + <listitem><para>3: Authentication Success</para></listitem> + <listitem><para>4: Authorization Success</para></listitem> + <listitem><para>5: Anonymous Authentication and Authorization Success</para></listitem> + </itemizedlist> + + <para>Changes to the AD DC <command moreinfo="none">sam.ldb</command> + database are logged under the <parameter>dsdb_audit</parameter> + and a JSON representation is logged under + <parameter>dsdb_json_audit</parameter>.</para> + + <para>Group membership changes to the AD DC <command + moreinfo="none">sam.ldb</command> database are logged under the + <parameter>dsdb_group_audit</parameter> and a JSON representation + is logged under + <parameter>dsdb_group_json_audit</parameter>.</para> + + <para>Log levels for <parameter>dsdb_audit</parameter>, + <parameter>dsdb_json_audit</parameter>, + <parameter>dsdb_group_audit</parameter>, + <parameter>dsdb_group_json_audit</parameter> and + <parameter>dsdb_json_audit</parameter> are:</para> + <itemizedlist> + <listitem><para>5: Database modifications</para></listitem> + <listitem><para>5: Replicated updates from another DC</para></listitem> + </itemizedlist> + + <para>Password changes and Password resets in the AD DC are logged + under <parameter>dsdb_password_audit</parameter> and a JSON + representation is logged under the + <parameter>dsdb_password_json_audit</parameter>. Password changes + will also appears as authentication events via + <parameter>auth_audit</parameter> and + <parameter>auth_audit_json</parameter>.</para> + + <para>Log levels for <parameter>dsdb_password_audit</parameter> and + <parameter>dsdb_password_json_audit</parameter> are:</para> + <itemizedlist> + <listitem><para>5: Successful password changes and resets</para></listitem> + </itemizedlist> + + <para>Transaction rollbacks and prepare commit failures are logged under + the <parameter>dsdb_transaction_audit</parameter> and a JSON representation is logged under the + <parameter>dsdb_transaction_json_audit</parameter>. </para> + + <para>Log levels for <parameter>dsdb_transaction_audit</parameter> and + <parameter>dsdb_transaction_json</parameter> are:</para> + + <itemizedlist> + <listitem><para>5: Transaction failure (rollback)</para></listitem> + <listitem><para>10: Transaction success (commit)</para></listitem> + </itemizedlist> + + <para>Transaction roll-backs are possible in Samba, and whilst + they rarely reflect anything more than the failure of an + individual operation (say due to the add of a conflicting record), + they are possible. Audit logs are already generated and sent to + the system logs before the transaction is complete. Logging the + transaction details allows the identification of password and + <command moreinfo="none">sam.ldb</command> operations that have + been rolled back, and so have not actually persisted.</para> + + <warning><para> Changes to <command + moreinfo="none">sam.ldb</command> made locally by the <command + moreinfo="none">root</command> user with direct access to the + database are not logged to the system logs, but to the + administrator's own console. While less than ideal, any user able + to make such modifications could disable the audit logging in any + case. </para></warning> +</description> +<value type="default">0</value> +<value type="example">3 passdb:5 auth:10 winbind:2</value> +<value type="example">1 full_audit:1@/var/log/audit.log winbind:2</value> +</samba:parameter> |