Reading Authentication Logs from Samba as Domain Controller using Syslog Parse

by Community Manager 2 weeks ago - edited a week ago by (1,020 Views)

This article is written to help users of Palo Alto Networks firewalls use User-ID Adoption by integrating an environment with Samba4 as Domain Controller.

 

It´s not the objective of this article to show how to install Linux, Samba or other software. Here we will demonstrate only how to configure software for sending logs to NGFW.

 

For this article, I used following software and versions:

Linux: Ubuntu 18.04 LTS

Samba: Samba version 4.7.6-Ubuntu

Firewall: PA220 with PAN-OS 8.0.11

 

Step1: Configure Samba to write logon events records in only one line.

  • Open smb.conf:

    vi /etc/samba/smb.conf
  • Add the following lines at end of the [global] section:

    log level = 3
    syslog = 3
    vfs object = full_audit
    full_audit:success = connect
    full_audit:failure = disconnect
    full_audit:prefix = %u %I | %S
    full_audit:facility = local5

    root@srvdc01:/etc/samba# cat smb.conf
    # Global parameters
    [global]
            dns forwarder = 8.8.8.8
            netbios name = SRVDC01
            realm = MYDOMAIN.LOCAL
            server role = active directory domain controller
            workgroup = MYDOMAIN
            idmap_ldb:use rfc2307 = yes
            log level = 3
            syslog = 3
            vfs object = full_audit
            full_audit:success = connect
            full_audit:failure = disconnect
            full_audit:prefix = %u %I | %S
            full_audit:facility = local5
  • Reload Samba configuration:
    # smbcontrol all reload-config
  • Check if logs are being registered as expected:
    # Tail -f /var/log/messages
    Jun 28 12:02:33 srvdc01 smbd_audit[1589]: MYDOMAIN\usuario01 192.168.70.51 | IPC_|connect|ok|IPC$

Now, we need to send these records to the Palo Alto Networks firewall.

  • Navigate to directory /etc/rsyslog.d/ see that other files already exist here, so create the following file:
    # Vi /etc/rsyslog.d/00-samba.conf
  • Insert the following line inside this file:
    if $programname == 'smbd_audit' and $syslogseverity == '5' then @192.168.10.6:514

    where 192.168.10.6 is MGMT IP Address.

Now, Samba is recording event logons in a better format; Rsyslog is reading these records, filtering as agreed as 00-samba.conf and sending to the IP Address previously set up.

  • Palo Alto SSH Session: Seeing syslog packets:
    admin@pa-220-lab> tcpdump filter "src 192.168.70.50 and port 514"
  • Open a new SSH session to the firewall and see mgmt.pcap in real time:
    admin@pa-220-lab> view-pcap follow yes mgmt-pcap mgmt.pcap 
    
    12:09:30.927704 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG local5.notice, length: 102
    12:09:56.286576 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG local5.notice, length: 95
    12:10:06.958614 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG local5.notice, length: 98
    12:10:08.723756 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG local5.notice, length: 99
    12:10:08.724217 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG daemon.notice, length: 124
    12:10:08.724708 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG daemon.notice, length: 178
    12:10:08.728748 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG local5.notice, length: 189
    12:10:08.729317 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG local5.notice, length: 189
    12:10:08.729916 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG local5.notice, length: 208

Step 2: Configure the firewall by creating a Syslog Parse Profile, a User Identification Monitored Server and check users from syslog:

  • Go to Device > User Identification, Edit the Palo Alto Networks User-ID Agent Setup > Syslog Filters and click Add.syslog parser profile.png
    Username Regex: MYDOMAIN\\\w*[-._]?\w+ 
    Address Regex: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
    
  • Create a User Identification Monitored Server object with the IP of the syslog sender, and add the Syslog Parse Profile as a filter.User Identification Monitored Server.png

 

After this, complete User-ID configuration on the firewall to allow User-ID Adoption.

 

When the firewall configuration is finished, you may be able to see Samba logon events, as follows:

Open firewall SSH Session:

admin@pa-220-lab> show user ip-user-mapping all type SYSLOG 

IP                                            Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------ ------- -------------------------------- -------------- -------------
192.168.70.51                                 vsys1  SYSLOG  mydomain\usuario01                2696           2696         
Total: 1 users

 

 

See group-mapping:

admin@pa-220-lab> show user ip-user-mapping ip 192.168.70.51

IP address:    192.168.70.51 (vsys1)
User:          mydomain\usuario01
From:          SYSLOG
Idle Timeout:  2684s
Max. TTL:      2684s
Group(s):      mydomain\usuario01(30)
               cn=users,cn=builtin,dc=mydomain,dc=local(2147483674)
               cn=domain users,cn=users,dc=mydomain,dc=local(2147483696)

 

 

You can see SYSLOG information in real time on the GUI.

Go to Monitor -> Logs -> User-ID

Input this filter “( datasource eq syslog )” and press “Enter”. You will see:

 

User-ID log.png

 

 

 

Hope this article helps increase User-ID Adoption on Palo Alto Network next-generation firewalls or NGFW.

 

Please feel free to leave comments or questions below.

 

 

 

This article was contributed by @fabianopereira

 

About the Author


Fabiano works as post sales coordinator for LDC Soluções in Brazil and his main focus is Information Security, using composite platforms, based on NGFW, Endpoint, SaaS and cloud technologies.


Ignite 2018, Amsterdam, Netherlands
Ask Questions Get Answers Join the Live Community
Contributors