Reading Authentication Logs
Resolution
From Samba as Domain Controller using Syslog Parse
This article is intended to help Palo Alto Networks firewall users with User-ID adoption by integrating an environment that uses Samba4 as the Active Directory Domain Controller.
It is not the objective of this article to show how to install Linux, Samba or other software. It only demonstrates how to configure that software so that logon records are sent to the NGFW and parsed there.
For this article, the following software and versions were used:
Linux: Ubuntu 18.04 LTS
Samba: Samba version 4.7.6-Ubuntu
Firewall: PA220 with PAN-OS 8.0.11
Step 1: Configure Samba to write each logon event as a single-line record.
- Open smb.conf:
vi /etc/samba/smb.conf
- Add the following lines at the end of the [global] section:
log level = 3
syslog = 3
vfs object = full_audit
full_audit:success = connect
full_audit:failure = disconnect
full_audit:prefix = %u %I | %S
full_audit:facility = local5
The vfs full_audit module writes one line per successful connect (full_audit:success) and per failed disconnect (full_audit:failure) to the local5 syslog facility; the prefix expands %u (user), %I (client IP address) and %S (share name), so every record starts with exactly the fields User-ID needs. Samba 4 documents the newer logging parameter as the replacement for the deprecated syslog parameter, but the form above still works on 4.7.6. The resulting smb.conf:
root@srvdc01:/etc/samba# cat smb.conf
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = SRVDC01
realm = MYDOMAIN.LOCAL
server role = active directory domain controller
workgroup = MYDOMAIN
idmap_ldb:use rfc2307 = yes
log level = 3
syslog = 3
vfs object = full_audit
full_audit:success = connect
full_audit:failure = disconnect
full_audit:prefix = %u %I | %S
full_audit:facility = local5
- Reload Samba configuration:
# smbcontrol all reload-config
- Check that the records are being written as expected (on a stock Ubuntu rsyslog configuration the local5 messages land in /var/log/syslog rather than /var/log/messages):
# tail -f /var/log/messages
Jun 28 12:02:33 srvdc01 smbd_audit[1589]: MYDOMAIN\usuario01 192.168.70.51 | IPC$|connect|ok|IPC$
Each record carries the prefix from smb.conf (user, client IP, share) followed by the operation, its result and the share name, separated by pipes.
Now we need to send these records to the Palo Alto Networks firewall.
- Go to /etc/rsyslog.d/ (other files already exist there) and create the following file:
# vi /etc/rsyslog.d/00-samba.conf
- Insert the following line into this file:
if $programname == 'smbd_audit' and $syslogseverity == '5' then @192.168.10.6:514
where 192.168.10.6 is the IP address of the firewall's management (MGMT) interface. The single @ forwards over UDP to port 514; the rule only forwards messages tagged smbd_audit at severity 5 (notice), which is the priority full_audit emits, and because there is no stop action the records still reach the local log files as well. Restart the rsyslog service so that the new rule is loaded.
Now Samba is recording logon events in a single-line format, rsyslog is reading those records, filtering them as defined in 00-samba.conf, and sending them to the IP address configured above.
- On the firewall CLI (SSH session), capture the syslog packets arriving from the DC on the management interface:
admin@pa-220-lab> tcpdump filter "src 192.168.70.50 and port 514"
- Open a second SSH session to the firewall and follow mgmt.pcap in real time:
admin@pa-220-lab> view-pcap follow yes mgmt-pcap mgmt.pcap
12:09:30.927704 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG local5.notice, length: 102
12:09:56.286576 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG local5.notice, length: 95
12:10:06.958614 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG local5.notice, length: 98
12:10:08.723756 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG local5.notice, length: 99
12:10:08.724217 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG daemon.notice, length: 124
12:10:08.724708 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG daemon.notice, length: 178
12:10:08.728748 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG local5.notice, length: 189
12:10:08.729317 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG local5.notice, length: 189
12:10:08.729916 IP 192.168.70.50.60943 > 192.168.10.6.syslog: SYSLOG local5.notice, length: 208
Step 2: Configure the firewall: create a Syslog Parse Profile, add a User Identification Monitored Server, and check the users learned from syslog.
- Go to Device > User Identification, edit the Palo Alto Networks User-ID Agent Setup > Syslog Filters and click Add. Enter:
Username Regex: MYDOMAIN\\\w*[-._]?\w+
Address Regex: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
The username regex anchors on the domain prefix that full_audit writes (the literal backslash is escaped as \\) and the address regex picks up the client IP that follows it in the record.
- Create a User Identification Monitored Server object of type Syslog Sender with the IP of the syslog sender (the DC, 192.168.70.50) and add the Syslog Parse Profile as a filter.
After this, complete the User-ID configuration on the firewall. The management interface must have the User-ID Syslog Listener-UDP service enabled for records sent with the single @ form to be accepted. UDP syslog is unauthenticated, so keep the monitored server list restricted to the real sender and prefer the SSL listener where the sender supports it.
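To make the processing chain concrete, here is an added Python example (not part of the original article and not Palo Alto Networks or Samba code). It builds constructed RFC 3164 datagrams modelled on the tail -f line from Step 1, applies the rsyslog selector from 00-samba.conf, and then applies the Username and Address regexes from the Syslog Parse Profile, preceded by an assumed Event Regex that restricts mappings to successful connects. The sample records, the helper names and the Event Regex are assumptions of the example, not settings from the article.

```python
"""Simulate the Samba -> rsyslog -> User-ID syslog path on constructed records.

Added example, not from the article, Samba or PAN-OS. Three stages are modelled:
  1. the RFC 3164 PRI rsyslog puts on the wire (tcpdump showed "local5.notice"),
  2. the selector in 00-samba.conf (programname == 'smbd_audit', severity 5),
  3. the Username/Address regexes from the Syslog Parse Profile, after an
     assumed Event Regex that keeps successful connects only.
"""
import re
import socket

FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local5": 21}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# Regexes exactly as entered in the Syslog Parse Profile (Step 2).
USERNAME_RE = re.compile(r"MYDOMAIN\\\w*[-._]?\w+")
ADDRESS_RE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
# Assumed Event Regex (not in the article): a full_audit record of the form
# prefix|connect|ok|share is the only thing that should create a mapping.
EVENT_RE = re.compile(r"\|connect\|ok\|")

# RFC 3164 header: <PRI>TIMESTAMP HOST TAG[PID]: MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample datagrams. <173> = local5.notice, <174> = local5.info,
# <29> = daemon.notice. Only the first two should become mappings.
SAMPLE_DATAGRAMS = [
    "<173>Jun 28 12:02:33 srvdc01 smbd_audit[1589]: MYDOMAIN\\usuario01 192.168.70.51 | IPC$|connect|ok|IPC$",
    "<173>Jun 28 12:03:10 srvdc01 smbd_audit[1589]: MYDOMAIN\\usuario02 192.168.70.52 | data|connect|ok|data",
    # failed disconnect: forwarded by rsyslog, but the event regex rejects it
    "<173>Jun 28 12:03:12 srvdc01 smbd_audit[1589]: MYDOMAIN\\usuario02 192.168.70.52 | data|disconnect|fail|data",
    # severity info: the rsyslog rule does not forward it
    "<174>Jun 28 12:04:00 srvdc01 smbd_audit[1589]: MYDOMAIN\\usuario03 192.168.70.53 | data|connect|ok|data",
    # wrong program name: the rsyslog rule does not forward it
    "<29>Jun 28 12:04:01 srvdc01 smbd[1589]: MYDOMAIN\\usuario04 192.168.70.54 | data|connect|ok|data",
]


def pri(facility, severity):
    """RFC 3164 PRI = facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def split_pri(value):
    """Inverse of pri(): (facility number, severity number)."""
    return value // 8, value % 8


def rsyslog_selects(prog, severity):
    """The condition from 00-samba.conf; only these records go to the firewall."""
    return prog == "smbd_audit" and severity == SEVERITIES["notice"]


def parse_datagram(line):
    """Split one syslog datagram into facility, severity, program name and message."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    facility, severity = split_pri(int(m.group("pri")))
    return {"facility": facility, "severity": severity,
            "prog": m.group("prog"), "msg": m.group("msg")}


def extract_mapping(msg):
    """Apply the parse profile: event must match, then pull user and address."""
    if not EVENT_RE.search(msg):
        return None
    user = USERNAME_RE.search(msg)
    addr = ADDRESS_RE.search(msg)
    if not (user and addr):
        return None
    # The firewall displays the mapped user in lower case (see the CLI output).
    return addr.group(0), user.group(0).lower()


def ip_user_mappings(datagrams):
    """Return {ip: user} as the firewall would learn it from these datagrams."""
    mappings = {}
    for line in datagrams:
        rec = parse_datagram(line)
        if rec is None or not rsyslog_selects(rec["prog"], rec["severity"]):
            continue
        found = extract_mapping(rec["msg"])
        if found:
            ip, user = found
            mappings[ip] = user
    return mappings


def send_test_datagram(line, host="192.168.10.6", port=514):
    """Send one constructed record to the firewall MGMT IP over UDP (the '@' form
    of the rsyslog rule) so the tcpdump/view-pcap check can be exercised on demand."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))


if __name__ == "__main__":
    for ip, user in sorted(ip_user_mappings(SAMPLE_DATAGRAMS).items()):
        print(f"{ip:<16} SYSLOG {user}")
```

Run as a script it prints the two mappings the firewall would learn; the info-severity and non-smbd_audit lines are dropped by the rsyslog stage, and the failed disconnect is forwarded but rejected by the event regex. One thing worth checking in your own output of show user ip-user-mapping: \w+ in the username regex stops before a trailing $, so if an account whose name ends in $ (as Active Directory computer accounts do) connects to a share, the name minus the $ would be mapped as a user; tighten the Username Regex or the Event Regex if such entries appear.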
When the firewall configuration is finished, you should see the Samba logon events as IP-to-user mappings. Open a firewall SSH session:
admin@pa-220-lab> show user ip-user-mapping all type SYSLOG
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------ ------- -------------------------------- -------------- -------------
192.168.70.51 vsys1 SYSLOG mydomain\usuario01 2696 2696
Total: 1 users
Check the group mapping for the mapped IP:
admin@pa-220-lab> show user ip-user-mapping ip 192.168.70.51
IP address: 192.168.70.51 (vsys1)
User: mydomain\usuario01
From: SYSLOG
Idle Timeout: 2684s
Max. TTL: 2684s
Group(s): mydomain\usuario01(30)
cn=users,cn=builtin,dc=mydomain,dc=local(2147483674)
cn=domain users,cn=users,dc=mydomain,dc=local(2147483696)
You can also watch the syslog-sourced mappings in real time in the GUI: go to Monitor > Logs > User-ID, enter the filter ( datasource eq syslog ) and press Enter. The Samba logon events will be listed there.
Hope this article helps increase User-ID adoption on Palo Alto Networks next-generation firewalls (NGFW).
Please feel free to leave comments or questions below.
This article was contributed by @fabianopereira
About the Author
Fabiano works as a post-sales coordinator for LDC Soluções in Brazil; his main focus is information security, using composite platforms based on NGFW, endpoint, SaaS and cloud technologies.