SMB Auditing
All SMB authentications are recorded in Oracle Solaris audit logs and can be accessed by using the audit tools. The SMB authentications are logged for all domain or local users. The SMB events AUE_smbd_session and AUE_smbd_logoff are part of the lo class, which audits logins, logouts, and screen locks. The praudit command enables you to get a list of audit trail records. The audit files are stored in the /var/audit directory.
To view the list of files in the /var/audit directory, use the following command:
$ ls -l /var/audit/
You can select a file in the /var/audit directory and view its records in one of the following ways:
- To view all login and logout audit records in a file, use the following command:
  $ auditreduce -c lo /var/audit/filename | praudit -ls
- To view all SMB login audit records in a file, use the following command:
  $ auditreduce -c lo -m AUE_smbd_session /var/audit/filename | praudit -ls
- To view all SMB logout audit records in a file, use the following command:
  $ auditreduce -c lo -m AUE_smbd_logoff /var/audit/filename | praudit -ls
- To generate an HTML report of all login and logout audit records, use the following command:
  $ auditreduce -c lo /var/audit/* | praudit -x | xsltproc - > filename.html
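The following script is an added example, not part of the Oracle documentation. It summarizes SMB session outcomes per user from praudit -ls output, which helps spot repeated failed SMB logins. The function names are hypothetical, the sample records are constructed, and the token layout (header, subject, return) is an assumption to verify against your own records.

```shell
#!/bin/sh
# Assumed one-line record layout (constructed; verify on your system):
#   header,<len>,<ver>,<event>,...,subject,<audit-user>,...,return,<status>,<value>
# Real use:
#   auditreduce -c lo -m AUE_smbd_session /var/audit/filename | praudit -ls | smb_session_summary

# Print "<user> <status> <count>" for every AUE_smbd_session record on stdin.
smb_session_summary() {
    awk -F, '
        $1 == "header" && $4 == "AUE_smbd_session" {
            user = "?"; status = "?"
            # Locate tokens by name, not position, so the time
            # format in the header cannot shift the fields we read.
            for (i = 5; i < NF; i++) {
                if ($i == "subject" && user == "?") user = $(i + 1)
                if ($i == "return") status = $(i + 1)
            }
            count[user " " status]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Print users with at least $1 session records whose status is not success.
smb_failed_users() {
    smb_session_summary | awk -v min="$1" '
        $2 !~ /^success/ { fails[$1] += $NF }
        END { for (u in fails) if (fails[u] >= min) print u }
    ' | sort
}

# Constructed sample records (not captured from a real system).
sample_records() {
    cat <<'EOF'
header,120,2,AUE_smbd_session,,fileserver1,2024-01-10 09:00:01.000 +00:00,subject,alice,alice,staff,alice,staff,0,0,0 0 client1,return,success,0
header,120,2,AUE_smbd_session,,fileserver1,2024-01-10 09:00:05.000 +00:00,subject,bob,bob,staff,bob,staff,0,0,0 0 client2,return,failure,-1
header,120,2,AUE_smbd_session,,fileserver1,2024-01-10 09:00:06.000 +00:00,subject,bob,bob,staff,bob,staff,0,0,0 0 client2,return,failure,-1
header,120,2,AUE_smbd_session,,fileserver1,2024-01-10 09:00:07.000 +00:00,subject,bob,bob,staff,bob,staff,0,0,0 0 client2,return,failure,-1
header,110,2,AUE_smbd_logoff,,fileserver1,2024-01-10 09:30:00.000 +00:00,subject,alice,alice,staff,alice,staff,0,0,0 0 client1,return,success,0
EOF
}

sample_records | smb_session_summary
```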
For more information about auditing in Oracle Solaris, see Managing Auditing in Oracle Solaris 11.4. You can also see the auditreduce(8) and praudit(8) man pages.