SMB File Change Auditing

Svedriall

Cadet
Joined
Mar 9, 2022
Messages
5
I work at an educational institution where our curriculum files are pretty valuable in a sense. We are going to be changing our file server to a different machine. I was testing TrueNAS 12 for the time being. I was able to enable full_audit on some of the shares. Read about VFS modules and tested some out too, changed the path to where I wanted and can see the logs. The problem is that the logs are way too much and way too complicated to read and analyze. I've tried to use "Netwrix" to hook into the system and get reports and notifications from there. It didn't work for some reason. If anyone has any kind of experience to make it work, I'd be delighted to no end.

Here is the question: Is there a plugin/system tutorial to actually get event reports to some kind of platform (preferably Slack notification) when a user deletes, opens, modifies, creates or moves a file in real-time?

I've been trying and searching for a solution for a few days; by no means am I an expert, but here are my findings:
  • Netwrix: Didn't work, couldn't connect or get data from the server, no documentation about BSD support, assumed not compatible.
  • GrayLog Plugin: Couldn't make it work, the given management address doesn't respond. Tried a few installations, no cigar. Not exactly what I want anyway.
  • full_audit: Too much output, too complex to read.
  • kqueue: Couldn't find any guide to install it on a Jail.
  • ZFS snapshot diff: Method too static to get any real-time stream.
Thank you.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I think you need to persist with the full_audit logging and have your syslogs go to a graylog jail (which you will need to get working)...

You can then do filtering in graylog to make the output sensible and have alerts go to slack via graylog (which it can do).

If you do your research properly, I'm sure it can give you what you're asking for that way.

I was able to install a graylog plugin jail without issue and get into the admin portal, so you'll need to be more specific about what didn't work for you if you want some help with that. (did you connect to http://jail.ip:9000/ ?)
 

Svedriall

Cadet
Joined
Mar 9, 2022
Messages
5
Hi,

I was thinking the same, just got confirmation from Netwrix that it doesn't support the OS at all.

The problem with the graylog is that it seems like the jail is getting created without a hitch; it gives me the IP and login details in the installation notes, but the IP that was provided, which is the same as TrueNAS's but with port 9000 as you mentioned, seems not to exist and the page can't be found when I try to log in.

What kind of information would you like me to look up?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I would suggest running the plugin as a VNET jail (with DHCP if you can).

It worked fine for me like that.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
What kind of information would you like me to look up?
You should start by doing the VNET jail thing I suggested which will give the jail its own IP address

Then when you can use Graylog, look through what's being logged and think about keywords (like renameat, open, etc) which you can then use to trigger alerts, which can then in turn trigger notifications to slack.
 

Svedriall

Cadet
Joined
Mar 9, 2022
Messages
5
Yeah, tried that a moment ago, but selecting DHCP instead of NAT results in an error towards the end of installation:

Code:
pkg.FreeBSD.org could not be reached via DNS
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
It sounds like your Network | Global Configuration may not have DNS defined or the Default Gateway may be missing.
 

Svedriall

Cadet
Joined
Mar 9, 2022
Messages
5
Sadly, I couldn't figure out what the problem could be about the DNS nameserver or my gateway, tried giving it my local DNS provider as well, error stays the same.

Error: graylog had a failure Exception: RuntimeError Message: pkg.FreeBSD.org could not be reached via DNS, check graylog's network configuration Partial plugin destroyed

If I configure some things manually, I can then install, basically doing NAT manually, but that ends up being unreachable.

You can find my Global Configuration screen below.

[attached screenshot: 1647258475947.png]
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
OK, can we go step by step through how you're setting up the plugin (screenshots)?
 

Svedriall

Cadet
Joined
Mar 9, 2022
Messages
5
Heya,

I've given up on TrueNAS Plugin installation or jailing it altogether and installed as a standalone on a different VM, not sure what kind of problems it's gonna bring but at least I can connect to the web interface and mingle with it. Thank you for trying to help.

Now that I'm here, I expected more of a documentation / path forward on tying TrueNAS SMB logs and Graylog together to get a stream of logs running, but I'm even more confused about how I'm supposed to make it work. Is there any documentation that's actually related to Graylog + TrueNAS, or am I missing some key knowledge regarding SMB/Logging/Auditing?

Trying to learn.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I expected more of a documentation / path forwards onto tying TrueNAS SMB Logs and Graylog together to get a stream of logs running, but I'm even more confused with how I'm supposed to make it work
In Graylog, you make an input stream...

System | Inputs...

Select input as Syslog UDP and "Launch New Input".

Not much to do other than naming it and selecting a port.

Then in TrueNAS, System | Advanced, Input your Syslog Server IP (and optionally the port like 192.168.1.2:5141 if you changed the port from 514)

That's it. You will then have logs in Graylog.

Now you just need to follow Graylog documentation to work out filtering, alerting and Notifications.
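The keyword filtering suggested earlier in the thread (alerting on operations such as renameat and open) and the syslog forwarding described in this reply can be tried out offline before building the rules in Graylog. The following is an added example, not code from the thread or from TrueNAS/Samba/Graylog: it parses full_audit lines as they would arrive over syslog, keeps only the operations worth alerting on, and formats each one as the text a Slack notification would carry. It assumes the default full_audit prefix of `%u|%I|%m|%S` (user, client IP, client name, share) in front of the operation, result and arguments, and the argument layouts for open/unlinkat/renameat/mkdirat shown in the constructed sample lines; the sample lines, hostnames, user names and paths are all constructed for the example.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

# Samba full_audit operations worth alerting on (the thread mentions renameat and open).
# Noisy operations such as getxattr/stat are deliberately left out.
INTERESTING_OPS = {"open", "unlinkat", "renameat", "mkdirat"}

# Classic BSD-syslog line as forwarded by TrueNAS: "<timestamp> <host> smbd_audit: <body>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+smbd_audit:\s+(?P<body>.*)$"
)


@dataclass
class AuditEvent:
    timestamp: str
    host: str
    user: str
    client_ip: str
    share: str
    op: str
    result: str
    args: list[str] = field(default_factory=list)


def parse_line(line: str) -> AuditEvent | None:
    """Parse one forwarded full_audit line; return None for any other syslog line.

    Assumption: the default full_audit prefix "%u|%I|%m|%S" is in use, so the body is
    user|client_ip|client_name|share|operation|result|arg1|arg2...
    """
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    fields = m.group("body").split("|")
    if len(fields) < 6:
        return None
    user, client_ip, _client_name, share, op, result = fields[:6]
    return AuditEvent(m.group("ts"), m.group("host"), user, client_ip, share, op, result, fields[6:])


def filter_events(lines, ops=INTERESTING_OPS, only_success=True):
    """Yield only the events an operator wants notified about."""
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.op not in ops:
            continue
        if only_success and ev.result != "ok":
            continue  # denied attempts are worth a separate, lower-priority rule
        yield ev


def describe(ev: AuditEvent) -> str:
    """Human-readable one-liner, e.g. for a Slack message."""
    if ev.op == "renameat" and len(ev.args) >= 2:
        what = f"moved {ev.args[0]} -> {ev.args[1]}"
    elif ev.op == "unlinkat" and ev.args:
        what = f"deleted {ev.args[-1]}"
    elif ev.op == "mkdirat" and ev.args:
        what = f"created directory {ev.args[-1]}"
    elif ev.op == "open" and len(ev.args) >= 2:
        # Assumed layout: open|ok|<mode r/w>|<path>
        mode = "for writing" if "w" in ev.args[0] else "for reading"
        what = f"opened {ev.args[-1]} {mode}"
    else:
        what = f"{ev.op} {' '.join(ev.args)}"
    status = "" if ev.result == "ok" else f" [{ev.result}]"
    return f"{ev.timestamp} {ev.user}@{ev.client_ip} {what} on share '{ev.share}'{status}"


def slack_payload(ev: AuditEvent) -> str:
    """JSON body in the shape a Slack incoming webhook accepts ({"text": ...})."""
    return json.dumps({"text": describe(ev)})


def alerts(lines, **kw) -> list[str]:
    return [describe(ev) for ev in filter_events(lines, **kw)]


# Constructed sample input: what a handful of forwarded syslog lines could look like.
SAMPLE_LINES = [
    "Mar 14 10:12:01 truenas smbd_audit: jdoe|192.168.1.50|PC-12|curriculum|open|ok|r|math/unit3.docx",
    "Mar 14 10:12:05 truenas smbd_audit: jdoe|192.168.1.50|PC-12|curriculum|renameat|ok|math/unit3.docx|math/old/unit3.docx",
    "Mar 14 10:13:30 truenas smbd_audit: asmith|192.168.1.77|PC-04|curriculum|unlinkat|ok|science/lab1.pdf",
    "Mar 14 10:13:31 truenas smbd_audit: asmith|192.168.1.77|PC-04|curriculum|getxattr|ok|science/lab1.pdf",
    "Mar 14 10:14:00 truenas smbd_audit: guest|192.168.1.99|PC-09|curriculum|unlinkat|fail (Permission denied)|science/lab2.pdf",
    "Mar 14 10:14:02 truenas sshd[123]: Accepted publickey for root from 192.168.1.5",
]

if __name__ == "__main__":
    for event in filter_events(SAMPLE_LINES, only_success=False):
        print(slack_payload(event))
```

The same three decisions (which operation names to match, whether to drop failed attempts, how to turn the pipe-separated arguments into a sentence) map directly onto a Graylog extractor plus stream rules and an alert notification; running them here first shows how much of the full_audit volume survives the filter before any Slack traffic is generated.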
 