From 33c03ebe451409dce9298ad8ff0b3e482c121316 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud <daniel@firewall-services.com>
Date: Tue, 12 Jan 2021 19:23:28 +0100
Subject: [PATCH] Small fixes in check_samba_dc (skip unparsable logs, and
 handle message with NT_STATUS_NO_SUCH_USER

---
 zabbix_scripts/check_samba_dc_sudo | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/zabbix_scripts/check_samba_dc_sudo b/zabbix_scripts/check_samba_dc_sudo
index 56b55d4..835a2c8 100644
--- a/zabbix_scripts/check_samba_dc_sudo
+++ b/zabbix_scripts/check_samba_dc_sudo
@@ -147,6 +147,8 @@ if (defined $ou){
     open (my $auth_log, '<', $audit_auth_log) or die "Couldn't open $audit_auth_log : $!\n";
     foreach my $line (<$auth_log>){
       my $event = from_json($line);
+      # Skip the log entry if we can't parse JSON
+      next if (not defined $event);
       my $type = $event->{type};
       # We're only interested in Authentication and Authorization messages
       next if ($type ne 'Authentication' and $type ne 'Authorization');
@@ -159,7 +161,7 @@ if (defined $ou){
       my $subject;
       if ($type eq 'Authentication'){
         # Accounts ending with $ are for computers
-        $subject = ($event->{$type}->{mappedAccount} =~ m/\$$/) ? 'computers' : 'users';
+        $subject = (($event->{$type}->{mappedAccount} || $event->{$type}->{clientAccount} || '')=~ m/\$$/) ? 'computers' : 'users';
         if ($event->{Authentication}->{status} eq 'NT_STATUS_OK'){
           $json->{activity}->{authentications}->{$subject}->{success}++;
         } else {