Although it is certainly important to ensure that your machines are secure from outside attack, you also need to periodically audit the activity of your KDC to look for any malicious activity. Depending on your KDC vendor, the amount of logging that occurs by default can vary from none (Windows 2000’s default configuration) to a lot (Heimdal & MIT). In this section, we will examine the information that KDCs log, how to enable logging on your KDC, and how to read and understand the resulting log files.
The logging facilities built into these KDC implementations not only serve auditing purposes, but they also play a big role in debugging issues that may arise during the operation of your Kerberos system. First, let’s take a look back at the Kerberos protocol exchange. At each point where the KDC is contacted, the KDC usually provides an option to log that information to a file.
Each KDC has different auditing options, and different procedures for enabling auditing.
To enable logging in the MIT KDC, the krb5.conf file can contain a [logging] stanza with several variables that control where the logging output goes. Here are the

The kdc variable controls where the log for the KDC’s authentication service and Ticket Granting Service is sent. The logs produced in the file specified in the kdc variable contain all of the transactions between users, servers, and

variable controls where the logs for the
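The following is an added example, not code from the book: a small Python audit helper that reads the kind of log lines the kdc variable sends to a file, summarises authentication outcomes per client principal, and flags a client address that accumulates repeated failed AS_REQs. It assumes the usual MIT krb5kdc line format, and the sample lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the usual MIT krb5kdc log format (not a real capture).
# alice completes a normal preauth round trip and then gets a service ticket;
# bob fails preauthentication three times from the same address.
SAMPLE_LOG = """\
Mar 03 10:15:22 kdc.example.com krb5kdc[2134](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Mar 03 10:15:22 kdc.example.com krb5kdc[2134](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1583230522, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 03 10:16:01 kdc.example.com krb5kdc[2134](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1583230522, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/server.example.com@EXAMPLE.COM
Mar 03 10:20:05 kdc.example.com krb5kdc[2134](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Mar 03 10:20:06 kdc.example.com krb5kdc[2134](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Mar 03 10:20:07 kdc.example.com krb5kdc[2134](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
"""

# One AS_REQ/TGS_REQ line: timestamp, host, daemon, request type, client address,
# result code, optional ticket details, client principal, server principal, optional message.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[\d+\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<client_ip>\S+): "
    r"(?P<result>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+)(?:, (?P<detail>.*))?$"
)

# NEEDED_PREAUTH is the normal first leg of a preauthenticated AS exchange, not a failure.
NORMAL_RESULTS = {"ISSUE", "NEEDED_PREAUTH"}

def parse_kdc_line(line):
    """Return the fields of one recognised KDC log line, or None for anything else."""
    m = KDC_LINE.match(line.strip())
    return m.groupdict() if m else None

def audit_kdc_log(lines, failure_threshold=3):
    """Count request outcomes per client principal and flag (principal, address)
    pairs whose failed AS_REQs reach failure_threshold."""
    outcomes = defaultdict(Counter)
    failures = Counter()
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            continue  # unrelated daemon output, e.g. startup messages
        outcomes[rec["client"]][f'{rec["req"]}:{rec["result"]}'] += 1
        if rec["req"] == "AS_REQ" and rec["result"] not in NORMAL_RESULTS:
            failures[(rec["client"], rec["client_ip"])] += 1
    flagged = sorted(k for k, n in failures.items() if n >= failure_threshold)
    return {"outcomes": {c: dict(v) for c, v in outcomes.items()}, "flagged": flagged}

if __name__ == "__main__":
    print(audit_kdc_log(SAMPLE_LOG.splitlines()))
```

Point the script at the file named in the kdc variable to run it over a real log; the threshold and the set of "normal" results are the knobs to tune for your realm.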