diff --git a/scripts/base/protocols/smb/main.bro b/scripts/base/protocols/smb/main.bro
index 246f578022..8e8ad032dd 100644
--- a/scripts/base/protocols/smb/main.bro
+++ b/scripts/base/protocols/smb/main.bro
@@ -5,6 +5,7 @@ module SMB;
 export {
 	redef enum Log::ID += {
 		CMD_LOG,
+		AUTH_LOG,
 		MAPPING_LOG,
 		FILES_LOG
 	};
@@ -36,8 +37,7 @@ export {
 	## The file actions which are logged.
 	const logged_file_actions: set[Action] = {
 		FILE_OPEN,
-		FILE_READ,
-		FILE_WRITE,
+		FILE_CLOSE,
 		PIPE_OPEN,
 		PIPE_CLOSE,
@@ -95,6 +95,13 @@ export {
 		share_type : string &log &default="UNKNOWN";
 	};
 
+	type AuthInfo: record {
+		ts : time &log &optional;
+		username : string &log &optional;
+		hostname : string &log &optional;
+		domainname : string &log &optional;
+	};
+
 	## This record is for the smb_cmd.log
 	type CmdInfo: record {
 		## Timestamp of the command request
@@ -142,6 +149,8 @@ export {
 		current_file : FileInfo &optional;
 		## A reference to the current tree.
 		current_tree : TreeInfo &optional;
+		## A reference to the currently authenticated user.
+		current_auth : AuthInfo &optional;
 		## Indexed on MID to map responses to requests.
 		pending_cmds : table[count] of CmdInfo &optional;
@@ -202,6 +211,7 @@ redef likely_server_ports += { ports };
 event bro_init() &priority=5
 	{
 	Log::create_stream(CMD_LOG, [$columns=SMB::CmdInfo]);
+	Log::create_stream(AUTH_LOG, [$columns=SMB::AuthInfo]);
 	Log::create_stream(FILES_LOG, [$columns=SMB::FileInfo]);
 	Log::create_stream(MAPPING_LOG, [$columns=SMB::TreeInfo]);
diff --git a/scripts/base/protocols/smb/smb1-main.bro b/scripts/base/protocols/smb/smb1-main.bro
index b0d7ef58b5..fc45d02e5a 100644
--- a/scripts/base/protocols/smb/smb1-main.bro
+++ b/scripts/base/protocols/smb/smb1-main.bro
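Review bot: The `## The file actions which are logged.` comment above logged_file_actions no longer tells the reader that FILE_READ and FILE_WRITE are left out of the default set, which is a visibility trade-off an operator should see without diffing history, since read/write events are what expose bulk data access and bulk-write patterns on a share. I would extend the comment to `## The file actions which are logged. FILE_READ and FILE_WRITE are excluded from the default set (presumably for volume); add them here if that visibility is needed.` and confirm the constant is declared `&redef` so that is actually possible, which the hunk does not show.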
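Review bot: AuthInfo in the @@ -95 hunk carries no `uid`/`id` fields, so a row of the new auth log cannot be joined back to conn.log or to the smb_cmd.log entries of the same session, which is the first thing an analyst needs when triaging a suspicious logon. The record is also entirely undocumented, while every other record in this file annotates its fields with `##` comments. I would add `uid : string &log;` and `id : conn_id &log;` (filled from `c$uid` and `c$id` where the record is built), make `ts` non-optional since the constructor always sets it, and document each field, e.g. `## Timestamp of the NTLMSSP authenticate request` and `## Username, workstation and domain exactly as asserted by the client; not verified`.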
@@ -282,29 +282,22 @@ event smb_ntlm_negotiate(c: connection, hdr: SMB1::Header, request: SMB::NTLMNeg
 	{
 	c$smb_state$current_cmd$sub_command = "NTLMSSP_NEGOTIATE";
 	}
-
-event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool)
-	{
-	if ( ! is_orig )
-		{
-		# This is for deferred commands only.
-		# The more specific messages won't fire for errors
-		if ( SMB::write_cmd_log &&
-		     ( c$smb_state$current_cmd$status !in SMB::ignored_command_statuses ) &&
-		     ( c$smb_state$current_cmd$command in SMB::deferred_logging_cmds ) )
-			{
-			Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
-			}
-		}
-	}
-event smb_ntlm_authenticate(c: connection, hdr: SMB1::Header, request: SMB::NTLMAuthenticate)
+event smb_ntlm_authenticate(c: connection, hdr: SMB1::Header, request: SMB::NTLMAuthenticate) &priority=5
 	{
 	c$smb_state$current_cmd$sub_command = "NTLMSSP_AUTHENTICATE";
+	c$smb_state$current_auth = SMB::AuthInfo($ts=network_time());
+	if ( request?$domain_name )
+		c$smb_state$current_auth$domainname = request$domain_name;
+	if ( request?$workstation )
+		c$smb_state$current_auth$hostname = request$workstation;
+	if ( request?$user_name )
+		c$smb_state$current_auth$username = request$user_name;
+
 	local user: string = "";
 	if ( ( request?$domain_name && request$domain_name != "" ) &&
 	     ( request?$user_name && request$user_name != "" ) )
-		user = fmt("%s\\%s", request$domain_name, request$user_name);
+		user = fmt("%s\\%s", request$domain_name, request$user_name);
 	else if ( ( request?$workstation && request$workstation != "" ) &&
 	     ( request?$user_name && request$user_name != "" ) )
 		user = fmt("%s\\%s", request$workstation, request$user_name);
 	else if ( request?$user_name && request$user_name != "" )
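Review bot: The AuthInfo built at the top of smb_ntlm_authenticate records only what the client put in the NTLMSSP_AUTHENTICATE request, and it appears to be written (next hunk) on that same event, before any server response is seen, so the new log captures authentication attempts rather than successful logons, which a reader of a log named after authentication will likely assume otherwise. Either the write should move to the response path where `c$smb_state$current_cmd$status` is known and can be carried into the record, or the record documentation should state plainly that these are client-asserted credentials of an attempt with no success indication. The `username`, `hostname` and `domainname` values are untrusted wire strings; that is fine for logging, but worth saying in the field docs so nobody treats them as verified identity. Separately, the `user = fmt(...)` line is removed and re-added with identical text, which looks like a whitespace-only change and could be dropped from the commit. smb_ntlm_authenticate's body continues past the end of the hunk.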
@@ -325,6 +318,11 @@ event smb_ntlm_authenticate(c: connection, hdr: SMB1::Header, request: SMB::NTLM
 		}
 	}
+event smb_ntlm_authenticate(c: connection, hdr: SMB1::Header, request: SMB::NTLMAuthenticate) &priority=5
+	{
+	Log::write(SMB::AUTH_LOG, c$smb_state$current_auth);
+	}
+
 event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count)
 	{
 	c$smb_state$current_cmd$sub_command = SMB1::trans_sub_commands[sub_cmd];
@@ -387,7 +385,22 @@ event smb_pipe_request(c: connection, hdr: SMB1::Header, op_num: count)
 	c$smb_state$current_cmd$argument = arg;
 	}
-
+
+event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool)
+	{
+	if ( ! is_orig )
+		{
+		# This is for deferred commands only.
+		# The more specific messages won't fire for errors
+		if ( SMB::write_cmd_log &&
+		     c$smb_state$current_cmd$status !in SMB::ignored_command_statuses &&
+		     c$smb_state$current_cmd$command in SMB::deferred_logging_cmds )
+			{
+			Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
+			}
+		}
+	}
+
 #event smb1_transaction_setup(c: connection, hdr: SMB1::Header, op_code: count, file_id: count)
 #	{
 #	local uuid = SMB::rpc_uuids[c$smb_state$pipe_map[file_id]];
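Review bot: The new write-only handler for smb_ntlm_authenticate uses `&priority=5`, the same priority as the handler in the previous hunk that populates `c$smb_state$current_auth`, so correct ordering depends on the two definitions appearing in this order within one file, and any other script that wants to enrich the record at priority 5 races with the write. The usual pattern is to write at a lower priority, `event smb_ntlm_authenticate(c: connection, hdr: SMB1::Header, request: SMB::NTLMAuthenticate) &priority=-5`, and since `current_auth` is declared `&optional` a guard `if ( c$smb_state?$current_auth )` in front of `Log::write` avoids a runtime error if a future handler ever skips or clears it. A one-line `##` comment saying this handler only emits the record built by the higher-priority handler would also help the next reader.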