[Samba] Audit

rruegner robert at ruegner.org
Mon Sep 20 13:55:47 GMT 2004 

hi, i have something like this in the logs
[2004/04/22 08:35:55, 2] smbd/open.c:open_file(240)
   tanrit opened file tanrit/Vorlagen/winword2.doc read=Yes write=No 
(numopen=5)
  so its user time file what else do you miss?
after all youre right grep this is much work and will produce
a lot of big files , if you want to automatic monitor all this
actions

But i had also my problems

i tried to set
/var/log/samba/%U.%m.log
to have user at machine log but this fails, i guess of massive logging 
actions,
i would like to see a parameter in samba like this
log file commun = ...
log file user =
log file machine =

perhaps someone of the gurus may implement this some day.



---these are my normal entires
log level = 2
syslog = 0
log file = /var/log/samba/%m.log
max log size = 100000
----
in the shares i have the audit module enabled

Regards

Marco De Vitis schrieb:

> Hello,
> I'm using Samba 3.0.7, and I'd like to keep logs of open/delete/etc.
> files, to be able to tell which user accessed a particular file at a
> certain moment, and so on.
> 
> Samba logs are a bit confusing for this purpose.
> I thought the audit VFS module was best suited for the task, but I
> encountered some problems:
> 
> 1. it does not clearly report which user did each action. Ok, it reports
> the PID, which could _maybe_ be put in relation with the user by searching
> in smbd logs, but it's uneasy.
> 
> 2. It outputs lots of stuff, cluttering syslog. Ok, I can use syslog
> config to filter user.notice events in a different file, but this does not
> prevent syslog from becoming cluttered. Moreover, I tried this, and the
> file where I redirected the output grew up to more than 200 MB in a couple
> of days! :(
> 
> 3. I'm now trying extd_audit, but the result seems more or less the same,
> if not even worse, as it also clutters Samba logs with its output.
> 
> 4. I've noticed the presence of a "full_audit" module in my installation,
> without any docs. I had a look at the source, it contains some docs, and
> it seems interesting, but the docs do not list all available arguments for
> its options, and when trying to use it in smb.conf I get some fatal errors
> when starting Samba (sorry, cannot report the exact errors at the moment).
> 
> Can anyone shed some light on the subject?
> Thanks a lot.
>

More information about the samba mailing list