[Samba] Samba Audit Logs
Robin G
robinghere3 at gmail.com
Sun May 6 10:05:20 UTC 2018
Hi Rowland,
here is the smb.conf. All shares have the full_audit
[global]
workgroup = RESOLVS
netbios name = DC1
security = USER
obey pam restrictions = yes
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
os level = 50
####
LDAP definitions
####
### Logging
syslog = 0
log file = /var/log/samba/%m
Log level = 0 vfs:0
max log size = 0
full_audit:prefix = %u|%I|%S
full_audit:failure = none
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice
[homes]
create mask = 0700
directory mask = 0700
browseable = No
read only = No
path = %H
vfs objects = full_audit
[data]
path = /srv/data
force group = allusers
read only = No
inherit permissions = Yes
hide unreadable = Yes
vfs objects = full_audit
Regards,
Rob
On Sun, May 6, 2018 at 12:20 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Sat, 5 May 2018 11:11:21 -0300
> "Ethy H. Brito via samba" <samba at lists.samba.org> wrote:
>
> > On Sat, 5 May 2018 23:40:47 +1000
> > Robin G via samba <samba at lists.samba.org> wrote:
> >
> > ...
> >
> >
> > > full_audit:prefix = %u|%I|%S
> > > full_audit:failure = none
> > > full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> > > full_audit:facility = local5
> > > full_audit:priority = notice
> > >
> > >
> > > The following in /etc/rsyslog.d/00-samba-audit.conf
> > > local5.notice /var/log/samba/audit.log
> > > & ~
> > >
> > > and the following in /etc/rsyslog.d/50-default.conf
> > > *.*;auth,authpriv.none -/var/log/syslog
> > > *.*;local5,auth,authpriv.none -/var/log/syslog
> > > local5.notice /var/log/samba/audit.log
> > >
> > > The samba service and rsyslog have been restarted multiple times
> >
> >
> > I think you may be missing
> >
> > vfs objects = full_audit
> >
> > in each and every share you want to monitor.
> >
> > Ethy
> >
> >
>
> You are guessing there and this isn't surprising, as the OP didn't give
> us the main piece of evidence, their smb.conf. Without this, anything
> suggested would be a guess.
>
> Rowland
>
>
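The two things this thread turns on, whether every share loads full_audit and which facility.priority pair the rsyslog rule has to match, can be checked mechanically from smb.conf. The following is an added example, not part of the original messages: the sample config is constructed from the one posted above, the [scratch] share is hypothetical, and the function names are made up for illustration.

```python
import configparser

# Constructed sample modelled on the smb.conf posted in this thread.
# [scratch] is a hypothetical share added to show one without auditing.
SAMPLE_SMB_CONF = """\
[global]
workgroup = RESOLVS
full_audit:prefix = %u|%I|%S
full_audit:facility = local5
full_audit:priority = notice
[homes]
path = %H
vfs objects = full_audit
[data]
path = /srv/data
vfs objects = full_audit
[scratch]
path = /srv/scratch
"""

def parse(text):
    # Only "=" is a delimiter, so "full_audit:facility" stays one key.
    # RawConfigParser avoids interpolating %u, %I, %S and %H.
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      delimiters=("=",))
    # Samba ignores case and whitespace in parameter names.
    cp.optionxform = lambda key: key.replace(" ", "").lower()
    cp.read_string(text)
    return cp

def unaudited_shares(cp):
    """Shares whose effective 'vfs objects' list lacks full_audit."""
    default = cp.get("global", "vfs objects", fallback="") or ""
    missing = []
    for share in cp.sections():
        if share.lower() == "global":
            continue  # [global] supplies defaults, it is not a share
        value = cp.get(share, "vfs objects", fallback=default) or ""
        if "full_audit" not in value.replace(",", " ").split():
            missing.append(share)
    return missing

def syslog_selector(cp):
    """facility.priority that an rsyslog rule must match, or None if unset."""
    facility = cp.get("global", "full_audit:facility", fallback=None)
    priority = cp.get("global", "full_audit:priority", fallback=None)
    return f"{facility}.{priority}" if facility and priority else None

if __name__ == "__main__":
    conf = parse(SAMPLE_SMB_CONF)
    print("shares without full_audit:", unaudited_shares(conf))
    print("rsyslog selector to match:", syslog_selector(conf))
```

Only the [global] values of full_audit:facility and full_audit:priority are read here; per-share overrides are not considered.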