[Samba] vfs_full_audit log question

Kees van Vloten keesvanvloten at gmail.com
Mon Sep 11 19:14:03 UTC 2023


On 11-09-2023 18:49, d tbsky via samba wrote:
> Kees van Vloten via samba <samba at lists.samba.org>
>>
>> On 11-09-2023 at 12:14, d tbsky via samba wrote:
>>> Hi:
>>>     today my user reported that one directory on the samba share disappeared.
>>> I had configured vfs_full_audit like below:
>>>
>>>      vfs objects = recycle full_audit
>>>      full_audit:priority = notice
>>>      full_audit:facility = local5
>>>      full_audit:success = mkdirat renameat unlinkat
>>>      full_audit:failure = none
>>>      full_audit:prefix = %u|%I
>>>
>>> but I can not find the related log entry about the missing directory.
>>> normally I can find deleted/renamed files via the log. I wonder if
>>> there are some other vfs operations I should add to monitor
>>> directories?
>>>
>>> thanks a lot for your help!
>> Is your question what full_audit property to add to see a missing
>> directory? What exactly do you want to see, the deletion or a failing
>> call that tries to read it or something else?
> Hi:
>     sorry. I found the missing directory in the audit log. my user gave
> me incorrect information so it took me a long time to check the log.
> I use vfs_full_audit so that when a user can not find their stuff, I can
> understand what happened.
> however, currently vfs_full_audit writes too much useless data even with
> my current configuration above.
> for example it would log the data below:
>
> Sep 11 17:57:32 file smbd_audit[42497]: [2023/09/11 17:57:32.207301,
> 0] ../../lib/util/access.c:372(allow_access)
> Sep 11 17:57:32 file smbd_audit[42497]:  Denied connection from
> 10.11.1.19 (10.11.1.19)
> Sep 11 17:57:34 file smbd_audit[42497]: [2023/09/11 17:57:34.265839,
> 0] ../../lib/util/access.c:372(allow_access)
> Sep 11 17:57:34 file smbd_audit[42497]:  Denied connection from
> 10.11.1.19 (10.11.1.19)
> Sep 11 17:57:43 file smbd_audit[35644]: [2023/09/11 17:57:43.858408,
> 0] ../../source3/smbd/service.c:168(chdir_current_service)
> Sep 11 17:57:43 file smbd_audit[35644]:  chdir_current_service:
> vfs_ChDir(/share/samba/home/h347) failed: Permission denied. Current
> token: uid=11270, gid=10515, 3 groups: 11270 10515 11292
>
> I hope it logs only useful data like:
> Sep 11 17:37:03 file smbd_audit[35621]:
> DOM\bb0809|10.11.11.130|renameat|ok|/share/samba/home/bb0809/a.doc|/share/samba/home/bb0809/B09E48D8.tmp
>
> I am using RHEL9. so by default the log data will flow from journald to
> rsyslog to the file I defined (/var/log/samba/audit.log), which makes
> more useless data in the system.
> I tried to use the samba configuration to make the work simple:
>
> log level = 1 full_audit:1@/var/log/samba/audit.log
>
> but the log format is like below:
> [2023/09/11 18:04:10.938942,  1]
> ../../source3/modules/vfs_full_audit.c:643(do_log)
>    DOM\h1701|10.99.6.175|unlinkat|ok|/share/samba/public/863B5E69.tmp
> [2023/09/11 18:04:21.948413,  1]
> ../../source3/modules/vfs_full_audit.c:643(do_log)
>    DOM\h1701|10.99.6.175|renameat|ok|/share/samba/public/a.xlsx|/share/samba/public/.recycle/h1701/a.xlsx
>
> I get an additional " ../../source3/modules/vfs_full_audit.c:643(do_log)"
> for every log entry. it is really meaningless since the log file is made
> only for "vfs_full_audit".
>
> so I am thinking about how to get rid of the useless log data. maybe I
> should filter them out via rsyslog and forget about the garbage in
> journald. but it would be much better if the logging didn't go to journald
> in the first place.

You have already set it to log to rsyslog with the local5 facility; all 
you have to do is configure rsyslog to write the samba audit logs to 
/var/log/samba/audit.log. Put something like this:

:programname, startswith, "smbd_audit" {
  -/var/log/samba/audit_smb.log
  stop
}


in /etc/rsyslog.d/samba_audit_smb.conf and restart rsyslog (disclaimer: 
this is tested on Debian, I don't have Red Hat).

If it is still too noisy you can add additional filtering in the rsyslog 
conf file.

- Kees.

> below is my smb.conf. I think much of the useless data comes from the
> "hosts allow" definition.
>
> [global]
>     workgroup = DOM
>     netbios name = file
>     realm = AD.DOM.COM
>     security = ads
>     idmap config *:backend = tdb
>     idmap config *:range = 5000-9999
>     idmap config DOM:backend = rid
>     idmap config DOM:range = 10000-999999
>     idmap config DOM:unix_primary_group = yes
>     template homedir = /share/samba/home/%U
>     template shell = /bin/false
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind nested groups = yes
>     winbind use default domain = yes
>     ntlm auth =  ntlmv1-permitted
>     server min protocol = NT1
>     veto files = /.DS_Store/._.DS_Store/
>
>     # disable printing
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>
>     vfs objects = recycle full_audit
>     # audit setting
>     full_audit:priority = notice
>     full_audit:facility = local5
>     full_audit:success = mkdirat renameat unlinkat
>     full_audit:failure = none
>     full_audit:prefix = %u|%I
>
> [in]
>     path = /share/samba/public/in
>     read only = No
>     create mask = 0775
>     force create mode = 0775
>     directory mask = 0775
>     hide unreadable = No
>
>     # recycle bin
>     recycle:keeptree = yes
>     recycle:versions = yes
>     recycle:touch = yes
>     recycle:repository = .recycle/%U
>     recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
>     recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
>
>     hosts allow = 10.11.11. 10.11.253. 10.11.100.0/255.255.255.192
> 10.12.1.160 10.11.249.
>
> [out]
>     path = /share/samba/public/out
>     read only = No
>     create mask = 0775
>     force create mode = 0775
>     directory mask = 0775
>     hide unreadable = No
>
>     # recycle bin
>     recycle:keeptree = yes
>     recycle:versions = yes
>     recycle:touch = yes
>     recycle:repository = .recycle/%U
>     recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
>     recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
>
>     hosts allow = 10.11.100. 10.11.253.
>
> [mis]
>     path = /share/samba/public/mis
>     read only = No
>     create mask = 0775
>     force create mode = 0775
>     directory mask = 0775
>     hide unreadable = No
>
> [mis$]
>     path = /share/samba/public/mis
>     read only = Yes
>     browseable = No
>
> [homes]
>     read only = No
>     browseable = No
>
>     # recycle bin
>     recycle:keeptree = yes
>     recycle:versions = yes
>     recycle:touch = yes
>     recycle:repository = .recycle
>     recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
>     recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
>
>     hosts allow = 10.11.11. 10.11.253. 10.10.10. 10.11.100.0/255.255.255.192
>

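The post-processing the thread is after (keep only the full_audit records, drop the smbd debug noise such as the allow_access and chdir_current_service lines, and find every event that touched a directory a user reports missing), as an added example that is not code from the thread or from Samba. It parses the record layout produced by the `full_audit:prefix = %u|%I` setting above (user|ip|op|status|path[|newpath]) in both the syslog form and the `log level ... full_audit:1@file` form; the sample lines are constructed from the ones quoted in the thread, and the rename of the "reports" directory into the recycle bin is invented.

```python
import re

# One vfs_full_audit record with "full_audit:prefix = %u|%I":
#   DOM\user|10.11.11.130|renameat|ok|/old/path|/new/path
AUDIT_RE = re.compile(
    r"^(?P<user>[^|\s]+)\|(?P<ip>[0-9.]+)\|(?P<op>[a-z_]+)\|(?P<status>ok|fail)"
    r"\|(?P<path>[^|]+)(?:\|(?P<newpath>.+))?$"
)
SYSLOG_TAG_RE = re.compile(r"smbd_audit\[\d+\]:\s*")

def parse_audit_line(line):
    """Return a dict for a full_audit record, or None for noise
    (smbd debug output that shares the smbd_audit syslog tag)."""
    body = line.strip()
    m = SYSLOG_TAG_RE.search(body)
    if m:
        body = body[m.end():]   # drop "Mon DD HH:MM:SS host smbd_audit[pid]: "
    m = AUDIT_RE.match(body)
    if not m:
        return None
    ev = m.groupdict()
    ev["path"] = ev["path"].rstrip("/")
    return ev

def events_touching(lines, target):
    """Events whose source or destination path is `target` or lies under it:
    what to look at when a user reports that a directory has disappeared."""
    target = target.rstrip("/")
    hits = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None:
            continue
        for p in (ev["path"], ev["newpath"]):
            if p and (p == target or p.startswith(target + "/")):
                hits.append(ev)
                break
    return hits

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Sep 11 17:57:32 file smbd_audit[42497]: [2023/09/11 17:57:32.207301, 0] ../../lib/util/access.c:372(allow_access)
Sep 11 17:57:32 file smbd_audit[42497]:  Denied connection from 10.11.1.19 (10.11.1.19)
Sep 11 17:37:03 file smbd_audit[35621]: DOM\\bb0809|10.11.11.130|renameat|ok|/share/samba/home/bb0809/a.doc|/share/samba/home/bb0809/B09E48D8.tmp
Sep 11 17:40:11 file smbd_audit[35621]: DOM\\bb0809|10.11.11.130|renameat|ok|/share/samba/home/bb0809/reports|/share/samba/home/bb0809/.recycle/bb0809/reports
   DOM\\h1701|10.99.6.175|unlinkat|ok|/share/samba/public/863B5E69.tmp
""".splitlines()
```

Running `events_touching(SAMPLE_LOG, "/share/samba/home/bb0809/reports")` returns just the rename into the recycle bin, while the two debug lines are dropped by the parser.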
