hhetter at samba.org
Thu Nov 22 04:18:40 MST 2012
On 21.11.2012 11:47, L9WEB wrote:
> Good afternoon. I plan to develop a system similar to sarg (squid) for
> creation of friendly logs of the AUDIT VFS.
SMB Traffic Analyzer can do this for a number of VFS operations, but
not the full scale of vfs_audit/vfs_full_audit.
It can produce things like:
-- userXYZ opened file "blahblah" on share $SHARE in domain $DOMAIN at
-- userXYZ wrote 1005 bytes to file "blahblah" on $SHARE in domain
$DOMAIN at $TIMESTAMP. --
It produces XML as output which can be converted to pretty much anything.
> I wonder about the operations, what expression I use to:
> - Open a file in MS-WORD or ADOBE PDF in a terminal-WINDOWS
Not sure what you want to reach for. In the VFS layer however you can
determine the file name and you can see if something has been opened,
closed, written to, or read from. With the rest of the data you can
catch there, you can write a program that puts out text that is able to
be easily read by humans.
Or, write a program that just interprets the output of audit/full_audit.
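
The last suggestion above, a program that interprets full_audit output, as an added example that is not part of the original message and not Samba or SMB Traffic Analyzer code. It assumes the syslog ident "smbd_audit" and the setting "full_audit:prefix = %u|%I|%S"; the log lines are constructed, and the names parse, describe and report are hypothetical.

```python
import re

# Constructed sample syslog lines. Assumption: smb.conf sets
# "full_audit:prefix = %u|%I|%S" (user|client IP|share); the module then
# appends |operation|result|arguments, with result "ok" or "fail (<error>)".
SAMPLE = """\
Nov 22 04:10:01 fs1 smbd_audit: alice|10.0.0.15|docs|open|ok|r|report.docx
Nov 22 04:10:09 fs1 smbd_audit: alice|10.0.0.15|docs|open|ok|w|report.docx
Nov 22 04:10:12 fs1 smbd_audit: bob|10.0.0.22|docs|open|fail (Permission denied)|r|payroll.pdf
Nov 22 04:10:30 fs1 smbd_audit: alice|10.0.0.15|docs|unlink|ok|old|draft.txt
Nov 22 04:10:31 fs1 smbd_audit: alice|10.0.0.15|docs|rename|ok|a.txt|b.txt
Nov 22 04:10:40 fs1 kernel: unrelated message
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ smbd_audit(?:\[\d+\])?: (.*)$")
PREFIX = ("user", "client", "share")          # must match full_audit:prefix
VERBS = {"unlink": "deleted", "mkdir": "created directory", "rmdir": "removed directory"}

def parse(line):
    """Return a dict for one audit line, or None if it is not one."""
    m = LINE.match(line)
    parts = m.group(2).split("|") if m else []
    if len(parts) < len(PREFIX) + 3:
        return None
    ev = dict(zip(PREFIX, parts), time=m.group(1), op=parts[len(PREFIX)])
    fail = re.fullmatch(r"fail \((.*)\)", parts[len(PREFIX) + 1])
    ev["error"] = fail.group(1) if fail else None
    ev["args"] = parts[len(PREFIX) + 2:]
    return ev

def describe(ev):
    """Render one event as a sentence; a '|' inside a file name is rejoined."""
    op, args = ev["op"], ev["args"]
    if op == "open":
        mode = "writing" if args[0] == "w" else "reading"   # first arg is the mode
        what = f'opened file "{"|".join(args[1:])}" for {mode}'
    elif op == "rename":
        what = f'renamed "{args[0]}" to "{"|".join(args[1:])}"'
    else:
        what = f'{VERBS.get(op, op)} "{"|".join(args)}"'
    text = f'{ev["user"]} ({ev["client"]}) {what} on share {ev["share"]} at {ev["time"]}'
    return f'FAILED ({ev["error"]}): {text}' if ev["error"] else text

def report(log_text):
    events = (parse(line) for line in log_text.splitlines())
    return [describe(ev) for ev in events if ev]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Failed operations are kept and flagged rather than dropped, since denied opens are usually the lines an audit reader cares about most.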