Full_audit - prefix lost with non-home shares

Dewayne Geraghty dewaynegeraghty at gmail.com
Mon Jul 25 09:23:14 UTC 2016


I'm very happy with full_audit as it processes the following correctly for
[homes] share.  Unfortunately the same full_audit attributes do not display
the prefix when requested for any other share.

The full_audit setup is
full_audit:prefix = %u|%D|%S|%m|%M|%I|%d|%P
full_audit:success = connect opendir open unlink
full_audit:failure = none
full_audit:facility = LOCAL6
full_audit:priority = NOTICE

I have applied this to each share individually (per the man page), and also
globally (after removing from the specific shares); the outcome is the
same. Samba is restarted after each change to the config file.

This is the result for a "home" share
Jul 25 14:28:01 hermes smbd_audit:
chris||chris|noddy|10.0.5.3|10.0.5.3|96270|/home/chris|open|ok|r|D
Jul 25 16:01:57 hermes smbd_audit:
chris||chris|noddy|10.0.5.3|10.0.5.3|98550|/home/chris|open|ok|w|D/test.txt
Jul 25 16:01:57 hermes smbd_audit:
chris||chris|noddy|10.0.5.3|10.0.5.3|98550|/home/chris|open|ok|r|D

but for any other share, no prefix
Jul 25 16:27:00 hermes smbd_audit: |open|ok|w|Goodbye.txt
Jul 25 16:27:00 hermes smbd_audit: |open|ok|r|.
Jul 25 16:27:00 hermes smbd_audit: |unlink|ok|Goodbye.txt
Jul 25 16:27:00 hermes smbd_audit: |open|ok|r|.

This is running on an i386 FreeBSD 10.3 machine.  All other services are
running correctly; and samba is running as a Standalone system. The Samba
configuration has been unchanged for around a year.  The version of Samba
is currently 4.3.9.  (I have attempted to install and run Samba 4.4.5 but
that will be a separate email stream)

I welcome any advise/suggestions as I've tried various combinations
(including removing other vfs layers) and I'm out of ideas.

Regards, Dewayne.

-- 
*Disclaimer:*



*As implied by email protocols, the information in this message is not
confidential. Any intermediary or recipient may inspect, modify (add),
copy, forward, reply to, delete, or filter email for any purpose unless
said parties are otherwise obligated.  Nothing in this message may be
legally binding without cryptographic evidence of its integrity and/or
confidentiality.*


More information about the samba-technical mailing list