MONITORING user's file activity in SAMBA (2.0.7)

Joel Hammer Joel at
Fri Oct 5 20:31:07 GMT 2001

> > My goal is to figure out which client computer
> > issued a specific file/dir deletion on the
> > samba-server. The problem is: every client
> > machine uses the same user name to logon to
> > the shares (as I wrote: screwed-up-architecture).
> Fix the architecture.  Once you have done that, and users using their
> own logins, then look into the audit vfs example module (may require
> coding for your particular situation).
One surprising thing about logging shares.
Even though I use a guest (ftp) for all my shares, with logging set to 3,
the log shows the original user name opening the file but the guest user closing
the file.
Don't forget, you can capture the ip of the client machine and other id
information of the machine and use it to set up a unique log file for each
Artful use of preexec
and postexec scripts might be of use, too, say to strip out stuff from the
log you want to save or log info about the user and his machine when he logs
on.  For example, just fooling around, there was only one
reply_unlink comment in my log file after deleting a file. (reply_unlink :
\tmp\DEMING.qpw ) Surprisingly, it didn't give the name of the user who
unlinked the file.  You could set up
a post exec script to look through the log file and email you with the name
of the file unlinked during that session, or do the same thing with a cron
job. You could keep the log files small with a directive in your smb.conf file,
But, I would probably follow the pro's suggestion.

More information about the samba mailing list