[Samba] Audit

Marco De Vitis starless at spin.it
Mon Sep 20 13:34:24 GMT 2004

I'm using Samba 3.0.7, and I'd like to keep logs of file operations
(open, delete, etc.), to be able to tell which user accessed a particular
file at a certain moment, and so on.

Samba logs are a bit confusing for this purpose.
I thought the audit VFS module was best suited for the task, but I
encountered some problems:

1. It does not clearly report which user did each action. OK, it reports
the PID, which could _maybe_ be related to the user by searching
the smbd logs, but that's not easy.

2. It outputs lots of stuff, cluttering syslog. OK, I can use syslog
config to filter user.notice events into a different file, but this does not
prevent syslog from becoming cluttered. Moreover, I tried this, and the
file where I redirected the output grew to more than 200 MB in a couple
of days! :(

3. I'm now trying extd_audit, but the result seems more or less the same,
if not even worse, as it also clutters Samba logs with its output.

4. I've noticed the presence of a "full_audit" module in my installation,
without any docs. I had a look at the source; it contains some docs and
seems interesting, but the docs do not list all available arguments for
its options, and when trying to use it in smb.conf I get some fatal errors
when starting Samba (sorry, I cannot report the exact errors at the moment).

Can anyone shed some light on the subject?
Thanks a lot.




