[Samba] Re: Audit

Marco De Vitis starless at spin.it
Tue Sep 21 14:05:08 GMT 2004

Il 20/09/2004, alle ore 15:55, rruegner ha scritto:

> hi, i have something like this in the logs
> [2004/04/22 08:35:55, 2] smbd/open.c:open_file(240)
>    tanrit opened file tanrit/Vorlagen/winword2.doc read=Yes write=No 
> (numopen=5)
>   so its user time file what else do you miss?

Some actions are not logged.
My need came when an empty directory appeared from nowhere in the root of
a samba share. My boss asked me to check what happened, but I could find
no trace at all of the dir creation.

Indeed, I just tried with Samba 3.0.7, log level = 2 and extd_audit
active: from a Win2000 client I created and then deleted a directory
inside a share, and nothing about this was logged.

So it seems also audit modules are useless to me. :-/

Maybe more actions would be logged if using log level = 3, but this also
creates loads of uninteresting (to me) log lines.

The man page for smb.conf says that "This parameter has been extended
since the 2.2.x series, now it allow to specify the debug level for
multiple debug classes", but how can I know which debug classes are
available to use, and how log level values affect them regarding logged

> i tried to set
> /var/log/samba/%U.%m.log
> to have user at machine log but this fails, i guess of massive logging 

That's strange, I have almost the same setting and it works fine:
log file = /var/log/samba/%m.%U.log


..."Uncle Moe's Space Ranch", Garsed/Helmeric/Willis/Chambers/Kinsey 2001

More information about the samba mailing list