[Samba] VFS Extended Auditing Module Debug Information

rruegner robert at ruegner.org
Thu Sep 23 12:40:15 GMT 2004


Hi John,
I just tried your examples with SuSE 9.0, Samba 3.07.

In globals:
         log file = /var/log/samba/%m.log
         log level = vfs:2
         syslog = 0
works, but I have only create and rename messages in the log;
a deletion is named unlinked (sounds like a miracle to me).

         log file = /var/log/samba/%U.%m.log
creates test.testmachine.log,
but only extd_audit is written to .testmachine.log
(%U.%m.log: this doesn't work).

I have it like this in the share:
[files3]
         comment = public files
         path = /files3
         read only = No
         guest ok = Yes
         browseable = Yes
         csc policy = disable
         vfs objects = vscan-clamav, netatalk, extd_audit, recycle
         recycle:keeptree = yes
         recycle:versions = yes
         recycle:touch = yes
         recycle:exclude = ?~$*,~$*,*.tmp,index*.pl,index*.htm*,*.temp,*.TMP
         recycle:exclude_dir = /tmp,/temp,/cache
         recycle:repository = .recycle/.recycle.%u
         recycle:noversions = *.doc,*.xls,*.ppt

Where's my mistake?
And do you know what this full_audit module is?

-----------
[2004/09/23 14:37:14, 1] modules/vfs_extd_audit.c:audit_fchmod_acl(322)
   vfs_extd_audit: fchmod_acl Neu Textdokument.txt mode 0x1e4 failed: 
Keine Daten verfügbarvfs_extd_audit: opendir ./
[2004/09/23 14:37:14, 1] modules/vfs_extd_audit.c:audit_opendir(141)

[2004/09/23 14:37:40, 1] modules/vfs_extd_audit.c:audit_rename(232)
   vfs_extd_audit: rename old: ./Neu Textdokument.txt new: ./testfile.txt
[2004/09/23 14:37:40, 1] modules/vfs_extd_audit.c:audit_opendir(141)

[2004/09/23 14:37:45, 0] modules/vfs_extd_audit.c:audit_unlink(250)
   vfs_extd_audit: unlink testfile.txt
[2004/09/23 14:37:45, 1] modules/vfs_extd_audit.c:audit_opendir(141)
-------------

log level = 0 vfs:2 produces nothing in the logs

Regards

John H Terpstra wrote:
> Folks,
> 
> Given recent discussion on this list I have just updated the master Samba-Docs 
> information regarding the Debug Class (Log Level) settings and the audit 
> information each causes to be logged. This will appear in on-line versions of 
> the Samba-HOWTO-Collection within 24 hours. To obtain an updated version 
> point your browser at: 
> 	http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
> 
> The purpose of the extd_audit (Extended Audit) module is to permit logging of 
> critical file and directory access to BOTH syslog as well as to individual 
> log files. To create individual log files you can use:
> 
> 	log file = /var/log/samba/%U.%m.log
> 	log level = 0 vfs:[012]
> 	syslog = 0
> i.e.:
> 	log level = 0 vfs:0
> or	log level = 0 vfs:1
> or	log level = 0 vfs:2
> 
> In this example, syslog information will be only critical general samba 
> information, plus full detail for all VFS modules up to the log level 
> specified.
> 
> Please refer to the documentation in the VFS Modules chapter - the information 
> logged has changed from what was previously documented.
> 
> This will create an individual per-user-per-client log of all level 0, 1, or 2
> actions. See also the updated chapter on Debugging Samba (Chapter 34.3.1).
> 
> Despite recent criticism regarding the difficulty of establishing acceptable 
> auditing logs, this module is in use in a number of sites that require strict 
> auditability of file and directory operations.
> 
> Enjoy.
> 
> - John T.
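
The log excerpt in the message above has a bracketed header (timestamp, debug level, source function) followed by a `vfs_extd_audit:` message, and in one place a failed call's message runs straight into the next one. As an added example (not part of either mail and not Samba code), this parser turns that excerpt into audit records. The record field names, the `ACTION` map and the `visible_at` helper are assumptions made for illustration, and `visible_at` assumes a message is recorded when its header level is at or below the `vfs:N` value.

```python
import re

# Header Samba writes before each debug message: [date time, level] file:function(line)
HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+\S+:(\w+)\(\d+\)[ \t]*$", re.M)
# One audit message; the lookahead splits messages that ran together on one line.
MESSAGE = re.compile(r"vfs_extd_audit: (\w+) ?(.*?)(?=vfs_extd_audit: |$)")
# extd_audit logs the VFS operation name, so a file deletion shows up as "unlink".
ACTION = {"unlink": "delete"}

# Log excerpt copied from the message above.
SAMPLE = """\
[2004/09/23 14:37:14, 1] modules/vfs_extd_audit.c:audit_fchmod_acl(322)
   vfs_extd_audit: fchmod_acl Neu Textdokument.txt mode 0x1e4 failed:
Keine Daten verfügbarvfs_extd_audit: opendir ./
[2004/09/23 14:37:14, 1] modules/vfs_extd_audit.c:audit_opendir(141)

[2004/09/23 14:37:40, 1] modules/vfs_extd_audit.c:audit_rename(232)
   vfs_extd_audit: rename old: ./Neu Textdokument.txt new: ./testfile.txt
[2004/09/23 14:37:40, 1] modules/vfs_extd_audit.c:audit_opendir(141)

[2004/09/23 14:37:45, 0] modules/vfs_extd_audit.c:audit_unlink(250)
   vfs_extd_audit: unlink testfile.txt
[2004/09/23 14:37:45, 1] modules/vfs_extd_audit.c:audit_opendir(141)
"""

def parse_audit(text):
    """Return one record per vfs_extd_audit message, tagged from the header above it."""
    events = []
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = " ".join(text[h.end():end].split())  # rejoin wrapped message lines
        ts, level, func = h.groups()
        for op, args in MESSAGE.findall(body):
            events.append({
                "time": ts, "level": int(level), "op": op, "args": args.strip(),
                "action": ACTION.get(op, op),
                # True when the message ran on after a different call's header
                "displaced": func != "audit_" + op,
            })
    return events

def visible_at(events, vfs_level):
    """Operations recorded under 'log level = 0 vfs:N', going by the header levels."""
    return [e["op"] for e in events if e["level"] <= vfs_level]

if __name__ == "__main__":
    for event in parse_audit(SAMPLE):
        print(event)
```

A record with `displaced` set carries the timestamp and level of the header it followed, not of its own call, so treat those two fields as approximate for that record.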

