[Samba] Re: VFS Extended Auditing Module Debug Information

John H Terpstra samba at primastasys.com
Mon Sep 27 18:03:31 GMT 2004

> -------- Original Message --------
> Subject: [Samba] Re: VFS Extended Auditing Module Debug Information
> From: "Marco De Vitis" <starless at spin.it>
> Date: Mon, September 27, 2004 9:44 am
> To: samba at lists.samba.org
> On 23/09/2004, at 8:22, John H Terpstra wrote:
> > Given recent discussion on this list I have just updated the master Samba-Docs
> > information regarding the Debug Class (Log Level) settings and the audit
> Great, thanks!
> Anyway something is still not clear to me. I quote from the updated howto:
> > Logging can take place to the default log file (log.smbd) for all loaded
> > VFS modules just be setting in the smb.conf file log level = 0 vfs:x,
> > where x is the log level. This will disable general logging while
> > activating all logging of VFS module activity at the log level
> > specified.
> Apart from "be" -> "by" (I suppose), does this mean that a global log

Oops. I'll fix that typo.

> level of zero is NECESSARY for correct extd_audit logging? Or is it just a
> suggestion?

Suggestion to keep log noise level down.

> Also, this "vfs:x" parameter looks like a global VFS parameter. Does this
> mean that any other VFS module which outputs debug information (I don't
> know if others exist) will be affected by it?

Correct. All VFS modules will be affected. The alternative is to modify
a VFS module so it will read the log level info and thereby affect 
just its own actions.

> > 	log level = 0 vfs:[012]
> > 	syslog = 0
> > ie:
> > 	log level = 0 vfs:0
> > or	log level = 0 vfs:1
> > or	log level = 0 vfs:2
> >
> > In this example, syslog information will be only critical general samba
> I just tried these settings:
>         log file = /var/log/samba/%m.%U.log
>         syslog = 0
>         log level = 0 vfs:2
>         max log size = 0
> ...and restarted samba (3.0.7), but I still get lots of smbd_audit stuff
> in syslog, and ONLY in syslog (i.e. not in samba logfiles): open, close,
> opendir, rename, chmod...

I've had the same report from others. I'll look into this when I get
some time.

> > Despite recent criticism regarding the difficulty of establishing acceptable
> I'm not critical regarding audit, I'm critical regarding docs about it. ;)


> Let me explain: when using Samba 2.x I expressed on some mailing lists the
> desire for good auditing on file access, and I was told that the audit VFS
> module in Samba 3 was the answer to my problems. I now finally got to use
> Samba 3, but I felt lost regarding the way to obtain usable audit logs,
> and so a bit disappointed.

Understood. I just discovered that someone has been hacking on the
source code and has changed the way it works without updating the
documentation! Argh!

> As far as I can see, this is a fairly popular topic, so maybe it should be
> documented in more detail, covering all doubts users seem to express on
> the subject.
> Anyway your new additions to the howto are already a good step forward, I
> now have a clearer idea of what I should do.

OK. More to follow when I get some time to sort this out.

- John T.

> --
> Ciao,
>   Marco.
> ..."Kid A", Radiohead 2000
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
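
The `log level = 0 vfs:x` form discussed in this thread, resolved into per-class levels. This is an added example, not part of the original message and not Samba code: it shows that the general level and the `vfs` class level are set independently, and that the `vfs` level is one value shared by every loaded VFS module. The function names are hypothetical, the class list is a subset, and the config text is a constructed sample built from the settings quoted above.

```python
# Partial list of Samba debug class names (assumption: a subset for the demo).
KNOWN_CLASSES = ("all", "tdb", "smb", "passdb", "auth", "winbind", "vfs")

def parse_log_level(value):
    """Return {class: effective level} for a value such as '0 vfs:2'."""
    explicit = {}
    for pos, token in enumerate(value.replace(",", " ").split()):
        name, sep, level = token.partition(":")
        if not sep:
            if pos != 0:
                raise ValueError(f"bare level only allowed first: {token!r}")
            name, level = "all", token  # leading bare number sets class 'all'
        name = name.lower()
        if name not in KNOWN_CLASSES or not level.isdigit():
            raise ValueError(f"bad log level token: {token!r}")
        explicit[name] = int(level)
    default = explicit.get("all", 0)
    # Classes without an explicit entry fall back to the 'all' level.
    return {c: explicit.get(c, default) for c in KNOWN_CLASSES}

def global_options(conf_text):
    """Collect [global] options from smb.conf text (simple line parser)."""
    section, opts = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            opts[" ".join(key.lower().split())] = val.strip()
    return opts

def audit_logging_summary(conf_text):
    """Summarise general vs. VFS debug levels and the syslog setting."""
    opts = global_options(conf_text)
    levels = parse_log_level(opts.get("log level", "0"))
    return {"general": levels["all"], "vfs": levels["vfs"], "syslog": opts.get("syslog")}

# Constructed sample, using the settings quoted in the thread.
SAMPLE = """
[global]
    log file = /var/log/samba/%m.%U.log
    syslog = 0
    log level = 0 vfs:2
    max log size = 0
"""
if __name__ == "__main__":
    print(audit_logging_summary(SAMPLE))
```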