[Samba] Extended Auditing Module working as described now

rruegner robert at ruegner.org
Thu Sep 30 01:06:13 GMT 2004


Hi @ll and John
log level = 2 vfs:1
log file = /var/log/samba/%U.%m.log
syslog = 0
now works ,as i wanted the logs to be
Thx


John H Terpstra schrieb:
>>-------- Original Message --------
>>Subject: [Samba] Re: VFS Extended Auditing Module Debug Information
>>From: "Marco De Vitis" <starless at spin.it>
>>Date: Mon, September 27, 2004 9:44 am
>>To: samba at lists.samba.org
>>
>>Il 23/09/2004, alle ore 8:22, John H Terpstra ha scritto:
>>
>>
>>>Given recent discussion on this list I have just updated the master Samba-Docs
>>>information regarding the Debug Class (Log Level) settings and the audit
>>
>>Great, thanks!
>>
>>Anyway something is still not clear to me. I quote from the updated howto:
>>
>>
>>>Logging can take place to the default log file (log.smbd) for all loaded
>>>VFS modules just be setting in the smb.conf file log level = 0 vfs:x,
>>>where x is the log level. This will disable general logging while
>>>activating all logging of VFS module activity at the log level
>>>specified.
>>
>>Apart from "be" -> "by" (I suppose), does this mean that a global log
> 
> 
> Oops. I'll fix that typo.
> 
> 
>>level of zero is NECESSARY for correct extd_audit logging? Or is it just a
>>suggestion?
> 
> 
> Suggestion to keep log noise level down.
> 
> 
>>Also, this "vfs:x" parameter looks like a global VFS parameter. Does this
>>mean that any other VFS module which outputs debug information (I don't
>>know if others exist) will be affected by it?
> 
> 
> Correct. All VFS modules will be affected. The alternative is to modify
> a VFS module so it will read the log level info and thereby affect 
> just its own actions.
> 
> 
>>>	log level = 0 vfs:[012]
>>>	syslog = 0
>>>ie:
>>>	log level = 0 vfs:0
>>>or	log level = 0 vfs:1
>>>or	log level = 0 vfs:2
>>>
>>>In this example, syslog information will be only critical general samba
>>
>>I just tried these settings:
>>
>>        log file = /var/log/samba/%m.%U.log
>>        syslog = 0
>>	log level = 0 vfs:2
>>	max log size = 0
>>
>>...and restarted samba (3.0.7), but I still get lots of smbd_audit stuff
>>in syslog, and ONLY in syslog (i.e. not in samba logfiles): open, close,
>>opendir, rename, chmod...
> 
> 
> 
> I've had the same report from others. I'll look into this when I get
> some time.
> 
> 
>>>Despite recent criticism regarding the difficulty of establishing acceptable
>>
>>I'm not critic regarding audit, I'm critic regarding docs about it. ;)
> 
> 
> ;)
> 
> 
>>Let me explain: when using Samba 2.x I expressed on some mailing lists the
>>desire for good auditing on file access, and I was told that the audit VFS
>>module in Samba 3 was the answer to my problems. I now finally got to use
>>Samba 3, but I felt lost regarding the way to obtain usable audit logs,
>>and so a bit disappointed.
> 
> 
> Understood. I just discovered that someone has been hacking on the
> source code and has changed the way it works without updating the
> documentation! Argh!
> 
> 
>>As far as I can see, this is a fairly popular topic, so maybe it should be
>>documented in more detail, covering all doubts users seem to express on
>>the subject.
>>Anyway your new additions to the howto are already a good step forward, I
>>now have a clearer idea of what I should do.
> 
> 
> OK. More to follow when I get some time to sort this out.
> 
> - John T.
> 
> 
>>--
>>Ciao,
>>  Marco.
>>
>>..."Kid A", Radiohead 2000
>>
>>--
>>To unsubscribe from this list go to the following URL and read the
>>instructions:  http://lists.samba.org/mailman/listinfo/samba
> 
> 


More information about the samba mailing list