[Samba] VFS Extended Auditing output situation

Marco De Vitis starless at spin.it
Tue Feb 8 11:34:32 GMT 2005

I'm using Samba 3.0.10 as file server and PDC for some Win2000 Pro
clients, and I'd like to get detailed and clear logs of file/dir
creation/open/save/deletion on some shares. The standard logs are a bit
"too much" for me. The ideal would be a well balanced setting of the
extd_audit VFS module, but when trying, some months ago, I discovered it
behaved differently than expected, see

Has anything changed since then?
I'm trying it this very moment, using the following global parameters:

        log file = /var/log/samba/%m.%U.log
        syslog = 0
        log level = 0 vfs:2
        max log size = 0

The share I'm interested into has the following parameter:

        vfs objects = recycle extd_audit

...plus some options for recycle, and of course all standard share
definition parameters.

Using this configuration, according to the docs, nothing should go into
syslog, and samba logs should only contain extd_audit output; quoting from
the official howto:

Syslog can be used to record all transaction. This can be disabled by
setting in the smb.conf file syslog = 0.

Logging can take place to the default log file (log.smbd) for all loaded
VFS modules just by setting in the smb.conf file log level = 0 vfs:x,
where x is the log level. This will disable general logging while
activating all logging of VFS module activity at the log level specified.

Detailed logging can be obtained per user, per client machine, etc. This
requires the above together with the creative use of the log file

Instead, here is what I can see:

- extd_audit output is going *to syslog only*, and it does not contain
info about the user who executes the action, which makes it somewhat
useless for multiuser environments; ok, you can find out the user by
looking at the PID, but it's not an easy job if you are searching through
megabytes of old logs;

- almost nothing is logged by extd_audit, regarding file reads! There are
10 users currently connected and working, and in 1 hour only the following
few operations have been logged:

feb  8 11:37:44 gpserver smbd_audit[24489]: open Personali/SMo/Martina/Martina -1-COMPRESSA 2.jpg (fd 26)
feb  8 12:01:52 gpserver smbd_audit[24506]: open rsaenh.dll (fd -1) failed: No such file or directory
feb  8 12:19:39 gpserver smbd_audit[24506]: open quasi.rl4 (fd -1) failed: No such file or directory
feb  8 12:19:39 gpserver smbd_audit[24506]: open sicure.rl4 (fd -1) failed: No such file or directory

...plus many failed opens of Desktop.ini, many opendirs and various
connect/disconnnect messages.
I also expressly asked a user (I'm remotely connected) to open a specific
JPG file in that share, she did (I checked with ls -l --time=atime), and
nothing was logged about it.

- only a few smbd errors are logged into Samba logs in /var/log/samba,
e.g. "couldn't find service" and "string overflow by 1".

This definitely is not the expected behaviour.
Any clues?


..."Have a Little Faith", Bill Frisell 1993

More information about the samba mailing list