[Samba] VFS audit

Ryan Taylor rtaylor82 at gmail.com
Thu Feb 2 00:26:22 GMT 2006 

When I use 'vfs objects = audit' then I get nice messages in the syslog like:

Feb  1 17:17:57 tethys smbd_audit[19432]: opendir Workspace
Feb  1 17:17:58 tethys smbd_audit[19432]: open Workspace/test.txt (fd 27)
Feb  1 17:18:00 tethys smbd_audit[19432]: close fd 27
Feb  1 17:17:58 tethys smbd_audit[19432]: open Workspace/test.txt (fd
27) for writing
Feb  1 17:17:58 tethys smbd_audit[19432]: opendir Workspace
Feb  1 17:17:58 tethys smbd_audit[19432]: open Workspace/test.txt (fd 28)
Feb  1 17:17:58 tethys smbd_audit[19432]: close fd 28
Feb  1 17:17:58 tethys smbd_audit[19432]: close fd 27
Feb  1 17:18:02 tethys smbd_audit[19432]: disconnected

#########################################
But with 'audit' it only outputs to the syslog;
If I use 'extd_audit' then it outputs to both syslog and the logfile I
specified ( %U.%m.log )
However not the same... like:
[2006/02/01 17:12:46, 1] modules/vfs_extd_audit.c:audit_opendir(164)
  vfs_extd_audit: opendir Workspace
[2006/02/01 17:16:05, 10] modules/vfs_extd_audit.c:init_module(362)
  vfs_extd_audit: Debug class number of 'extd_audit': 18
[2006/02/01 17:16:07, 10] modules/vfs_extd_audit.c:audit_connect(135)
  Connected to service proj as user mance
[2006/02/01 17:16:07, 10] modules/vfs_extd_audit.c:audit_disconnect(145)
  Disconnected from VFS module extd_audit
[2006/02/01 17:16:07, 10] modules/vfs_extd_audit.c:audit_connect(135)
  Connected to service proj as user mance
[2006/02/01 17:16:05, 10] modules/vfs_extd_audit.c:audit_disconnect(145)
  Disconnected from VFS module extd_audit
######################################################

Not only is it harder to parse but it doesn't show
open/close/edit/etc.. of files and seems completely different than
'audit'.

I am just wondering if there is a way to get 'audit' results into the
logfile other than syslog.

Thank you for any advise and please let me know if I can include any
more examples or information!



On 2/1/06, Jeremy Allison <jra at samba.org> wrote:
> On Wed, Feb 01, 2006 at 03:45:50PM -0500, Ryan Taylor wrote:
> > I would like to turn on auditing for a particular share and have all
> > auditing go to the username.machinename.log files.  If I turn on audit
> > then no matter which way I configure it, it either goes to just syslog,
> > or both.  My goal is to just log to the samba files and take the wieght
> > off of syslog.  I have searched and searched but can't find but a
> > solution that works.  Any help would be greatly
> > appreciated.
> >
> > I have it set now as:
> > ...
> > log level = 0 vfs:2
> > syslog = 0
> > ...
>
> What vfs audit module are you using ? As far as I know the
> all go to syslog.
>
> Jeremy.
>


--
Ryan Taylor
Micro Consultants
770-789-2072
rtaylor82 at gmail.com
"If I had to live my life again, I'd make the same mistakes, only
sooner."  Tallulah Bankhead

More information about the samba mailing list