[Samba] Tracking file activity

Ray Anderson rsa at rb-com.com
Mon Jul 30 16:24:56 GMT 2007

Been using it for a while now:

smb.conf entry:
# turn on auditing
vfs objects = audit

In the Samba howto collection, section 21.3:

21.3 Included Modules
21.3.1 audit
21.3.2 extd audit

And just for completeness:

21.3.1 audit
A simple module to audit file access to the syslog facility. The 
following operations are
• share
• connect/disconnect
• directory opens/create/remove
• file open/close/rename/unlink/chmod
21.3.2 extd audit
This module is identical with the audit module above except that it 
sends audit logs to
both syslog as well as the smbd log files. The log level for this module 
is set in the smb.
conf file.
Valid settings and the information that will be recorded are shown in 
the next table. Configuration of Auditing
This auditing tool is more felxible than most people readily will 
recognize. There are a
number of ways by which useful logging information can be recorded.
• Syslog can be used to record all transaction. This can be disabled by 
setting in the
smb.conf file syslog = 0.

Section 21.3. Included Modules
Table 21.1. Extended Auditing Log Information
Log Level Log Details - File and Directory Operations
0 Make Directory, Remove Directory, Unlink
1 Open Directory, Rename File, Change Permissions/ACLs
2 Open & Close File
10 Maximum Debug Level
• Logging can take place to the default log file (log.smbd) for all 
loaded VFS modules
just by setting in the smb.conf file log level = 0 vfs:x, where x is the 
log level.
This will disable general logging while activating all logging of VFS 
module activity
at the log level specified.
• Detailed logging can be obtained per user, per client machine, etc. 
This requires the
above together with the creative use of the log file settings.
An example of detailed per-user and per-machine logging can be obtained 
by setting
log level = /var/log/samba/%U.%m.log.
Auditing information often must be preserved for a long time. So that 
the log files do not
get rotated it is essential that the max log size = 0 be set in the 
smb.conf file.

Ryan Steele wrote:
> Hey List,
> I was wondering if and how one would go about tracking file activity 
> on a Samba server, for basic auditing purposes. I'd ideally like to 
> see what files where edited, by whom and when. I've done some RTFM and 
> a bit of searching around the 'net, but haven't found anything yet. 
> Even pointers to documentation on the subject would be welcome. Thanks 
> in advance for any tips!
> Best Regards,
> Ryan

More information about the samba mailing list