[Samba] Tracking file activity
Ray Anderson
rsa at rb-com.com
Mon Jul 30 16:24:56 GMT 2007
Been using it for a while now:
smb.conf entry:
# turn on auditing
vfs objects = audit
In the Samba howto collection, section 21.3:
21.3 Included Modules
21.3.1 audit
21.3.2 extd audit
And just for completeness:
21.3.1 audit
A simple module to audit file access to the syslog facility. The following operations are logged:
• share
• connect/disconnect
• directory opens/create/remove
• file open/close/rename/unlink/chmod
21.3.2 extd audit
This module is identical with the audit module above except that it sends audit logs to both syslog as well as the smbd log files. The log level for this module is set in the smb.conf file.
Valid settings and the information that will be recorded are shown in the next table.

Table 21.1. Extended Auditing Log Information

Log Level   Log Details - File and Directory Operations
0           Make Directory, Remove Directory, Unlink
1           Open Directory, Rename File, Change Permissions/ACLs
2           Open & Close File
10          Maximum Debug Level

21.3.2.1 Configuration of Auditing
This auditing tool is more flexible than most people readily will recognize. There are a number of ways by which useful logging information can be recorded.
• Syslog can be used to record all transactions. This can be disabled by setting in the smb.conf file syslog = 0.
• Logging can take place to the default log file (log.smbd) for all loaded VFS modules just by setting in the smb.conf file log level = 0 vfs:x, where x is the log level. This will disable general logging while activating all logging of VFS module activity at the log level specified.
• Detailed logging can be obtained per user, per client machine, etc. This requires the above together with the creative use of the log file settings.
An example of detailed per-user and per-machine logging can be obtained by setting log level = /var/log/samba/%U.%m.log.
Auditing information often must be preserved for a long time. So that the log files do not get rotated it is essential that the max log size = 0 be set in the smb.conf file.
Ryan Steele wrote:
> Hey List,
>
> I was wondering if and how one would go about tracking file activity
> on a Samba server, for basic auditing purposes. I'd ideally like to
> see what files were edited, by whom and when. I've done some RTFM and
> a bit of searching around the 'net, but haven't found anything yet.
> Even pointers to documentation on the subject would be welcome. Thanks
> in advance for any tips!
>
> Best Regards,
> Ryan
>
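
The settings described in the quoted HOWTO section, put together as one smb.conf fragment. This is an added example, not part of the original post or the Samba documentation; the share name [projects] and its path are hypothetical, and the per-user file path is given with the "log file" parameter, which is the smb.conf parameter that takes a path.

```ini
# Added example (not from the original post). Share name and path are
# hypothetical placeholders.

[global]
    # General smbd logging off (0), VFS module logging at level 2.
    # Samba debug levels are cumulative, so level 2 records everything in
    # rows 0, 1 and 2 of Table 21.1: mkdir/rmdir/unlink, opendir/rename/
    # permission and ACL changes, and file open/close.
    log level = 0 vfs:2

    # One log file per user and per client machine.
    # %U = session user name, %m = NetBIOS name of the client machine.
    log file = /var/log/samba/%U.%m.log

    # 0 disables size-based rotation, so audit history is not discarded.
    # The files then grow without bound: monitor free space on the log
    # volume and archive old logs with an external process.
    max log size = 0

[projects]
    path = /srv/samba/projects
    read only = no

    # extd_audit is the module described in section 21.3.2: it writes to
    # the smbd log files as well as syslog. Use "audit" instead for
    # syslog-only logging (section 21.3.1).
    vfs objects = extd_audit
```

Running testparm after the change checks the file for syntax errors before smbd is reloaded. The log directory should be writable only by root, since users whose activity is being audited must not be able to alter the record.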