[Samba] Tracking file activity

Ryan Steele steele at agora-net.com
Mon Jul 30 17:00:18 GMT 2007


Ray Anderson wrote:
> Been using it for a while now:
>
> smb.conf entry:
> # turn on auditing
> vfs objects = audit
>
> In the Samba howto collection, section 21.3:
>
> 21.3 Included Modules
> 21.3.1 audit
> 21.3.2 extd audit
>
> And just for completeness:
>
> 21.3.1 audit
> A simple module to audit file access to the syslog facility. The 
> following operations are
> logged:
> • share
> • connect/disconnect
> • directory opens/create/remove
> • file open/close/rename/unlink/chmod
> 21.3.2 extd audit
> This module is identical with the audit module above except that it 
> sends audit logs to
> both syslog as well as the smbd log files. The log level for this
> module is set in the smb.conf file.
> Valid settings and the information that will be recorded are shown in 
> the next table.
> 21.3.2.1 Configuration of Auditing
> This auditing tool is more flexible than most people readily will 
> recognize. There are a
> number of ways by which useful logging information can be recorded.
> • Syslog can be used to record all transactions. This can be disabled 
> by setting in the
> smb.conf file syslog = 0.
>
> Table 21.1. Extended Auditing Log Information
>
> Log Level   Log Details - File and Directory Operations
> 0           Make Directory, Remove Directory, Unlink
> 1           Open Directory, Rename File, Change Permissions/ACLs
> 2           Open & Close File
> 10          Maximum Debug Level
>
> • Logging can take place to the default log file (log.smbd) for all 
> loaded VFS modules
> just by setting in the smb.conf file log level = 0 vfs:x, where x is 
> the log level.
> This will disable general logging while activating all logging of VFS 
> module activity
> at the log level specified.
> • Detailed logging can be obtained per user, per client machine, etc. 
> This requires the
> above together with the creative use of the log file settings.
> An example of detailed per-user and per-machine logging can be 
> obtained by setting
> log level = /var/log/samba/%U.%m.log.
> Auditing information often must be preserved for a long time. So that 
> the log files do not
> get rotated it is essential that the max log size = 0 be set in the 
> smb.conf file.
>
>
>
> Ryan Steele wrote:
>> Hey List,
>>
>> I was wondering if and how one would go about tracking file activity 
>> on a Samba server, for basic auditing purposes. I'd ideally like to 
>> see what files were edited, by whom and when. I've done some RTFM 
>> and a bit of searching around the 'net, but haven't found anything 
>> yet. Even pointers to documentation on the subject would be welcome. 
>> Thanks in advance for any tips!
>>
>> Best Regards,
>> Ryan
>>

Ray,

I appreciate your advice.  I am experimenting with an implementation of 
the extd_audit module now on a test cluster - thanks for pointing me in 
the direction of the HOWTO,  I should have looked there before bumping 
the list.  Thanks again.

Ryan

-- 
Ryan Steele
Systems Administrator
Greater Philadelphia Area
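
An added example, not part of the original thread or of Samba's own code: a Python check of an smb.conf text against the auditing settings quoted above (an audit module loaded for each share, the vfs log level read against Table 21.1, and max log size = 0). The `review` helper, share names and paths are made up for illustration, and the table's levels are assumed to be cumulative.

```python
import configparser

# Table 21.1 as quoted in the thread: what extd_audit records per vfs log level.
# Treated as cumulative (assumption: a higher level includes the lower ones).
LEVEL_OPS = {0: "mkdir/rmdir/unlink", 1: "opendir/rename/chmod+ACL", 2: "open/close"}
AUDIT_MODULES = {"audit", "extd_audit"}

def vfs_level(log_level):
    """Return x from a 'vfs:x' token in a 'log level' value, or None."""
    for tok in log_level.split():
        if tok.startswith("vfs:") and tok[4:].isdigit():
            return int(tok[4:])
    return None

def review(conf_text):
    """Check an smb.conf text against the auditing settings in the thread."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    glob = dict(cp["global"]) if cp.has_section("global") else {}
    findings = []
    for share in (s for s in cp.sections() if s != "global"):
        # A share inherits 'vfs objects' from [global] unless it sets its own.
        mods = cp[share].get("vfs objects", glob.get("vfs objects", "")).split()
        if not AUDIT_MODULES & set(mods):
            findings.append(f"[{share}] no audit module in vfs objects")
    level = vfs_level(glob.get("log level", ""))
    if level is None:
        findings.append("[global] log level has no vfs:x class setting")
    else:
        missing = [ops for lvl, ops in LEVEL_OPS.items() if lvl > level]
        if missing:
            findings.append(f"[global] vfs:{level}: extd_audit omits " + ", ".join(missing))
    if glob.get("max log size", "").strip() != "0":
        findings.append("[global] max log size is not 0; audit logs will rotate")
    return findings

# Constructed sample configuration (share names and paths are made up).
SAMPLE = """
[global]
log level = 0 vfs:1
max log size = 1000
[projects]
vfs objects = extd_audit
[scratch]
path = /srv/scratch
"""

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```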
