[Samba] Logging file creation with full_audit
darren.hildebrand at primefocusworld.com
Tue Jun 15 11:26:46 MDT 2010
On 15/06/2010 12:22 PM, Jeremy Allison wrote:
> On Tue, Jun 15, 2010 at 12:20:34PM -0500, Darren Hildebrand wrote:
>> On 15/06/2010 12:09 PM, Jeremy Allison wrote:
>>> On Tue, Jun 15, 2010 at 10:04:57AM -0500, Darren Hildebrand wrote:
>>>> I'm trying to set up a samba server to audit only the file operations
>>>> that I care about, which are create, modify, delete, and rename (for
>>>> files and folders). I've got the full_audit vfs module working well,
>>>> except that I haven't been able to figure out what to set it to log (in
>>>> the "full_audit:success" setting) to include file creation and
>>>> modification. If I log pwrite, then it floods the logs with many
>>>> entries for every single file write, especially when writing large
>>>> files. I get almost 200 messages when writing a 10 MB file. Is there
>>>> something I can log to make it write a single entry on file creation or
>>>> modification? "Write" doesn't seem to log anything, but pwrite is far
>>>> too verbose for my needs.
>>> We don't use "write" anymore - all writes go through pwrite.
>>> You want to log "open", not "pwrite".
>> Thanks, it looks like open is a lot closer to what I'm looking for.
>> Just one more question with that - it looks like "open" logs reads and
>> writes, where I'm really just concerned about writes. I can see that
>> they're distinguished with the "r" and "w" near the end of the log line,
>> but is there any way to log only the "w" entries? I'm sure I could come
>> up with a way to filter it using syslog as well, but I was hoping to be
>> able to not have them sent to syslog in the first place if there's a way
>> to do that.
> Not without code changes to the audit module I'm afraid. What
> you want is to log all opens with the O_CREAT flag set, but
> the audit module isn't specific enough to do that. You'll have
> to filter post logging I'm afraid (or change the "audit_open"
> call to check for the O_CREAT flag in the "flags" variable
> before logging).
All right, I'll find a way to deal with the logging that I'm getting
then. It's already a LOT cleaner than it was with pwrite.
Thanks a lot for your quick and helpful responses!
More information about the samba