[Samba] Logging file creation with full_audit

Darren Hildebrand darren.hildebrand at primefocusworld.com
Tue Jun 15 11:26:46 MDT 2010


On 15/06/2010 12:22 PM, Jeremy Allison wrote:
> On Tue, Jun 15, 2010 at 12:20:34PM -0500, Darren Hildebrand wrote:
>    
>> On 15/06/2010 12:09 PM, Jeremy Allison wrote:
>>      
>>> On Tue, Jun 15, 2010 at 10:04:57AM -0500, Darren Hildebrand wrote:
>>>
>>>        
>>>> I'm trying to set up a samba server to audit only the file operations
>>>> that I care about, which are create, modify, delete, and rename (for
>>>> files and folders).  I've got the full_audit vfs module working well,
>>>> except that I haven't been able to figure out what to set it to log (in
>>>> the "full_audit:success" setting) to include file creation and
>>>> modification.  If I log pwrite, then it floods the logs with many
>>>> entries for every single file write, especially when writing large
>>>> files.  I get almost 200 messages when writing a 10 MB file.  Is there
>>>> something I can log to make it write a single entry on file creation or
>>>> modification?  "Write" doesn't seem to log anything, but pwrite is far
>>>> too verbose for my needs.
>>>>
>>>>          
>>> We don't use "write" anymore - all writes go through pwrite.
>>> You want to log "open", not "pwrite".
>>>
>>> Jeremy.
>>>
>>>        
>> Thanks, it looks like open is a lot closer to what I'm looking for.
>> Just one more question with that - it looks like "open" logs reads and
>> writes, where I'm really just concerned about writes.  I can see that
>> they're distinguished with the "r" and "w" near the end of the log line,
>> but is there any way to log only the "w" entries?  I'm sure I could come
>> up with a way to filter it using syslog as well, but I was hoping to be
>> able to not have them sent to syslog in the first place if there's a way
>> to do that.
>>      
> Not without code changes to the audit module I'm afraid. What
> you want is to log all opens with the O_CREAT flag set, but
> the audit module isn't specific enough to do that. You'll have
> to filter post logging I'm afraid (or change the "audit_open"
> call to check for the O_CREAT flag in the "flags" variable
> before logging).
>
> Jeremy.
>    

All right, I'll find a way to deal with the logging that I'm getting 
then.  It's already a LOT cleaner than it was with pwrite.

Thanks a lot for your quick and helpful responses!

Darren
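
The post-logging filter suggested in the thread could look like the sketch below; it is an added example, not code from the thread participants or from Samba. It assumes each line has the layout `smbd_audit: <prefix>|<operation>|<result>|<args>` with `full_audit:prefix = %u|%I`, and that `open` entries carry the `r`/`w` marker as the first argument field; the function names are hypothetical and the sample lines are constructed.

```python
import re
import sys

# Assumed layout (not taken from the thread):
#   <syslog header> smbd_audit: <prefix fields>|<op>|<ok or fail (reason)>|<args>
# PREFIX_FIELDS = 2 assumes full_audit:prefix = %u|%I (user|client IP).
AUDIT_RE = re.compile(r"smbd_audit(?:\[\d+\])?: (?P<body>.*)$")
PREFIX_FIELDS = 2
# Non-open operations worth keeping for create/modify/delete/rename auditing.
KEEP_OPS = {"mkdir", "rmdir", "unlink", "rename"}

def parse_audit_line(line, prefix_fields=PREFIX_FIELDS):
    """Return a dict for a full_audit line, or None for anything else."""
    m = AUDIT_RE.search(line.rstrip("\n"))
    if not m:
        return None
    # maxsplit keeps any '|' inside file names within the args field
    parts = m.group("body").split("|", prefix_fields + 2)
    if len(parts) < prefix_fields + 3:
        return None
    op, result, args = parts[prefix_fields:]
    return {"prefix": parts[:prefix_fields], "op": op,
            "ok": result == "ok", "args": args}

def wanted(event):
    """Keep successful write-mode opens and the operations in KEEP_OPS."""
    if event is None or not event["ok"]:
        return False
    if event["op"] == "open":
        # args is "<r|w>|<path>"; only the first field is the mode
        return event["args"].split("|", 1)[0] == "w"
    return event["op"] in KEEP_OPS

def filter_lines(lines):
    return [ln for ln in lines if wanted(parse_audit_line(ln))]

# Constructed sample input (host, user, address and paths are made up).
SAMPLE = [
    "Jun 15 11:30:01 fs1 smbd_audit: darren|192.0.2.10|open|ok|r|projects/plan.txt",
    "Jun 15 11:30:05 fs1 smbd_audit: darren|192.0.2.10|open|ok|w|projects/plan.txt",
    "Jun 15 11:30:09 fs1 smbd_audit: darren|192.0.2.10|open|ok|w|projects/a|b.txt",
    "Jun 15 11:30:12 fs1 smbd_audit: darren|192.0.2.10|pwrite|ok|projects/plan.txt",
    "Jun 15 11:30:20 fs1 smbd_audit: darren|192.0.2.10|rename|ok|projects/plan.txt|projects/plan-v2.txt",
    "Jun 15 11:30:25 fs1 smbd_audit: darren|192.0.2.10|open|fail (Permission denied)|w|projects/locked.txt",
    "Jun 15 11:30:30 fs1 sshd[812]: unrelated line",
]

if __name__ == "__main__":
    # With no piped input, run over the sample; otherwise filter stdin.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for kept in filter_lines(source):
        print(kept.rstrip("\n"))
```

The `w` marker only shows that the file was opened for writing, so this filter keeps creations and modifications together and cannot tell them apart.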