[Samba] human understandable log format?

Jeremy Allison jra at samba.org
Wed May 25 08:36:00 MDT 2011


On Wed, May 25, 2011 at 04:29:51PM +0200, Andreas Heinlein wrote:
> Am 25.05.2011 15:45, schrieb ion coting:
> > Anyone... help!?
> >
> > On Thu, May 19, 2011 at 4:19 PM, ion coting <ioncoting at gmail.com> wrote:
> >
> >> Hi,
> >> I would like to look at a logfile containing simple summary lines like
> >> this:
> >>
> >> timestamp - client ip - user - action (eg. login, connect to a share) -
> >> result (ok, password wrong, permission denied, io error, etc)
> >>
> >> I find log.smb and log.nmb very complicated and smbaudit too; also i would
> >> like to have all this information in a single log gile.
> >>
> >> How can I achieve this? Is there any native samba combination of options in
> >> smb.conf that can result in achieving this type of log? Can (and how?) I
> >> configure samba in such a way that some external tools can parse and extract
> >> this information from logfiles?
> >>
> >> thank you
> >>
> >>
> 
> I'd like to see this too, but I don't think it's possible. I have wasted
> several hours when debugging samba problems and dealing with
> hard-to-read logfiles. But there is no way to configure logging except
> for the amount (log level) and destination.
> 
> It may help a bit to use substitutions in the log file destinations, so
> e.g.using "log file = /var/log/samba/log.%I.%U" in your smb.conf will
> create one log file per client and user on the server, like
> /var/log/samba/log.10.0.0.24.bob for user bob on client 10.0.0.24.
> Still, it's sometimes difficult to get actions and results sorted out.

What would really help is if someone went through the "things"
that Samba does, and comes out with a list of "user loggable"
events, such as "user logged on", "connection dropped", "connected
to share" etc. If the list were small enough (i.e. so it didn't
turn into a parallel debug system) we could then instrument
the code at these points, then emit event-log records that
were readable by the Windows event log viewer (or a UNIX
equivalent) - or even to a separate "user events" log file
(or syslog).

It would have to be a limited list, and not include IO
events (opening file, read file etc.) as these are better
handled by the audit modules, or when we add the audit ACLs,
the audit ACL logging.

Someone from HP (not mentioning any names here but he might
remember who he is :-) did promise a couple of years ago at
SambaXP to do this, but I'm guessing he didn't have time.

If someone came up with this I'd certainly help push it
into the code.

Jeremy.


More information about the samba mailing list