[Samba] Samba audit logging not working as expected

Charles c at catcons.co.uk
Tue May 8 09:01:57 MDT 2012

Hi :-)

This is cross-posted from Linux Questions where it has not been answered.

This Samba configuration does not put anything in
/var/log/samba/log.audit as expected. The messages are triplicated into

Here is the global section of smb.conf created by testparm
smb.conf.source > smb.conf (no error messages)
===== smb.conf begins =====
        workgroup = ACUR
        netbios name = LS1
        server string = Server
        map to guest = Bad User
        syslog = 0
        smb ports = 139
        load printers = No
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        remote announce =
        vfs_full_audit:priority = NOTICE
        vfs_full_audit:facility = LOCAL7
        vfs_full_audit:failure = all
        vfs_full_audit:success = all
        vfs_full_audit:prefix = %u|%I|%S
        guest ok = Yes
        vfs objects = full_audit
===== smb.conf ends =====

Here is /etc/rsyslog.d/samba-audit.conf (first line wrapped)
===== samba-audit.conf begins =====
if $syslogfacility-text == 'local7' and $programname == 'smbd' then
& ~
===== samba-audit.conf ends =====

The rsyslog and samba daemons were restarted.

After browsing a share using a WXP system,
/var/log/{messages,syslog,user.log} got messages but
/var/log/samba/log.audit was empty.

This on Debian squeeze with 2:3.5.6~dfsg-3squeeze6 and rsyslog 4.6.4-2.

More information about the samba mailing list