[Samba] 4.1.0 auditing : can't get only wanted vfs operations to log // solved

me at electronico.nc me at electronico.nc
Tue Nov 5 00:33:52 MST 2013


On 05/11/2013 15:54, me at electronico.nc wrote:
> Hi all,
>
> So I'd like to log the user's operations on some shares.
> As I need to know who made what when.
> I'd read a previous answer from Andrew about auditing, so I can see 
> logged operations.
>
> Modified smb.conf :
>> [global]
>> vfs objects = dfs_samba4, acl_xattr, full_audit
>> full_audit:success =none
>> full_audit:failure = none
>
> share is :
>> [journal]
>>         path = /media/data/journal
>>         read only = No
>>         full_audit:prefix = %u|%I|%S
>>         full_audit:success = mkdir rmdir write rename
>>         full_audit:failure = none
>>         full_audit:facility = local5
>>         full_audit:priority = NOTICE
> But I still got things like this in syslog :
>> Nov  5 15:40:55 serveur smbd_audit: 
>> DOMAIN\romain|10.10.20.209|journal|*pread|ok*|2013-11-04/matin/test.doc
>> Nov  5 15:40:55 serveur smbd_audit: 
>> DOMAIN\romain|10.10.20.209|journal|*aio_force|fail 
>> (Succès)*|2013-11-04/matin/test.doc
>> Nov  5 15:40:55 serveur smbd_audit: 
>> DOMAIN\romain|10.10.20.209|journal|*pread|ok*|2013-11-04/matin/test.doc
>> Nov  5 15:40:55 serveur smbd_audit: 
>> DOMAIN\romain|10.10.20.209|journal|close|ok|2013-11-04/matin/test.doc
>> Nov  5 15:40:55 serveur smbd_audit: 
>> DOMAIN\romain|10.10.20.209|journal|*is_offline|fail (Opération non 
>> supportée)*|2013-11-04/matin/test.doc
>> Nov  5 15:40:55 serveur smbd_audit: 
>> DOMAIN\romain|10.10.20.209|journal|open|ok|w|2013-11-04/matin/test.doc
>> Nov  5 15:40:55 serveur smbd_audit: 
>> DOMAIN\romain|10.10.20.209|journal|is_offline|fail (Opération non 
>> supportée)|2013-11-04/matin/test.doc
>> Nov  5 15:44:46 serveur smbd_audit: 
>> DOMAIN\romain|10.10.20.209|journal|*stat|fail (Aucun fichier ou 
>> dossier de ce type)*|2013-11-04/desktop.ini
>> Nov  5 15:44:46 serveur smbd_audit: 
>> DOMAIN\romain|10.10.20.209|journal|*get_real_filename|fail (Opération 
>> non supportée)*|2013-11-04/desktop.ini->(null)
>> Nov  5 15:44:46 serveur smbd_audit: 
>> DOMAIN\romain|10.10.20.209|journal|opendir|ok|2013-11-04
>> Nov  5 15:44:46 serveur smbd_audit: 
>> DOMAIN\romain|10.10.20.209|journal|*translate_name|fail (Opération 
>> non supportée)*|
> I have googled and found this page ( 
> http://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html ).
> I don't understand why all these unwanted VFS operations are logged.
>
> There might be other solutions to proceed, I'm open to any suggestion!
> Thanks in advance for your time.
> Nicolas
>
>
It turns out that Samba needs to be *RESTARTED* and not only reloaded to 
take care of these modifications.
Nicolas
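
An added example, not part of the original message and not Samba's own code: a Python check that parses smbd_audit syslog lines written with the `%u|%I|%S` prefix used above and counts operations that the share's `full_audit:success` / `full_audit:failure` lists should have filtered out. The function names are hypothetical and the sample lines are constructed in the format shown in the message.

```python
import re
from collections import Counter

# Mirrors the [journal] share above: prefix %u|%I|%S,
# full_audit:success = mkdir rmdir write rename, full_audit:failure = none.
WANTED_SUCCESS = {"mkdir", "rmdir", "write", "rename"}
WANTED_FAILURE = set()

# Matches "smbd_audit:" with an optional "[pid]" and captures the record.
LINE_RE = re.compile(r"smbd_audit(?:\[\d+\])?:\s*(?P<body>.*)$")

def parse(line):
    """Return a dict for one smbd_audit syslog line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # user|ip|share|operation|result|arguments; arguments are kept whole
    # because they may themselves contain '|'.
    parts = m.group("body").split("|", 5)
    if len(parts) < 5:
        return None
    user, ip, share, op, result = parts[:5]
    return {"user": user, "ip": ip, "share": share, "op": op,
            "ok": result == "ok", "args": parts[5] if len(parts) > 5 else ""}

def unexpected(lines):
    """Count logged operations that the configured lists should have suppressed."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        allowed = WANTED_SUCCESS if rec["ok"] else WANTED_FAILURE
        if rec["op"] not in allowed:
            counts[(rec["op"], "ok" if rec["ok"] else "fail")] += 1
    return counts

# Constructed sample lines (each record on one line, as syslog writes it).
SAMPLE = [
    r"Nov  5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|pread|ok|2013-11-04/matin/test.doc",
    r"Nov  5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|is_offline|fail (Opération non supportée)|2013-11-04/matin/test.doc",
    r"Nov  5 15:41:02 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|mkdir|ok|2013-11-04/soir",
    r"Nov  5 15:41:09 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|rename|ok|2013-11-04/a.doc|2013-11-04/b.doc",
    r"Nov  5 15:41:15 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|mkdir|fail (Permission denied)|2013-11-04/x",
    r"Nov  5 15:41:20 serveur cron[123]: unrelated line",
]

if __name__ == "__main__":
    for (op, status), n in sorted(unexpected(SAMPLE).items()):
        print(f"{op} ({status}): {n}")
```

Run it over lines logged after the restart: a non-empty result means the running smbd is still using the old audit settings.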

