[Samba] 4.1.0 auditing : can't get only wanted vfs operations to log // solved
me at electronico.nc
Tue Nov 5 00:33:52 MST 2013
On 05/11/2013 15:54, me at electronico.nc wrote:
> Hi all,
>
> So I'd like to log the user's operations on some shares.
> As I need to know who made what when.
> I'd read a previous answer from Andrew about auditing, so I can see
> logged operations.
>
> Modified smb.conf :
>> [global]
>> vfs objects = dfs_samba4, acl_xattr, full_audit
>> full_audit:success =none
>> full_audit:failure = none
>
> share is :
>> [journal]
>> path = /media/data/journal
>> read only = No
>> full_audit:prefix = %u|%I|%S
>> full_audit:success = mkdir rmdir write rename
>> full_audit:failure = none
>> full_audit:facility = local5
>> full_audit:priority = NOTICE
> But I still got things like this in syslog :
>> Nov 5 15:40:55 serveur smbd_audit:
>> DOMAIN\romain|10.10.20.209|journal|*pread|ok*|2013-11-04/matin/test.doc
>> Nov 5 15:40:55 serveur smbd_audit:
>> DOMAIN\romain|10.10.20.209|journal|*aio_force|fail
>> (Succès)*|2013-11-04/matin/test.doc
>> Nov 5 15:40:55 serveur smbd_audit:
>> DOMAIN\romain|10.10.20.209|journal|*pread|ok*|2013-11-04/matin/test.doc
>> Nov 5 15:40:55 serveur smbd_audit:
>> DOMAIN\romain|10.10.20.209|journal|close|ok|2013-11-04/matin/test.doc
>> Nov 5 15:40:55 serveur smbd_audit:
>> DOMAIN\romain|10.10.20.209|journal|*is_offline|fail (Opération non
>> supportée)*|2013-11-04/matin/test.doc
>> Nov 5 15:40:55 serveur smbd_audit:
>> DOMAIN\romain|10.10.20.209|journal|open|ok|w|2013-11-04/matin/test.doc
>> Nov 5 15:40:55 serveur smbd_audit:
>> DOMAIN\romain|10.10.20.209|journal|is_offline|fail (Opération non
>> supportée)|2013-11-04/matin/test.doc
>> Nov 5 15:44:46 serveur smbd_audit:
>> DOMAIN\romain|10.10.20.209|journal|*stat|fail (Aucun fichier ou
>> dossier de ce type)*|2013-11-04/desktop.ini
>> Nov 5 15:44:46 serveur smbd_audit:
>> DOMAIN\romain|10.10.20.209|journal|*get_real_filename|fail (Opération
>> non supportée)*|2013-11-04/desktop.ini->(null)
>> Nov 5 15:44:46 serveur smbd_audit:
>> DOMAIN\romain|10.10.20.209|journal|opendir|ok|2013-11-04
>> Nov 5 15:44:46 serveur smbd_audit:
>> DOMAIN\romain|10.10.20.209|journal|*translate_name|fail (Opération
>> non supportée)*|
> I have googled and found this page (
> http://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html ).
> I don't understand why all these unwanted VFS operations are logged.
>
> There might be other solutions to proceed, I'm open to any suggestion!
> Thanks in advance for your time.
> Nicolas
>
>
It turns out that Samba needs to be *RESTARTED* and not only reloaded to
take care of these modifications.
Nicolas
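
A way to check, after the restart, that the per-share filter is really in effect. This is an added example, not part of the original post or of Samba: it parses `smbd_audit` lines written with the `%u|%I|%S` prefix and counts operations that the `[journal]` settings should have dropped. The sample log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Per-share settings taken from the [journal] section quoted above.
EXPECTED_SUCCESS = {"mkdir", "rmdir", "write", "rename"}
EXPECTED_FAILURE = set()  # full_audit:failure = none

# Constructed sample lines (one record per line), prefix %u|%I|%S.
SAMPLE_LOG = r"""
Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|pread|ok|2013-11-04/matin/test.doc
Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|open|ok|w|2013-11-04/matin/test.doc
Nov 5 15:41:02 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|mkdir|ok|2013-11-04/soir
Nov 5 15:41:09 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|rename|ok|a.doc|b.doc
Nov 5 15:44:46 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|translate_name|fail (Opération non supportée)|
Nov 5 15:44:47 serveur smbd[1234]: unrelated daemon message
"""

RECORD = re.compile(r"smbd_audit: (.*)$")

def parse_record(line):
    """Split one syslog line into its audit fields, or return None."""
    match = RECORD.search(line)
    if not match:
        return None
    fields = match.group(1).split("|")
    if len(fields) < 5:  # user, ip, share, operation, result are mandatory
        return None
    user, ip, share, op, result = fields[:5]
    # result is "ok" or "fail (<error text>)"; anything after it is the operation's arguments
    return {"user": user, "ip": ip, "share": share, "op": op,
            "ok": result == "ok", "args": fields[5:]}

def unexpected_operations(log_text, share):
    """Count (operation, status) pairs logged for `share` that the filter should have dropped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["share"] != share:
            continue
        allowed = EXPECTED_SUCCESS if rec["ok"] else EXPECTED_FAILURE
        if rec["op"] not in allowed:
            counts[(rec["op"], "ok" if rec["ok"] else "fail")] += 1
    return counts

if __name__ == "__main__":
    for (op, status), n in sorted(unexpected_operations(SAMPLE_LOG, "journal").items()):
        print(f"{op:16} {status:4} {n}")
```

An empty result for entries written after the restart means the share-level `full_audit:success` and `full_audit:failure` lists are being applied.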