[Samba] A lot of messages in full_audit log

Rowland Penny rowlandpenny at googlemail.com
Sun Jan 4 10:47:04 MST 2015


On 04/01/15 16:30, Thiago Tenório wrote:
> Hi,
>
> I'm using full_audit vfs module and I'm seeing a lot of duplicated messages
> in log file. Why does it happen?
> How can I configure the smb.conf not to log duplicated information?
>
> Duplicated log:
>
> Jan  4 13:27:50 server smbd_audit: [2015/01/04
> 13:27:50|semirames|samba-admin|192.168.0.3|setores]|pread|ok|Atendimento/James.txt
> Jan  4 13:27:50 server smbd_audit: [2015/01/04
> 13:27:50|semirames|samba-admin|192.168.0.3|setores]|pread|ok|Atendimento/James.txt
> Jan  4 13:27:50 server smbd_audit: [2015/01/04
> 13:27:50|semirames|samba-admin|192.168.0.3|setores]|pread|ok|Atendimento/James.txt
> Jan  4 13:27:50 server smbd_audit: [2015/01/04
> 13:27:50|semirames|samba-admin|192.168.0.3|setores]|pread|ok|Atendimento/James.txt
>
> My smb.conf:
>
> # Global parameters
> [global]
>          workgroup = BASE
>          realm = BASE.LOCAL
>          netbios name = SERVER
>          server role = active directory domain controller
>          dns forwarder = 192.168.0.3
>
>          smb ports = 139
>
>          vfs objects = acl_xattr full_audit
>          full_audit:prefix = [%T|%U|%m|%I|%S]
>          full_audit:success = connect mkdir rmdir rename unlink fset_nt_acl fsetxattr pread pwrite
>          full_audit:failure = none
>          full_audit:facility = local1
>          full_audit:priority = debug
>
> [...]
>
>

OK, if your realm really does end in .local, this makes you number 4 
this week. You should not use .local; see the wiki.

Also, by adding 'vfs objects = acl_xattr full_audit' to smb.conf you have 
turned off 'dfs_samba4'. The correct line should be:

'vfs objects = dfs_samba4, acl_xattr, full_audit'

You need to add to the default line or you turn off the defaults.

Unfortunately, I do think 'full_audit' works with a samba4 AD DC.

Rowland
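
One way to collapse the repeated records when reviewing the audit log afterwards, as an added example that is not part of the original thread: it parses syslog lines written with the `full_audit:prefix = [%T|%U|%m|%I|%S]` setting quoted above and merges consecutive identical records into one entry with a count. The function names are hypothetical, and the last two sample lines are constructed.

```python
import re

# Matches a syslog line written by full_audit with the prefix from the post:
#   full_audit:prefix = [%T|%U|%m|%I|%S]
# followed by |operation|result|arguments
LINE_RE = re.compile(
    r"smbd_audit: \[(?P<time>[^|\]]+)\|(?P<user>[^|\]]*)\|(?P<machine>[^|\]]*)"
    r"\|(?P<ip>[^|\]]*)\|(?P<share>[^|\]]*)\]"
    r"\|(?P<op>[^|]+)\|(?P<result>[^|]+)\|(?P<args>.*)$"
)

def parse(line):
    """Return the audit fields as a dict, or None for non-audit lines."""
    m = LINE_RE.search(line.rstrip("\n"))
    return m.groupdict() if m else None

def collapse(lines):
    """Merge runs of consecutive identical records into (record, count)."""
    runs = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                    # skip unrelated syslog lines
        if runs and runs[-1][0] == rec:
            runs[-1][1] += 1            # same second, user, op and path
        else:
            runs.append([rec, 1])
    return [(rec, count) for rec, count in runs]

# The pread line from the post (unwrapped), repeated four times as in the
# post, then two constructed lines: a pwrite record and an unrelated message.
SAMPLE = [
    "Jan  4 13:27:50 server smbd_audit: [2015/01/04 13:27:50|semirames|"
    "samba-admin|192.168.0.3|setores]|pread|ok|Atendimento/James.txt"
] * 4 + [
    "Jan  4 13:27:51 server smbd_audit: [2015/01/04 13:27:51|semirames|"
    "samba-admin|192.168.0.3|setores]|pwrite|ok|Atendimento/James.txt",
    "Jan  4 13:27:52 server smbd[1234]: constructed unrelated message",
]

if __name__ == "__main__":
    for rec, count in collapse(SAMPLE):
        print(f"{rec['time']} {rec['user']}@{rec['ip']} {rec['share']} "
              f"{rec['op']} {rec['result']} {rec['args']} x{count}")
```

This only post-processes the log; it does not change what smbd writes, and the per-record count is kept so that no audit information is lost.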


