[Samba] Samba Audit Logs
Ethy H. Brito
ethy.brito at inexo.com.br
Sat May 5 14:11:21 UTC 2018
On Sat, 5 May 2018 23:40:47 +1000
Robin G via samba <samba at lists.samba.org> wrote:
...
> full_audit:prefix = %u|%I|%S
> full_audit:failure = none
> full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> full_audit:facility = local5
> full_audit:priority = notice
>
>
> The following in /etc/rsyslog.d/00-samba-audit.conf
> local5.notice /var/log/samba/audit.log
> & ~
>
> and the following in /etc/rsyslog.d/50-default.conf
> *.*;auth,authpriv.none -/var/log/syslog
> *.*;local5,auth,authpriv.none -/var/log/syslog
> local5.notice /var/log/samba/audit.log
>
> The samba service and rsyslog have been restarted multiple times
I think you may be missing
vfs objects = full_audit
in each and every share you want to monitor.
Ethy
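
Added example, not part of the original thread: a small check that reads an smb.conf and lists the shares whose effective "vfs objects" setting does not load full_audit. The sample configuration, share names, paths and function names are constructed for illustration. The check assumes that a "vfs objects" line in [global] acts as the default for every share and that a share-level line replaces that default rather than adding to it.

```python
import re

# Constructed smb.conf (share names and paths are made up for this example).
SAMPLE_SMB_CONF = r"""
[global]
   full_audit:prefix = %u|%I|%S
   full_audit:success = mkdir rmdir read pread write pwrite rename \
      unlink
[projects]
   path = /srv/projects
   VFS Objects = recycle full_audit
[scans]
   path = /srv/scans
   ; vfs objects = full_audit
[archive]
   path = /srv/archive
   vfs objects = recycle
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}, joining '\\' line continuations."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
        elif line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif line and line[0] not in "#;" and "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names.
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def shares_without_full_audit(text):
    """List shares whose effective 'vfs objects' does not load full_audit."""
    conf = parse_smb_conf(text)
    default = conf.get("global", {}).get("vfsobjects", "")
    missing = []
    for name, params in conf.items():
        # A share-level value replaces the [global] default; it is not merged.
        modules = params.get("vfsobjects", default).replace(",", " ").split()
        if name != "global" and "full_audit" not in modules:
            missing.append(name)
    return missing

if __name__ == "__main__":
    print(shares_without_full_audit(SAMPLE_SMB_CONF))
```

In the sample, [scans] is reported because its line is commented out, and [archive] because its own "vfs objects" list leaves full_audit out.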