[Samba] Samba Audit Logs
Rowland Penny
rpenny at samba.org
Sat May 5 14:20:18 UTC 2018
On Sat, 5 May 2018 11:11:21 -0300
"Ethy H. Brito via samba" <samba at lists.samba.org> wrote:
> On Sat, 5 May 2018 23:40:47 +1000
> Robin G via samba <samba at lists.samba.org> wrote:
>
> ...
>
>
> > full_audit:prefix = %u|%I|%S
> > full_audit:failure = none
> > full_audit:success = mkdir rmdir read pread write pwrite
> > rename unlink
> > full_audit:facility = local5
> > full_audit:priority = notice
> >
> >
> > The following in /etc/rsyslog.d/00-samba-audit.conf
> > local5.notice /var/log/samba/audit.log
> > & ~
> >
> > and the following in /etc/rsyslog.d/50-default.conf
> > *.*;auth,authpriv.none -/var/log/syslog
> > *.*;local5,auth,authpriv.none -/var/log/syslog
> > local5.notice /var/log/samba/audit.log
> >
> > The samba service and rsyslog have been restarted multiple times
>
>
> I think you may be missing
>
> vfs objects = full_audit
>
> in each and every share you want to monitor.
>
> Ethy
>
>
You are guessing there and this isn't surprising, as the OP didn't give
us the main piece of evidence, their smb.conf. Without this, anything
suggested would be a guess.
Rowland
More information about the samba
mailing list