[Samba] Samba Audit Logs

Robin G robinghere3 at gmail.com
Sun May 6 10:05:20 UTC 2018


Hi Rowland,
Here is the smb.conf. All shares have the full_audit.

[global]
        workgroup = RESOLVS
        netbios name = DC1
        security = USER
        obey pam restrictions = yes
        local master = yes
        domain master = yes
        preferred master = yes
        domain logons = yes
        os level = 50
####

LDAP definitions

####

### Logging

        syslog = 0
        log file = /var/log/samba/%m
        Log level = 0 vfs:0
        max log size = 0
        full_audit:prefix = %u|%I|%S
        full_audit:failure = none
        full_audit:success = mkdir rmdir read pread write pwrite rename unlink
        full_audit:facility = local5
        full_audit:priority = notice


[homes]
        create mask = 0700
        directory mask = 0700
        browseable = No
        read only = No
        path = %H
        vfs objects = full_audit

[data]
        path = /srv/data
        force group = allusers
        read only = No
        inherit permissions = Yes
        hide unreadable = Yes
        vfs objects = full_audit


Regards,

Rob






On Sun, May 6, 2018 at 12:20 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Sat, 5 May 2018 11:11:21 -0300
> "Ethy H. Brito via samba" <samba at lists.samba.org> wrote:
>
> > On Sat, 5 May 2018 23:40:47 +1000
> > Robin G via samba <samba at lists.samba.org> wrote:
> >
> > ...
> >
> >
> > >         full_audit:prefix = %u|%I|%S
> > >         full_audit:failure = none
> > >         full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> > >         full_audit:facility = local5
> > >         full_audit:priority = notice
> > >
> > >
> > > The following in /etc/rsyslog.d/00-samba-audit.conf
> > > local5.notice /var/log/samba/audit.log
> > > & ~
> > >
> > > and the following in /etc/rsyslog.d/50-default.conf
> > > *.*;auth,authpriv.none           -/var/log/syslog
> > > *.*;local5,auth,authpriv.none           -/var/log/syslog
> > > local5.notice /var/log/samba/audit.log
> > >
> > > The samba service and rsyslog have been restarted multiple times
> >
> >
> > I think you may be missing
> >
> >       vfs objects = full_audit
> >
> > in each and every share you want to monitor.
> >
> > Ethy
> >
> >
>
> You are guessing there and this isn't surprising, as the OP didn't give
> us the main piece of evidence, their smb.conf. Without this, anything
> suggested would be a guess.
>
> Rowland
>

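Added example (not part of the original thread and not Samba project code): a small Python check for the point raised above that every share to be monitored needs vfs objects = full_audit. It parses an smb.conf, honours backslash line continuations, treats a [global] vfs objects setting as the default for shares, and reports which shares load the module. SAMPLE_CONF is constructed in the shape of the posted config; the [scratch] share and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the smb.conf posted above;
# the [scratch] share is hypothetical and added to show a coverage gap.
SAMPLE_CONF = """\
[global]
    full_audit:success = mkdir rmdir read pread write pwrite rename \\
        unlink
[homes]
    vfs objects = full_audit
[data]
    path = /srv/data
    vfs objects = full_audit
[scratch]
    path = /srv/scratch
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, spaces normalised."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):            # smb.conf line continuation
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit_coverage(sections):
    """Map each share to True if full_audit is in its effective 'vfs objects'."""
    global_vfs = sections.get("global", {}).get("vfs objects", "")
    return {name: "full_audit" in params.get("vfs objects", global_vfs).split()
            for name, params in sections.items() if name != "global"}

def audited_operations(sections):
    """Operations listed in full_audit:success in [global]."""
    return sections.get("global", {}).get("full_audit:success", "").split()

if __name__ == "__main__":
    for share, ok in audit_coverage(parse_smb_conf(SAMPLE_CONF)).items():
        print(f"[{share}] full_audit {'loaded' if ok else 'MISSING'}")
```
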
