[Samba] Samba Audit Logs

[Rowland Penny]

On Sun, 6 May 2018 20:05:20 +1000
Robin G <robinghere3 at gmail.com> wrote:

> Hi Rowland,
> here is the smb.conf. All shares have the full_audit
> 
> [global]
>     workgroup = RESOLVS
>         netbios name = DC1
>         security = USER
>         obey pam restrictions = yes
>         local master = yes
>         domain master = yes
>         preferred master = yes
>         domain logons = yes
>         os level = 50
> ####
> 
> LDAP definitions

What LDAP definitions ???

> 
> ####
> 
> ### Logging
> 
>     syslog = 0
>     log file = /var/log/samba/%m
>     Log level = 0 vfs:0
>     max log size = 0
>     full_audit:prefix = %u|%I|%S
>         full_audit:failure = none
>         full_audit:success = mkdir rmdir read pread write pwrite
> rename unlink
>         full_audit:facility = local5
>         full_audit:priority = notice
> 
> 
> [homes]
>         create mask = 0700
>         directory mask = 0700
>         browseable = No
>         read only = No
>         path = %H
>         vfs objects = full_audit
> 
> [data]
>         path = /srv/data
>         force group = allusers
>         read only = No
>         inherit permissions = Yes
>         hide unreadable = Yes
>         vfs objects = full_audit
> 
> 

Try it like this:

[global]
.......
.....
...
        vfs objects = full_audit
        full_audit:prefix = %u|%I|%S
        full_audit:failure = none
        full_audit:success = mkdir rmdir read pread write pwrite rename unlink
        full_audit:facility = local5
        full_audit:priority = notice

or like this:

[global]
.......
.....
...
        vfs objects = full_audit

[homes]
        create mask = 0700
        directory mask = 0700
        browseable = No
        read only = No
        path = %H
        full_audit:prefix = %u|%I|%S
        full_audit:failure = none
        full_audit:success = mkdir rmdir read pread write pwrite rename unlink
        full_audit:facility = local5
        full_audit:priority = notice

Rowland