[Samba] Samba Audit Logs
Robin G
robinghere3 at gmail.com
Sun May 6 14:29:10 UTC 2018
Hi Rowland,
Thank you.
I tried both options. The following is using option 2
[global]
vfs objects = full_audit
[homes]
create mask = 0700
directory mask = 0700
browseable = No
read only = No
path = %H
full_audit:prefix = %u|%I|%S
full_audit:failure = none
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice
and then did the tail -f audit.log, after restarting the smbd, nmbd and
rsyslog (which generated the audit.log file), nothing is being recorded. I
see some stuff in the log.machinename like
[2018/05/02 20:43:50.191504, 2] smbd/dosmode.c:114(unix_mode)
unix_mode(New folder (2)) inherit mode 40777
but not the audit.log
Just confirming, the /etc/rsyslog.d/00-samba-audit.conf
local5.notice /var/log/samba/audit.log
&~
cat /etc/rsyslog.d/50-default.conf
*.*;local5,auth,authpriv.none -/var/log/syslog
local5.notice /var/log/samba/audit.log
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
The /etc/rsyslog.conf has the following
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
Am I missing something? The samba box in question is 4.3.x but I have also
tried this in an old Samba box (3.6.x)
On Sun, May 6, 2018 at 8:27 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Sun, 6 May 2018 20:05:20 +1000
> Robin G <robinghere3 at gmail.com> wrote:
>
> > Hi Rowland,
> > here is the smb.conf. All shares have the full_audit
> >
> > [global]
> > workgroup = RESOLVS
> > netbios name = DC1
> > security = USER
> > obey pam restrictions = yes
> > local master = yes
> > domain master = yes
> > preferred master = yes
> > domain logons = yes
> > os level = 50
> > ####
> >
> > LDAP definitions
>
> What LDAP definitions ???
>
> >
> > ####
> >
> > ### Logging
> >
> > syslog = 0
> > log file = /var/log/samba/%m
> > Log level = 0 vfs:0
> > max log size = 0
> > full_audit:prefix = %u|%I|%S
> > full_audit:failure = none
> > full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> > full_audit:facility = local5
> > full_audit:priority = notice
> >
> >
> > [homes]
> > create mask = 0700
> > directory mask = 0700
> > browseable = No
> > read only = No
> > path = %H
> > vfs objects = full_audit
> >
> > [data]
> > path = /srv/data
> > force group = allusers
> > read only = No
> > inherit permissions = Yes
> > hide unreadable = Yes
> > vfs objects = full_audit
> >
> >
>
> Try it like this:
>
> [global]
> .......
> .....
> ...
> vfs objects = full_audit
> full_audit:prefix = %u|%I|%S
> full_audit:failure = none
> full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> full_audit:facility = local5
> full_audit:priority = notice
>
> or like this:
>
> [global]
> .......
> .....
> ...
> vfs objects = full_audit
>
> [homes]
> create mask = 0700
> directory mask = 0700
> browseable = No
> read only = No
> path = %H
> full_audit:prefix = %u|%I|%S
> full_audit:failure = none
> full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> full_audit:facility = local5
> full_audit:priority = notice
>
> Rowland
>
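
Added example, not part of the thread: a simplified Python model of rsyslog's traditional facility.priority selectors, run over the rules quoted in the message, to show which files a message from full_audit (facility local5) would reach. It assumes the files are read in name order and that `&~` is the legacy discard action; the function names are hypothetical.

```python
# Added example: simplified model of rsyslog's traditional selector matching.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Rules copied from the message above, in the order rsyslog reads
# /etc/rsyslog.d/*.conf (00-samba-audit.conf, then part of 50-default.conf).
RULES = """\
local5.notice /var/log/samba/audit.log
&~
*.*;local5,auth,authpriv.none -/var/log/syslog
local5.notice /var/log/samba/audit.log
kern.* -/var/log/kern.log
mail.* -/var/log/mail.log
"""

def selector_matches(selector, facility, severity):
    """True if 'fac[,fac].pri[;...]' selects the message ('=' and '!' not handled)."""
    matched = False
    for part in selector.split(";"):
        facs, _, pri = part.rpartition(".")
        names = facs.split(",")
        if "*" not in names and facility not in names:
            continue                      # this part does not mention our facility
        if pri == "none":
            matched = False               # facility explicitly excluded
        elif pri == "*":
            matched = True
        elif SEVERITY.index(severity) <= SEVERITY.index(pri):
            matched = True                # named priority or anything more severe
    return matched

def destinations(rules, facility, severity):
    """Files the message is written to; '& ~' after a matching rule discards it."""
    files, last_matched = [], False
    for line in rules.splitlines():
        line = line.strip()
        if not line or line[0] in "#$":
            continue
        if line.startswith("&"):
            if last_matched and line[1:].strip() == "~":
                break                     # assumption: legacy discard action
            continue
        selector, action = line.split(None, 1)
        last_matched = selector_matches(selector, facility, severity)
        if last_matched and action.lstrip("-").startswith("/"):
            files.append(action.lstrip("-"))
    return files

if __name__ == "__main__":
    for sev in ("notice", "info"):
        print("local5." + sev, "->", destinations(RULES, "local5", sev))
```

Under these rules a local5 message at info or debug is written nowhere, so only events emitted at notice or above can reach audit.log. On the server, `logger -p local5.notice test` sends a real message with the same facility and priority through rsyslog.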