[Samba] Tracking of SAMBA users activity

Christopher Cox chriscox at endlessnow.com
Tue Nov 12 18:09:17 UTC 2019


What you probably want is the vfs_full_audit module 
https://www.samba.org/samba/docs/current/man-html/vfs_full_audit.8.html

Consider:

[test]
         comment = Test Dir
         browseable = Yes
         read only = No
         inherit acls = Yes
         path = /samba/test
         vfs objects = full_audit
         full_audit:prefix = %u|%I
         full_audit:success = connect disconnect

Now, I didn't direct the syslog above, so likely all those messages 
would go to your default log file (e.g. /var/log/messages on many Linux 
hosts).

Nov 12 12:03:30 samba-test smbd_audit: 
MYDOMAIN\ccox|192.168.1.1|connect|ok|test
Nov 12 12:04:21 samba-test smbd_audit: 
MYDOMAIN\ccox|192.168.1.1|disconnect|ok|test

Obviously, you can do more than just "connect" and "disconnect", see the 
man page referenced at the top.



On 11/12/19 11:38 AM, Jean-Louis Renaud via samba wrote:
> Hello,
> 
>   
> 
> I would like to know if there is a SAMBA feature () that tracks users'
> login/logout (by name and not by IP address) accessing the shares.
> Maybe by using Unix command lines, do you know into which log files these
> information are stored in ?
> 
> ie
> 
> "Share ID" Date Time "Username" logged in
> "Share ID" Date Time "Username" logged off
> 
>   
> 
> ?
> I tried to grep "username" in log files stored in /var/log without results.
> 
> I also tried to use the "log level = 1 auth_audit: 3" option in the smb.conf
> file, reloaded the configuration file in samba "smbcontrol all
> reload-config", restarted the samba server "systemctl restart smbd .service
> " but all log files generated in /var/log/samba are completely empty.
> 
> 
> 
> Thanks
> 



More information about the samba mailing list