[Samba] Tracking of SAMBA users activity

Christopher Cox chriscox at endlessnow.com
Tue Nov 12 18:09:17 UTC 2019

What you probably want is the vfs_full_audit module 


         comment = Test Dir
         browseable = Yes
         read only = No
         inherit acls = Yes
         path = /samba/test
         vfs objects = full_audit
         full_audit:prefix = %u|%I
         full_audit:success = connect disconnect

Now, I didn't direct the syslog above, so likely all those messages 
would go to your default log file (e.g. /var/log/messages on many Linux 

Nov 12 12:03:30 samba-test smbd_audit: 
Nov 12 12:04:21 samba-test smbd_audit: 

Obviously, you can do more than just "connect" and "disconnect", see the 
man page referenced at the top.

On 11/12/19 11:38 AM, Jean-Louis Renaud via samba wrote:
> Hello,
> I would like to know if there is a SAMBA feature () that tracks users'
> login/logout (by name and not by IP address) accessing the shares.
> Maybe by using Unix command lines, do you know into which log files these
> information are stored in ?
> ie
> "Share ID" Date Time "Username" logged in
> "Share ID" Date Time "Username" logged off
> ?
> I tried to grep "username" in log files stored in /var/log without results.
> I also tried to use the "log level = 1 auth_audit: 3" option in the smb.conf
> file, reloaded the configuration file in samba "smbcontrol all
> reload-config", restarted the samba server "systemctl restart smbd .service
> " but all log files generated in /var/log/samba are completely empty.
> Thanks

More information about the samba mailing list