[Samba] Tracking of SAMBA users activity & log files

Jean-Louis Renaud jean_louis.renaud at yahoo.fr
Thu Nov 14 09:13:12 UTC 2019


Unfortunately, log files are generated in /var/log/samba but they are all
empty. Do you know the reason?

My smb.conf :

[global]
log level = 1 auth_audit:3 vfs:2
log file = /var/log/samba/log.%U.%m
max log size = 1000
logging = syslog

[Share]
vfs objects =  full_audit
full_audit:prefix = %u|%I|%m|%P|%S
full_audit:success = connect disconnect
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE

My log level is :

PID 24555: all:1 tdb:1 printdrivers:1 lanman:1 smb:1 rpc_parse:1 rpc_srv:1
rpc_cli:1 passdb:1 sam:1 auth:1 winbind:1 vfs:2 idmap:1 quota:1 acls:1
locking:1 msdfs:1 dmapi:1 registry:1 scavenger:1 dns:1 ldb:1 tevent:1
auth_audit:3


-----Original Message-----
From: Jean-Louis Renaud <jean_louis.renaud at yahoo.fr>
Sent: Tuesday, 12 November 2019 21:02
To: 'Christopher Cox' <chriscox at endlessnow.com>
Subject: RE: [Samba] Tracking of SAMBA users activity

WOW! That's exactly what I was looking for and even more.

Thank you very much.

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Christopher Cox via samba
Sent: Tuesday, 12 November 2019 19:09
To: samba at lists.samba.org
Subject: Re: [Samba] Tracking of SAMBA users activity

What you probably want is the vfs_full_audit module
https://www.samba.org/samba/docs/current/man-html/vfs_full_audit.8.html

Consider:

[test]
         comment = Test Dir
         browseable = Yes
         read only = No
         inherit acls = Yes
         path = /samba/test
         vfs objects = full_audit
         full_audit:prefix = %u|%I
         full_audit:success = connect disconnect

Now, I didn't direct the syslog above, so likely all those messages would go
to your default log file (e.g. /var/log/messages on many Linux hosts).

Nov 12 12:03:30 samba-test smbd_audit: MYDOMAIN\ccox|192.168.1.1|connect|ok|test
Nov 12 12:04:21 samba-test smbd_audit: MYDOMAIN\ccox|192.168.1.1|disconnect|ok|test

Obviously, you can do more than just "connect" and "disconnect", see the man
page referenced at the top.



On 11/12/19 11:38 AM, Jean-Louis Renaud via samba wrote:
> Hello,
> 
>   
> 
> I would like to know if there is a SAMBA feature () that tracks users'
> login/logout (by name and not by IP address) accessing the shares.
> Maybe by using Unix command lines, do you know in which log files
> this information is stored?
> 
> ie
> 
> "Share ID" Date Time "Username" logged in "Share ID" Date Time 
> "Username" logged off
> 
>   
> 
> ?
> I tried to grep "username" in log files stored in /var/log without results.
> 
> I also tried to use the "log level = 1 auth_audit: 3" option in the
> smb.conf file, reloaded the configuration file in samba "smbcontrol
> all reload-config", restarted the samba server "systemctl restart
> smbd.service" but all log files generated in /var/log/samba are
> completely empty.
> 
> 
> 
> Thanks
> 
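
An added example, not part of the original thread: a small parser that turns smbd_audit syslog lines of the form shown above (full_audit:prefix = %u|%I) into per-user, per-share sessions, including connects that never closed and disconnects with no matching connect. The sample lines, the `prefix_names` parameter and the `year` default are assumptions made for illustration; syslog timestamps carry no year, and `prefix_names` must list one name per field in full_audit:prefix.

```python
import re
from datetime import datetime

# Constructed sample in the format shown in the thread (prefix = %u|%I).
SAMPLE = r"""
Nov 12 12:03:30 samba-test smbd_audit: MYDOMAIN\ccox|192.168.1.1|connect|ok|test
Nov 12 12:03:41 samba-test smbd_audit: MYDOMAIN\jdoe|192.168.1.7|connect|ok|test
Nov 12 12:03:55 samba-test sshd[811]: Accepted publickey for root
Nov 12 12:04:21 samba-test smbd_audit: MYDOMAIN\ccox|192.168.1.1|disconnect|ok|test
Nov 12 12:05:02 samba-test smbd_audit: MYDOMAIN\eve|192.168.1.9|disconnect|ok|test
"""

# timestamp, host, "smbd_audit" tag (optional [pid]), then the audit message
LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\ssmbd_audit(?:\[\d+\])?:\s(.*)$")

def parse(line, prefix_names=("user", "ip"), year=2019):
    """Return a dict for one full_audit syslog line, or None if it is not one."""
    m = LINE.match(line.strip())
    if not m:
        return None
    fields = m.group(3).split("|")
    n = len(prefix_names)
    if len(fields) < n + 3:          # need prefix + operation|result|target
        return None
    rec = dict(zip(prefix_names, fields[:n]))
    rec["op"], rec["result"] = fields[n], fields[n + 1]
    rec["target"] = "|".join(fields[n + 2:])   # file names may contain '|'
    rec["time"] = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return rec

def sessions(text, **kw):
    """Pair successful connect/disconnect events per (user, ip, share)."""
    open_, done, orphans = {}, [], []
    for rec in filter(None, (parse(l, **kw) for l in text.splitlines())):
        if rec["result"] != "ok" or rec["op"] not in ("connect", "disconnect"):
            continue
        key = (rec["user"], rec["ip"], rec["target"])
        if rec["op"] == "connect":
            open_.setdefault(key, []).append(rec["time"])
        elif open_.get(key):
            done.append((*key, open_[key].pop(0), rec["time"]))
        else:                        # disconnect whose connect was not logged
            orphans.append((*key, rec["time"]))
    still_open = [(*k, t) for k, ts in open_.items() for t in ts]
    return done, still_open, orphans
```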
