[Samba] Tracking of SAMBA users activity & log files
Jean-Louis Renaud
jean_louis.renaud at yahoo.fr
Thu Nov 14 09:13:12 UTC 2019
Unfortunately logs files are generated in /var/log/samba but they are all
empty, do you know the reason ?
My smb.conf :
[global]
log level = 1 auth_audit:3 vfs:2
log file = /var/log/samba/log.%U.%m
max log size = 1000
logging = syslog
[Share]
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%P|%S
full_audit:success = connect disconnect
full_audit:success = mkdir rename unlink rmdir pwrite full_audit:failure =
none full_audit:facility = local7 full_audit:priority = NOTICE
My log level is :
PID 24555: all:1 tdb:1 printdrivers:1 lanman:1 smb:1 rpc_parse:1 rpc_srv:1
rpc_cli:1 passdb:1 sam:1 auth:1 winbind:1 vfs:2 idmap:1 quota:1 acls:1
locking:1 msdfs:1 dmapi:1 registry:1 scavenger:1 dns:1 ldb:1 tevent:1
auth_audit:3
-----Message d'origine-----
De : Jean-Louis Renaud <jean_louis.renaud at yahoo.fr> Envoyé : mardi 12
novembre 2019 21:02 À : 'Christopher Cox' <chriscox at endlessnow.com> Objet :
RE: [Samba] Tracking of SAMBA users activity
WHAOU! that's exactly what I was looking for and even more.
thank you very much
-----Message d'origine-----
De : samba <samba-bounces at lists.samba.org> De la part de Christopher Cox via
samba Envoyé : mardi 12 novembre 2019 19:09 À : samba at lists.samba.org
Objet : Re: [Samba] Tracking of SAMBA users activity
What you probably want is the vfs_full_audit module
https://www.samba.org/samba/docs/current/man-html/vfs_full_audit.8.html
Consider:
[test]
comment = Test Dir
browseable = Yes
read only = No
inherit acls = Yes
path = /samba/test
vfs objects = full_audit
full_audit:prefix = %u|%I
full_audit:success = connect disconnect
Now, I didn't direct the syslog above, so likely all those messages would go
to your default log file (e.g. /var/log/messages on many Linux hosts).
Nov 12 12:03:30 samba-test smbd_audit:
MYDOMAIN\ccox|192.168.1.1|connect|ok|test
Nov 12 12:04:21 samba-test smbd_audit:
MYDOMAIN\ccox|192.168.1.1|disconnect|ok|test
Obviously, you can do more than just "connect" and "disconnect", see the man
page referenced at the top.
On 11/12/19 11:38 AM, Jean-Louis Renaud via samba wrote:
> Hello,
>
>
>
> I would like to know if there is a SAMBA feature () that tracks users'
> login/logout (by name and not by IP address) accessing the shares.
> Maybe by using Unix command lines, do you know into which log files
> these information are stored in ?
>
> ie
>
> "Share ID" Date Time "Username" logged in "Share ID" Date Time
> "Username" logged off
>
>
>
> ?
> I tried to grep "username" in log files stored in /var/log without
results.
>
> I also tried to use the "log level = 1 auth_audit: 3" option in the
> smb.conf file, reloaded the configuration file in samba "smbcontrol
> all reload-config", restarted the samba server "systemctl restart smbd
> .service " but all log files generated in /var/log/samba are completely
empty.
>
>
>
> Thanks
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list