[Samba] Correct configuration for audit options in smb.conf

Pablo Sanz Fernández psanz at empre.es
Fri Apr 24 09:35:46 UTC 2020


We are enabling audit options in Samba 4.9.13 with the smb.conf file.

The full_audit part is working properly, and we see the events in the log file. But the "dsdb" audit options are not working at all, neither local nor syslog-ng.

For the full_audit we are using the "level5" facility to redirect it with syslog-ng to another server, and we would like to do the same with the "dsdb".

How can we configure those options? What are we doing wrong?

Here I copy part of smb.conf:

        vfs objects = full_audit
        full_audit:prefix = %u|%D|%I|%m|%S|%R
        full_audit:success = mkdir rename unlink rmdir pwrite pread connect disconnect
        full_audit:failure = mkdir rename unlink rmdir pwrite pread connect disconnect
        full_audit:facility = local5
        full_audit:priority = INFO

        max log size = 10000

        dsdb event notification = yes
        dsdb group change notification = yes
        dsdb password event notification = yes

        log file = /usr/local/samba/var/log/%U.%m.log
        log level = 1 dsdb_audit:5@/usr/local/samba/var/log/audit.log dsdb_transaction_audit:5@/usr/local/samba/var/log/audit.log dsdb_password_audit:5@/usr/local/samba/var/log/audit.log dsdb_group_audit:5@/usr/local/samba/var/log/audit.log


Pablo Sanz Fernández
