[Samba] No Logging for most VFS Operations with full_audit on smbd 4.9.5-Debian
samba at machichemicals.com
Thu Nov 5 20:03:36 UTC 2020
I am running audits on a restricted file share for smbd 4.9.5-Debian. Messages go to syslog via local5. I am mostly interested in file access and modification, plus the occasional failed connect. The only operations that yield any results appear to be 'opendir' and 'open'. Unfortunately, 'open' is chatty to such an extent as to render logging useless. I am getting repeated directory access and file readaheads just by opening that share.
My thinking was 'read', 'write', and 'mkdir'; but, again, no logging whatsoever for those operations. Is this by design, or is my setup missing important aspects?
To get started, below is a snippet from my 'smb.conf' for the share in question.
path = /srv/AUDIT
read only = No
browseable = No
include = /etc/samba/userconf/%U.audit.conf
valid users = root more users here
vfs objects = acl_xattr full_audit
full_audit:success = open read write mkdir
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:facility = local5
full_audit:priority = info
full_audit:syslog = true
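
An added example, not part of the original post: a small Python filter that collapses repeated successful 'open' records into counts and keeps failures, for syslog lines written with the prefix configured above. The sample lines are constructed, and the "smbd_audit: prefix|operation|result|arguments" layout and the r/w mode field on 'open' are assumptions about the module's output.

```python
# Field names follow the post's "full_audit:prefix = %u|%I|%m|%S".
PREFIX_FIELDS = ("user", "client_ip", "client_name", "share")
MARKER = "smbd_audit: "

# Constructed sample lines (not taken from the post). Assumed layout:
#   smbd_audit: <prefix>|<operation>|<result>|<arguments>
SAMPLE = """\
Nov  5 20:01:02 fs1 smbd_audit: alice|192.0.2.10|ws01|AUDIT|opendir|ok|/srv/AUDIT
Nov  5 20:01:02 fs1 smbd_audit: alice|192.0.2.10|ws01|AUDIT|open|ok|r|/srv/AUDIT/plan.txt
Nov  5 20:01:02 fs1 smbd_audit: alice|192.0.2.10|ws01|AUDIT|open|ok|r|/srv/AUDIT/plan.txt
Nov  5 20:01:03 fs1 smbd_audit: alice|192.0.2.10|ws01|AUDIT|open|ok|r|/srv/AUDIT/plan.txt
Nov  5 20:01:09 fs1 smbd_audit: alice|192.0.2.10|ws01|AUDIT|open|ok|w|/srv/AUDIT/plan.txt
Nov  5 20:02:41 fs1 smbd_audit: bob|192.0.2.44|ws07|AUDIT|connect|fail (Permission denied)|AUDIT
Nov  5 20:02:50 fs1 sshd[811]: unrelated line that must be skipped
"""

def parse(line):
    """Return a dict for one smbd_audit line, or None if it is not one."""
    pos = line.find(MARKER)
    if pos < 0:
        return None
    # Split off prefix fields, operation and result; keep the rest intact
    # so that "|" inside the arguments is preserved.
    parts = line[pos + len(MARKER):].rstrip("\n").split("|", len(PREFIX_FIELDS) + 2)
    if len(parts) < len(PREFIX_FIELDS) + 2:
        return None
    rec = dict(zip(PREFIX_FIELDS, parts))
    rec["op"], rec["result"] = parts[4], parts[5]
    rec["args"] = parts[6] if len(parts) > 6 else ""
    return rec

def summarize(lines):
    """Count successful opens per (user, ip, mode, path); list all failures."""
    opens, failures = {}, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if not rec["result"].startswith("ok"):
            failures.append(rec)
        elif rec["op"] == "open":
            mode, _, path = rec["args"].partition("|")  # assumed "r|path" / "w|path"
            key = (rec["user"], rec["client_ip"], mode, path)
            opens[key] = opens.get(key, 0) + 1
    return opens, failures

if __name__ == "__main__":
    opens, failures = summarize(SAMPLE.splitlines())
    for (user, ip, mode, path), n in opens.items():
        print(f"{user}@{ip} open[{mode}] {path} x{n}")
    for rec in failures:
        print(f"FAILED {rec['op']} by {rec['user']}@{rec['client_ip']}: {rec['result']}")
```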