[Samba] No Logging for most VFS Operations with full_audit on smbd 4.9.5-Debian

Thu Nov 5 20:03:36 UTC 2020

Greetings,

I am running audits on a restricted file share for smbd 4.9.5-Debian. Messages go to syslog via local5. I am mostly interested in file access and modification, plus the occasional failed connect. The only operations that yield any results appear to be 'opendir' and 'open'. Unfortunately, 'open' is chatty to an extend as to render logging useless. I am getting repeated directory access and file readaheads just by opening that share.

My thinking was 'read', 'write', and 'mkdir'; but, again, no logging whatsoever for those operations. Is this by design, or is my setup missing important aspects?

To get started, below a snippet from my 'smb.conf' for the share in question.

TIA

Mike

<---

[AUDIT]

                path = /srv/AUDIT
                read only = No
                browseable = No
                include = /etc/samba/userconf/%U.audit.conf
                valid users = root more users here
                vfs objects = acl_xattr full_audit
                full_audit:success = open read write mkdir
                full_audit:prefix = %u|%I|%m|%S
                full_audit:failure = connect
                full_audit:facility = local5
                full_audit:priority = info
                full_audit:syslog = true

--->