[Samba] No Logging for most VFS Operations with full_audit on smbd 4.9.5-Debian
Mike Ruebner
samba at machichemicals.com
Thu Nov 5 20:03:36 UTC 2020
Greetings,
I am running audits on a restricted file share for smbd 4.9.5-Debian. Messages go to syslog via local5. I am mostly interested in file access and modification, plus the occasional failed connect. The only operations that yield any results appear to be 'opendir' and 'open'. Unfortunately, 'open' is chatty to such an extent as to render logging useless. I am getting repeated directory access and file readaheads just by opening that share.
My thinking was 'read', 'write', and 'mkdir'; but, again, no logging whatsoever for those operations. Is this by design, or is my setup missing important aspects?
To get started, below is a snippet from my 'smb.conf' for the share in question.
TIA
Mike
<---
[AUDIT]
path = /srv/AUDIT
read only = No
browseable = No
include = /etc/samba/userconf/%U.audit.conf
valid users = root more users here
vfs objects = acl_xattr full_audit
full_audit:success = open read write mkdir
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:facility = local5
full_audit:priority = info
full_audit:syslog = true
--->