[Samba] No Logging for most VFS Operations with full_audit on smbd 4.9.5-Debian

Mike Ruebner samba at machichemicals.com
Thu Nov 5 20:03:36 UTC 2020


I am running audits on a restricted file share for smbd 4.9.5-Debian. Messages go to syslog via local5. I am mostly interested in file access and modification, plus the occasional failed connect. The only operations that yield any results appear to be 'opendir' and 'open'. Unfortunately, 'open' is chatty to an extent as to render logging useless. I am getting repeated directory access and file readaheads just by opening that share.

My thinking was 'read', 'write', and 'mkdir'; but, again, no logging whatsoever for those operations. Is this by design, or is my setup missing important aspects?

To get started, below is a snippet from my 'smb.conf' for the share in question.





                path = /srv/AUDIT
                read only = No
                browseable = No
                include = /etc/samba/userconf/%U.audit.conf
                valid users = root more users here
                vfs objects = acl_xattr full_audit
                full_audit:success = open read write mkdir
                full_audit:prefix = %u|%I|%m|%S
                full_audit:failure = connect
                full_audit:facility = local5
                full_audit:priority = info
                full_audit:syslog = true
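
An added example, not part of the original post: one way to cut the 'open' noise described above on the log-processing side, by keeping failures and write-mode opens and only counting read-mode opens per user and path. It assumes each record is the share's prefix (`%u|%I|%m|%S`) followed by `operation|ok or fail (reason)|arguments`; that layout, the function names, the host name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed record layout after the syslog header (not taken from the post):
#   <prefix>|<operation>|<ok or fail (reason)>|<operation arguments>
# With the prefix %u|%I|%m|%S the first four fields are
# user, client IP, client machine name and share name.
RECORD = re.compile(r"smbd_audit(?:\[\d+\])?: (?P<body>.+)$")

# Constructed sample lines; hosts, users and paths are made up.
SAMPLE = [
    "Nov  5 20:01:02 fs1 smbd_audit: alice|192.0.2.10|ws01|AUDIT|open|ok|r|report.xlsx",
    "Nov  5 20:01:02 fs1 smbd_audit: alice|192.0.2.10|ws01|AUDIT|open|ok|r|report.xlsx",
    "Nov  5 20:01:09 fs1 smbd_audit: alice|192.0.2.10|ws01|AUDIT|open|ok|w|report.xlsx",
    "Nov  5 20:02:30 fs1 smbd_audit: bob|192.0.2.11|ws02|AUDIT|connect|fail (Permission denied)|AUDIT",
    "Nov  5 20:02:31 fs1 smbd[1234]: unrelated daemon message",
]

def parse(line):
    """Return a dict for one full_audit syslog line, or None if it is not one."""
    m = RECORD.search(line)
    if not m:
        return None
    parts = m.group("body").split("|", 6)
    if len(parts) < 6:
        return None
    user, ip, machine, share, op, status = parts[:6]
    # Split the arguments once only, so a '|' inside a file name survives.
    args = parts[6].split("|", 1) if len(parts) > 6 else []
    return {"user": user, "ip": ip, "machine": machine, "share": share,
            "op": op, "ok": status == "ok", "status": status, "args": args}

def reduce_noise(lines):
    """Keep failures and write-mode opens; tally read-mode opens per (user, path)."""
    kept, read_opens = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["op"] == "open" and rec["ok"] and rec["args"][:1] == ["r"]:
            read_opens[(rec["user"], rec["args"][-1])] += 1
            continue
        kept.append(rec)
    return kept, read_opens

if __name__ == "__main__":
    events, reads = reduce_noise(SAMPLE)
    for e in events:
        print(e["user"], e["ip"], e["op"], e["status"], e["args"])
    print(dict(reads))
```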

