[Samba] Samba "vfs_full_audit" Operations
Christopher Cox
chriscox at endlessnow.com
Sat Jan 23 23:07:00 UTC 2021
On 1/23/21 11:21 AM, Selahattin CILEK via samba wrote:
> I am trying to get Samba to log user activity. What should be done is clearly
> explained here:
>
> https://www.samba.org/samba/docs/current/man-html/vfs_full_audit.8.html
>
> The problem is that Samba sends too much data, and that is a major problem for
> me. Apparently, there are a lot of "operations" going on in the background and I
> don't know which ones to filter. So I am looking for any sort of documentation
> that can enlighten me. I have already Google'd it but nothing useful came up.
>
> Thanks in advance.
The info presented by vfs_full_audit doesn't translate directly into filesystem
operations as a user might think of them.
With that said, here are the options I use:
vfs objects = full_audit
full_audit:prefix = %U|%u|%I|%P
full_audit:success = pwrite rename mknod unlink rmdir mkdir
sys_acl_set_file
full_audit:failure = none
full_audit:facility = LOCAL3
full_audit:log_secdesc = true
More information about the samba
mailing list