[Samba] Samba "vfs_full_audit" Operations

Andrew Walker walker.aj325 at gmail.com
Sun Jan 24 12:58:09 UTC 2021


On Sat, Jan 23, 2021 at 7:24 PM Christopher Cox via samba <
samba at lists.samba.org> wrote:

> On 1/23/21 11:21 AM, Selahattin CILEK via samba wrote:
> > I am trying to get Samba to log user activity. What should be done is clearly
> > explained here:
> >
> > https://www.samba.org/samba/docs/current/man-html/vfs_full_audit.8.html
> >
> > The problem is that Samba sends too much data, and that is a major problem for
> > me. Apparently, there are a lot of "operations" going on in the background and I
> > don't know which ones to filter. So I am looking for any sort of documentation
> > that can enlighten me. I have already Googled it but nothing useful came up.
> >
> > Thanks in advance.
>
> The info presented by vfs_full_audit doesn't translate directly into filesystem
> operations as a user might think of them.
>
> With that said, here are the options I use:
>
>          vfs objects = full_audit
>          full_audit:prefix = %U|%u|%I|%P
>          full_audit:success = pwrite rename mknod unlink rmdir mkdir sys_acl_set_file
>          full_audit:failure = none
>          full_audit:facility = LOCAL3
>          full_audit:log_secdesc = true
>

On Samba 4.12+ you may need to replace these with renameat, makenodat, unlinkat,
mkdirat (rmdir is removed and the others are replaced with handle-based functions).
If a particular VFS operation no longer exists, then full_audit will
default to logging _everything_, which isn't great.
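
Added example (not part of the original thread and not Samba project code): a small linter that scans smb.conf text for full_audit:success / full_audit:failure lists that still use the pre-4.12 operation names from the reply above, and rewrites them. The function name and the sample config are constructed for illustration; the rename map comes from the reply, except that the reply's "makenodat" is written as mknodat here, on the assumption that this is the operation name Samba uses.

```python
import re

# Rename map from the reply above (Samba 4.12+). Assumption: the reply writes
# "makenodat"; the operation name Samba uses is "mknodat".
RENAMED = {"rename": "renameat", "mknod": "mknodat",
           "unlink": "unlinkat", "mkdir": "mkdirat"}
REMOVED = {"rmdir"}  # per the reply: removed outright

# Constructed sample: the share options quoted earlier in the thread.
SAMPLE_CONF = """\
[share]
    vfs objects = full_audit
    full_audit:prefix = %U|%u|%I|%P
    full_audit:success = pwrite rename mknod unlink rmdir mkdir sys_acl_set_file
    full_audit:failure = none
"""

OPTION = re.compile(r"^(\s*)full_audit:(success|failure)\s*=\s*(.*)$", re.I)


def lint_full_audit(conf_text):
    """Return (findings, rewritten_text); findings are (line, option, old, new)."""
    findings, out = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = OPTION.match(line)
        if not m:
            out.append(line)
            continue
        indent, key, kept = m.group(1), m.group(2).lower(), []
        for op in m.group(3).split():
            bare = op.lstrip("!")          # "!" prefix excludes an operation
            neg = op[:len(op) - len(bare)]
            if bare in RENAMED:
                findings.append((lineno, key, bare, RENAMED[bare]))
                kept.append(neg + RENAMED[bare])
            elif bare in REMOVED:
                findings.append((lineno, key, bare, None))
            else:
                kept.append(op)
        # Never leave the list empty; "none" is the explicit log-nothing value.
        out.append(f"{indent}full_audit:{key} = {' '.join(kept) or 'none'}")
    return findings, "\n".join(out) + "\n"


if __name__ == "__main__":
    findings, fixed = lint_full_audit(SAMPLE_CONF)
    for lineno, key, old, new in findings:
        print(f"line {lineno}: full_audit:{key}: {old} -> {new or 'removed'}")
    print(fixed)
```

Running this against a share definition before an upgrade to 4.12+ shows which audit lists would otherwise hit the log-everything fallback described above.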

