[Samba] full_audit json logging

mj lists at merit.unu.edu
Mon Mar 15 16:07:48 UTC 2021


We're using json logging on the DCs for authentication logging. This 
makes extraction in our log aggregation tool very easy.

We're also using vfs_full_audit logging on the member servers.

The full_audit logs are not json formatted, but look like this:

> 2021-03-15T16:47:39.691012+01:00 memberserver smbd_audit - - -
> IP= | USER=DOM\username | MACHINE=desktop-js8pb3b |
> VOLUME=username|getxattr|fail (No data
> available)|/home/username|user.DOSATTRIB

(i prefixed the generated logs with "IP=%I | MACHINE=%m | VOLUME=%S")

Is there a way to get nice json formatted logs out of the vfs_full_audit 

I read this page, and it does not mention json at all: 

We're on 4.13.5, and of course I can provide a complete smb.conf if 


More information about the samba mailing list