[Samba] Logging configuration

Andrew Walker walker.aj325 at gmail.com
Fri Mar 26 12:19:42 UTC 2021


On Fri, Mar 26, 2021 at 6:45 AM Remy Zandwijk via samba <
samba at lists.samba.org> wrote:

> Hi Anders,
>
> You have a typo in the config:
>
>         full_audit:failiure = connect mkdir rmdir open read write
>
> Which should be:
>
>         full_audit:failure = connect mkdir rmdir open read write
>
>
> -Remy
>
>
>
> > On 26 Mar 2021, at 09:51, Anders Östling via samba <
> samba at lists.samba.org> wrote:
> >
> > Hi
> > I am fighting with the different logging options, connected to using
> syslog-ng for collecting logs for 2 DC’s and 1 FS into a single log
> repository.
> > I have the syslog-ng repo up and running, and syslog-ng installed and
> configured (I think) on the clients. However, I have two issues, one samba
> and one non-samba related.
> >
> > The client (FS and DC in this case) logs to syslog but does not forward
> to the sink. Probably a misconfig by me, but I have tried to follow
> existing guides and man pages.
> >
> >       /etc/syslog-ng/syslog-ng.conf
> >
> >         ...
> >          destination d_tcp { tcp(10.0.100.14 port(1234) localport(999));
> };
> >        log { source(s_src); destination(d_tcp); };
> >
> > Selecting relevant logging from Samba (FS and DC). What I am most
> interested in is all kind of failures of course, but also successful
> authentications, file creation and deletion. I have played with some
> settings from the man page smb.conf, but the volume of logging is
> overwhelming. Just about 200 entries for clicking on a folder :). My hope
> is that someone has been able to find a good mix of logging options and
> levels, and can share them here!
> >
> > [global]
> >         logging = syslog@5
> >         log level = 1 auth:2 auth_audit:5 winbind:1 passdb:4 vfs:1
> >
> > [users]
> >         vfs objects = full_audit
> >         full_audit:prefix=%u:%I:%S
> >         full_audit:failiure = connect mkdir rmdir open read write
> >         full_audit:success = connect
> >         full_audit:facility = local5
> >
> > Best regards
> >
> > Anders Östling
> >
> > Dämmegatan 11
> > SE-25442 Helsingborg
> > Sweden
> > Phone: +46 768 716 165
> > Skype: anders.ostling at outlook.com
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>


What version of samba is this? Depending on samba version the vfs functions
may be differently named (or not exist). If this is Samba 4.12 for
instance, you will need:
        full_audit:failure = connect mkdirat open read write

vfs_full_audit is incredibly annoying in that it goes full-bore on logging
when there are typos. I think it'd be more sensible to simply deny access
during tree connect and print the offending parameter at DBG_ERR().
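
A pre-deployment check for the problem discussed in this thread, added here as an example and not part of any message or of Samba itself: it flags misspelled full_audit option names such as `full_audit:failiure` and, given a list of operation names valid for the installed version, operations such as `mkdir` that no longer exist. The function name, the option-name set (taken from the vfs_full_audit man page as I know it) and the sample text are assumptions of this example.

```python
import difflib
import re

# full_audit option names as documented in vfs_full_audit(8). Assumption:
# verify this set against the man page of the Samba version you run.
KNOWN_OPTIONS = {"prefix", "success", "failure", "facility",
                 "priority", "syslog", "log_secdesc"}

OPTION_RE = re.compile(r"full_audit\s*:\s*([^=\s]+)\s*=\s*(.*)$", re.IGNORECASE)

# Constructed sample: the [users] share from the thread, typo included.
SAMPLE = """\
[users]
        vfs objects = full_audit
        full_audit:prefix=%u:%I:%S
        full_audit:failiure = connect mkdir rmdir open read write
        full_audit:success = connect
        full_audit:facility = local5
"""


def lint_full_audit(conf_text, known_ops=None):
    """Return (line_number, message) findings for full_audit settings.

    known_ops is an optional, caller-supplied set of VFS operation names
    valid for the installed Samba version; without it only option names
    are checked.
    """
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        match = OPTION_RE.match(raw.strip())
        if not match:
            continue  # comments, section headers, unrelated parameters
        option, value = match.group(1).lower(), match.group(2)
        if option not in KNOWN_OPTIONS:
            close = difflib.get_close_matches(option, sorted(KNOWN_OPTIONS), n=1)
            hint = f" (did you mean '{close[0]}'?)" if close else ""
            findings.append((lineno, f"unknown option 'full_audit:{option}'{hint}"))
        elif known_ops is not None and option in ("success", "failure"):
            for op in value.split():
                name = op.lstrip("!")  # a leading '!' excludes an operation
                if name not in known_ops and name not in ("all", "none"):
                    findings.append((lineno, f"operation '{name}' not in supplied list"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_full_audit(SAMPLE):
        print(f"line {lineno}: {message}")
```

Running it against the share definition before reloading smbd catches the typo at review time instead of in the log volume; the operation list has to come from the installed version, since the names differ between releases.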

