[Samba] vfs_full_audit only files modification
Janusz Bliźniak
jb at tmtwadowice.pl
Wed Oct 6 06:13:27 UTC 2021
Hello all
I would like to monitor which files and only files are really open,
create and modify on my samba shares. My bellow configuration would have
been works fine if there is a way to exclude information about opening
and closing folders. For example when the mouse cursor is over a
folder, full_audit logs 'open' operations for every folder inside,
Windows probably checks the folders to calculated size and show it in
the tool-tip. It is similar with files, it is enough for the mouse to be
over the file for full_audit to log the operation e.g. "| share_name |
open | ok | r |".
I try to log operation:
pread, pwirte - but they don't return anything
pread_recv, pread_send - works but they generate too much entries,
especially when the files are big
open, close - generate logs as well for folders
create_file - generate too many logs
Is there a way to monitor really opened or modified files on samba
shares without logging redundant events?
My Samba version is Samba 4.11.2 and config
vfs object = full_audit
full_audit:prefix = %u|%I|%m%|%S|%R
full_audit:success = read write mkdir unlink rmdir rename open close
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = notice
Sorry for my English
-------------------------------------------------
Best regards
Janusz
More information about the samba
mailing list