[Samba] vfs_full_audit only files modification

Janusz Bliźniak jb at tmtwadowice.pl
Fri Oct 8 12:59:18 UTC 2021


On 2021-10-06 at 18:20, Jeremy Allison via samba wrote:
> On Wed, Oct 06, 2021 at 08:13:27AM +0200, Janusz Bliźniak via samba 
> wrote:
>> Hello all
>> I would like to monitor which files, and only files, are really opened, 
>> created and modified on my samba shares. My configuration below would 
>> work fine if there were a way to exclude information about 
>> opening and closing folders.  For example, when the mouse cursor is 
>> over a folder, full_audit logs 'open' operations for every folder 
>> inside; Windows probably checks the folders to calculate the size and 
>> show it in the tool-tip. It is similar with files: it is enough for 
>> the mouse to be over the file for full_audit to log the operation, 
>> e.g. "| share_name | open | ok | r |".
>> I tried to log these operations:
>> pread, pwrite - but they don't return anything
>> pread_recv, pread_send - work, but they generate too many entries, 
>> especially when the files are big
>> open, close - generate logs for folders as well
>> create_file - generates too many logs
>>
>> Is there a way to monitor really opened or modified files on samba 
>> shares without logging redundant events?
>
> Well the folders *are* really opened, that's the thing.
> At the VFS layer, in order to list a directory (folder)
> it must be opened.
>
> You need to explain exactly what you mean by "really opened"
> in a way that can translate into code.
>
I would like to know which user has opened a file in order to read or 
edit it.
I know that the directory where the file is located must be opened, and 
that is clear to me,
but I would like to exclude this information from the log because there 
is a lot of it, which makes the log unreadable.
Below are the logs from when I opened 
/mnt/test/Folder1/Folder1_1/file.ods on the share "/mnt/test/" from 
Windows 10.
I logged only the operations open and opendir.
I thought "open" would only appear for files and "opendir" for 
directories, but it's different.


Oct  8 12:45:19 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct  8 12:45:19 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct  8 12:45:19 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct  8 12:45:19 srv-test smbd_audit: ...|opendir|ok|.
Oct  8 12:45:19 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct  8 12:45:19 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct  8 12:45:19 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct  8 12:45:19 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct  8 12:45:20 srv-test smbd_audit: ...|open|ok|r|/mnt/test/file.odt
Oct  8 12:45:20 srv-test smbd_audit: ...|open|ok|r|/mnt/test/file.odt
Oct  8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct  8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct  8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct  8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct  8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct  8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct  8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct  8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct  8 12:45:22 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:22 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:22 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:22 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:22 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:22 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:22 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:22 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1/file.ods
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|w|/mnt/test/Folder1/Folder1_1/file.ods
Oct  8 12:45:23 srv-test smbd_audit: ...|opendir|ok|.
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|w|/mnt/test/Folder1/Folder1_1/.~lock.file.ods#
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1/file.ods
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:24 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct  8 12:45:24 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct  8 12:45:24 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct  8 12:45:24 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct  8 12:45:24 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:28 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct  8 12:45:28 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct  8 12:45:28 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct  8 12:45:28 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct  8 12:45:28 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1/.~lock.file.ods#
Oct  8 12:45:28 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:28 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:28 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1

Instead of the above, I would like to get something like this:

Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1/file.ods
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|w|/mnt/test/Folder1/Folder1_1/file.ods
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|w|/mnt/test/Folder1/Folder1_1/.~lock.file.ods#
-- 

Regards
Janusz
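
Added example (not part of the original message and not Samba code): a post-processing filter for logs in the layout shown above, which keeps only successful "open" records for non-directories and drops repeats within the same second. The sample lines are constructed from the post's format, and treating a path as a directory when it is an ancestor of another logged path is an assumption of this example.

```python
import re

# Successful full_audit "open" record in the layout shown in the post:
#   <syslog header> smbd_audit: <prefix>|open|ok|<r or w>|<absolute path>
OPEN_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+\s[\d:]{8})\s.*smbd_audit: .*"
    r"\|open\|ok\|(?P<mode>[rw])\|(?P<path>/.*)$"
)

# Constructed sample; "..." stands for the elided full_audit prefix.
SAMPLE = """\
Oct  8 12:45:19 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct  8 12:45:19 srv-test smbd_audit: ...|opendir|ok|.
Oct  8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct  8 12:45:22 srv-test smbd_audit:
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct  8 12:45:23 srv-test smbd_audit:
...|open|ok|r|/mnt/test/Folder1/Folder1_1/file.ods
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|w|/mnt/test/Folder1/Folder1_1/file.ods
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|w|/mnt/test/Folder1/Folder1_1/.~lock.file.ods#
Oct  8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1/Folder1_1/file.ods
""".splitlines()

def unwrap(lines):
    """Rejoin records that were wrapped right after 'smbd_audit:'."""
    held = ""
    for line in lines:
        line = held + line.strip()
        held = line + " " if line.endswith("smbd_audit:") else ""
        if not held and line:
            yield line

def file_opens(lines, is_dir=None):
    """Return (stamp, mode, path) for opens of non-directories, one per second.
    With is_dir=None, a path is taken to be a directory when it is an ancestor
    of another logged path (an empty folder is missed this way); on the server
    itself, pass os.path.isdir instead."""
    events = [m.group("stamp", "mode", "path")
              for m in map(OPEN_RE.match, unwrap(lines)) if m]
    if is_dir is None:
        paths = {p for _, _, p in events}
        parents = {p for p in paths
                   if any(q.startswith(p.rstrip("/") + "/") for q in paths)}
        is_dir = parents.__contains__
    seen, result = set(), []
    for event in events:
        if event not in seen and not is_dir(event[2]):
            seen.add(event)
            result.append(event)
    return result

if __name__ == "__main__":
    for stamp, mode, path in file_opens(SAMPLE):
        print(stamp, mode, path)
```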



