[Samba] vfs_full_audit only files modification

Jeremy Allison jra at samba.org
Fri Oct 8 17:25:00 UTC 2021

On Fri, Oct 08, 2021 at 02:59:18PM +0200, Janusz Bliźniak via samba wrote:
>>in a way that can translate into code.
>I would like to know which user has opened a file in order to read or 
>edit it.
>I know that the directory where the file is located must be opened, 
>and that is clear to me
>but I would like to exclude this information from the log because 
>there is a lot of it, which makes the log unreadable.
>Below are logs where I opened from Windows 10 
>/mnt/test/Folder1/Folder1_1/file.ods on the  share "/mnt/test/"
>I logged only operations: open, opendir
>I thought "open" would only appear on files and "opendir" on 
>directories, but it's different.
>Instead of the above, I would like to get something like this
>Oct  8 12:45:23 srv-test smbd_audit: 
>Oct  8 12:45:23 srv-test smbd_audit: 
>Oct  8 12:45:23 srv-test smbd_audit: 

I don't think out of the box autit is going to
do that for you. You could do a simple code change
to smb_full_audit_openat() to only log opens if
O_DIRECTORY is not set in the flags parameter.

More information about the samba mailing list