[Samba] vfs_full_audit only files modification
Janusz Bliźniak
jb at tmtwadowice.pl
Sun Oct 10 15:51:02 UTC 2021
W dniu 2021-10-08 o 19:25, Jeremy Allison pisze:
> On Fri, Oct 08, 2021 at 02:59:18PM +0200, Janusz Bliźniak via samba
> wrote:
>>> in a way that can translate into code.
>>>
>> I would like to know which user has opened a file in order to read or
>> edit it.
>> I know that the directory where the file is located must be opened,
>> and that is clear to me
>> but I would like to exclude this information from the log because
>> there is a lot of it, which makes the log unreadable.
>> Below are logs where I opened from Windows 10
>> /mnt/test/Folder1/Folder1_1/file.ods on the share "/mnt/test/"
>> I logged only operations: open, opendir
>> I thought "open" would only appear on files and "opendir" on
>> directories, but it's different.
>>
>> Instead of the above, I would like to get something like this
>>
>> Oct 8 12:45:23 srv-test smbd_audit:
>> ...|open|ok|r|/mnt/test/Folder1/Folder1_1/file.ods
>> Oct 8 12:45:23 srv-test smbd_audit:
>> ...|open|ok|w|/mnt/test/Folder1/Folder1_1/file.ods
>> Oct 8 12:45:23 srv-test smbd_audit:
>> ...|open|ok|w|/mnt/test/Folder1/Folder1_1/.~lock.file.ods#
>
> I don't think out of the box autit is going to
> do that for you. You could do a simple code change
> to smb_full_audit_openat() to only log opens if
> O_DIRECTORY is not set in the flags parameter.
Thanks for help, I'll try do this.
--
Regards
Janusz
More information about the samba
mailing list