[Samba] full_audit logs way too much
Kees van Vloten
keesvanvloten at gmail.com
Wed Jun 15 15:26:06 UTC 2022
Hi Team,
I have enabled full_audit logging on a (domain-member) file-server
(running 4.15.7 from Louis on Bullseye):
[global]
log level = 3
full_audit:success = pwrite write rename
full_audit:failure = none
full_audit:prefix = samba: IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:facility = local7
full_audit:priority = NOTICE
<many other settings>
[home]
comment = Home directory
path = /srv/samba/home
write list = @acl-smb_share_user_home-full
read list =
force create mode = 0600
force directory mode = 0700
vfs objects = acl_xattr streams_xattr recycle full_audit
recycle:keeptree = yes
recycle:versions = yes
<more shares identical vfs object settings>
Instead of only "full_audit:success = pwrite write rename", I see
everything being logged. As a result the log file is rapidly growing, and
perhaps this much logging poses a performance hit on file access over
the shares.
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|stat|ok|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|stat|ok|/srv/samba/home
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|file_id_create|ok|64780:2:0
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|stat|ok|/srv/samba/home
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|chdir|ok|chdir|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|stat|ok|/srv/samba/home
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|file_id_create|ok|64780:7340395:0
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|stat|ok|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|realpath|ok|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|connectpath|ok|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|openat|ok|r|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|fstat|ok|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|chdir|ok|chdir|/srv/samba/home
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|stat|ok|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|file_id_create|ok|64780:2:0
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|stat|ok|/srv/samba/home
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|file_id_create|ok|64780:7340395:0
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|close|ok|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Is there a mistake in the configuration?
Or is it expected behaviour?
Or perhaps a bug in 4.15.7?
- Kees
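
Added example (not part of the original post and not Samba project code): a small parser for the record layout produced by the prefix in the post, which tallies successful operations and reports those that are not in the configured full_audit:success list. The sample records, the pwrite line and its path, and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Operations listed in the post's "full_audit:success" line.
EXPECTED_SUCCESS = {"pwrite", "write", "rename"}

# A new record starts with a syslog timestamp such as "Jun 15 17:04:51 ".
TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# The post's prefix "samba: IP=%I|USER=%u|MACHINE=%m|VOLUME=%S", followed by
# the operation|result|arguments fields that full_audit appends.
REC_RE = re.compile(
    r"smbd_audit: samba:\s+IP=(?P<ip>[^|]*)\|USER=(?P<user>[^|]*)"
    r"\|MACHINE=(?P<machine>[^|]*)\|VOLUME=(?P<volume>[^|]*)"
    r"\|(?P<op>[^|]+)\|(?P<result>[^|]+)(?:\|(?P<args>.*))?$"
)

def unwrap(lines):
    """Rejoin records that were wrapped onto a second line after 'samba:'."""
    record = ""
    for line in (l.strip() for l in lines):
        if TS_RE.match(line) and record:
            yield record
            record = line
        elif line:
            record = f"{record} {line}".strip()
    if record:
        yield record

def audit_summary(lines, expected=EXPECTED_SUCCESS):
    """Return (successful op counts, the subset not in the configured list)."""
    ops = Counter()
    for record in unwrap(lines):
        m = REC_RE.search(record)
        if m and m["result"] == "ok":
            ops[m["op"]] += 1
    unexpected = {op: n for op, n in ops.items() if op not in expected}
    return ops, unexpected

# Constructed sample: records shaped like the post's (two of them wrapped as
# in the archive) plus one constructed pwrite record with a hypothetical path.
SAMPLE = r"""
Jun 15 17:04:51 smbserver smbd_audit: samba:
IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|stat|ok|/srv/samba/home
Jun 15 17:04:51 smbserver smbd_audit: samba:
IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|file_id_create|ok|64780:2:0
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|chdir|ok|chdir|/srv/samba/home
Jun 15 17:04:52 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|pwrite|ok|/srv/samba/home/user/example.txt
"""

if __name__ == "__main__":
    ops, unexpected = audit_summary(SAMPLE.splitlines())
    print("successful operations:", dict(ops))
    print("not in full_audit:success:", unexpected)
```

Run against the real syslog file (for example audit_summary(open(path))) to see which operations account for most of the volume.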