[Samba] full_audit syslog logging question

Wyll Ingersoll wyllys.ingersoll at keepertech.com
Mon Mar 13 17:51:22 UTC 2023

In case anyone is interested, I found the problem.

I was running samba in a container that did not have any syslog service (rsyslogd or syslog-ng) running.  By default, samba syslog only sends messages to the system's syslog socket and there was nothing listening on it so the messages just got dropped.  I put rsyslogd in the container and configured it to listen on the syslog socket and am now able to forward the logs as desired.

Feature request:  add a syslog logging option in the [global] config section that would allow a syslog destination address:port option to send logs elsewhere without requiring a local syslog daemon to do it.


From: samba <samba-bounces at lists.samba.org> on behalf of Wyll Ingersoll via samba <samba at lists.samba.org>
Sent: Friday, March 10, 2023 12:59 PM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: [Samba] full_audit syslog logging question

Running Samba 4.16.4 and having problems getting the vfs_full_audit module to send anything to syslog. I can get it to log to a file, but nothing happens when using syslog only.
Configuration looks like:

log level = 4
log file = /var/log/samba/log.%m
logging = syslog@4

path = /foobar
vfs objects = full_audit streams_xattr acl_xattr
full_audit:priority = INFO
full_audit:facility = local5
full_audit:success = all
full_audit:failure = all
full_audit:prefix = %u|%I|%m|%S|%P

I have monitored the system port 514 with tcpdump and verified that nothing is being sent out even when there is activity on the share (mount/unmount, list directories, write/delete files).   If I switch it to "logging = syslog@4 file", I can see the full_audit messages show up in the standard log files for each client.

What is the magic that needs to happen to have full_audit actually send out a syslog message?

The goal is to be sending these audit messages to an external log server via rsyslogd configuration but rsyslogd never gets any messages because Samba doesn't appear to be sending anything over syslog (514/udp).

  Wyllys Ingersoll
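
The failure described in this thread (audit records written to a local syslog socket that no daemon is reading) can be checked for directly. The following is an added example, not part of the original post and not Samba code; the function name and status strings are hypothetical, and the demo sockets are constructed in a temporary directory rather than at /dev/log.

```python
import errno
import os
import socket
import stat
import tempfile

def syslog_socket_status(path="/dev/log"):
    """Classify the local syslog socket as a syslog(3) client would find it."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing"              # no daemon ever created the socket
    if not stat.S_ISSOCK(mode):
        return "not-a-socket"
    # Datagram first, then stream: the type depends on the daemon that bound it.
    for sock_type in (socket.SOCK_DGRAM, socket.SOCK_STREAM):
        with socket.socket(socket.AF_UNIX, sock_type) as s:
            try:
                s.connect(path)
                return "listening"
            except OSError as e:
                if e.errno == errno.EPROTOTYPE:
                    continue          # wrong socket type, try the other one
                if e.errno == errno.ECONNREFUSED:
                    return "no-listener"   # stale socket file, messages are lost
                raise
    return "unsupported-type"

def demo():
    """Constructed cases: absent socket, live receiver, stale socket file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "log")
        results["absent"] = syslog_socket_status(path)
        receiver = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        receiver.bind(path)           # stands in for rsyslogd on the socket
        results["daemon running"] = syslog_socket_status(path)
        receiver.close()              # file stays on disk, nothing receives
        results["daemon gone"] = syslog_socket_status(path)
    return results

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
    print("/dev/log:", syslog_socket_status())
```

Run inside the container before relying on syslog-only audit logging; any result other than "listening" for /dev/log means full_audit records sent to syslog will not reach a collector.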
