[Samba] vfs_full_audit log question

d tbsky tbskyd at gmail.com
Tue Sep 12 01:33:32 UTC 2023

Kees van Vloten via samba <samba at lists.samba.org>

> You have already set it to log to rsyslog to the local5 facility, all
> you have to do is configure rsyslog to write samba audit logs to
> /var/log/samba/audit.log. Put something like this:
> :programname, startswith, "smbd_audit" {
>   -/var/log/samba/audit_smb.log
>   stop
> }
> in /etc/rsyslog.d/samba_audit_smb.conf and restart rsyslog (disclaimer:
> this is tested on Debian, I don't have Red Hat).
> If it is still too noisy you can add additional filtering in the rsyslog
> conf file.

   Currently I already have similar rsyslog settings on
Debian or RHEL; both go to journald, to rsyslog, to the file. It makes
huge useless data at journald. I also need to take care of rate
limiting settings both for journald and rsyslog. But it seems the only
way to filter the log data. Is there something I can do with the
samba direct writing configuration:

log level = 1 full_audit:1@/var/log/samba/audit.log

Can I pipe data to a custom script so I can filter out the redundant
"../../source3/modules/vfs_full_audit.c:640(do_log)" at every entry?
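
Added example, not part of the original message and not Samba code: a shell/awk filter that post-processes the file written by the `full_audit:1@/var/log/samba/audit.log` setting, dropping the repeated `vfs_full_audit.c:NNN(do_log)` source location and joining each entry into one timestamped line. It assumes Samba's default two-line file-log layout (a bracketed timestamp/level header, then the message indented by two spaces); the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Assumed on-disk layout of one Samba file-log entry (default debug header):
#   [2023/09/12 01:33:32.100000,  1] ../../source3/modules/vfs_full_audit.c:640(do_log)
#     alice|192.0.2.10|open|ok|r|report.txt

# strip_audit_header (hypothetical name): stdin = raw Samba log,
# stdout = "timestamp message", one line per full_audit entry.
strip_audit_header() {
    awk '
    # Header line: remember its timestamp and whether do_log() emitted it.
    /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / {
        ts = $0
        sub(/^\[/, "", ts)      # drop the opening bracket
        sub(/,.*$/, "", ts)     # drop ", level] file:line(function)"
        # The line number differs between Samba builds, so match any number.
        is_audit = ($0 ~ /vfs_full_audit\.c:[0-9]+\(do_log\)/)
        next
    }
    # Message line belonging to a full_audit header: emit it with the timestamp.
    is_audit && /^  / {
        sub(/^  /, "")
        print ts " " $0
    }
    # Anything else (messages from other Samba modules) is dropped.
    '
}

# Constructed sample input: two audit entries and one unrelated smbd message.
sample_log() {
    cat <<'EOF'
[2023/09/12 01:33:32.100000,  1] ../../source3/modules/vfs_full_audit.c:640(do_log)
  alice|192.0.2.10|open|ok|r|report.txt
[2023/09/12 01:33:32.900000,  1] ../../source3/smbd/service.c:1131(close_cnum)
  client (ipv4:192.0.2.10:51234) closed connection to service share
[2023/09/12 01:33:33.200000,  1] ../../source3/modules/vfs_full_audit.c:640(do_log)
  alice|192.0.2.10|close|ok|report.txt
EOF
}

# Demonstration on the constructed sample.
sample_log | strip_audit_header
```
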
