[Samba] vfs_full_audit log question
d tbsky
tbskyd at gmail.com
Tue Sep 12 01:33:32 UTC 2023
Kees van Vloten via samba <samba at lists.samba.org>
> You have already set it to log to rsyslog to the local5 facility, all
> you have to do is configure rsyslog to write samba audit logs to
> /var/log/samba/audit.log. Put something like this:
>
> :programname, startswith, "smbd_audit" {
> -/var/log/samba/audit_smb.log
> stop
> }
>
>
> in /etc/rsyslog.d/samba_audit_smb.conf and restart rsyslog (disclaimer
> this is tested on debian, I don't have redhat)
>
> If it is still too noisy you add additional filtering in the rsyslog
> conf file.
Hi:
currently I already have similar rsyslog settings to
/var/log/samba/audit.log.
debian or rhel, both goto to journald to rsyslog to the file. it makes
huge useless data at journald. I also need to take care of rate
limiting settings both for journald and rsyslog. but it seems the only
way to filter the log data. is there something I can do with the
samba direct writing configuration:
log level = 1 full_audit:1@/var/log/samba/audit.log
can I piple data to custom script so I can filter out the redundant
"../../source3/modules/vfs_full_audit.c:640(do_log)" at every entry ?
More information about the samba
mailing list