Sorry, this is a real noob question I'm sure. I am trying to log full_audit on my samba windows shares so I know who is creating, deleting, renaming, moving etc. files and directories in the samba/windows share.
In my etc/samba/smb.conf file, under [global] I have:
# Audit settings
full_audit: prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmodfchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit: priority = notice
And under my [file share name] I have:
vfs object = full_audit
I created a new file in etc/rsyslog.d called 00-samba-audit.conf with these two lines in:
And in the file /etc/rsyslog.d/50-default.conf I changed the following line:
with this below it:
I then restarted samba and rsyslog. (This all comes from this web page: http://a32.me/2009/10/samba-audit-trail/) It creates the audit.log file in my /var/log/samba/ directory but nothing else happens; it remains empty.
What am I doing wrong?! I would be really grateful if someone could help me to audit my windows/samba share so I know who is creating, moving, deleting, renaming files etc.
Would be hugely grateful if anyone could help me?!
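
Added example, not part of the original post: a small Python check for an smb.conf like the one quoted above. It reports operation names in full_audit:success/failure that are not in a known list (for instance two names run together), the facility.priority pair that a syslog rule has to match, and which shares load full_audit. KNOWN_OPS, SAMPLE, split_fused and check are names made up for this example, and the operation list is assumed to match the Samba version in use.

```python
import configparser

# Operation names from the post's full_audit:success list (assumed valid here).
KNOWN_OPS = set("""connect disconnect opendir mkdir rmdir closedir open close
read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir
ftruncate lock symlink readlink link mknod realpath""".split())

# Constructed sample mirroring the settings quoted in the post (list shortened).
SAMPLE = """\
[global]
full_audit: prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect mkdir rmdir rename unlink chmodfchmod chown
full_audit:facility = local5
full_audit: priority = notice
[file share name]
vfs object = full_audit
"""

def split_fused(token):
    """Return (a, b) if token is two known operation names run together."""
    for i in range(1, len(token)):
        if token[:i] in KNOWN_OPS and token[i:] in KNOWN_OPS:
            return token[:i], token[i:]
    return None

def check(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#", ";"))
    cp.read_string(text)
    # Drop whitespace in keys so "full_audit: prefix" == "full_audit:prefix".
    conf = {s: {"".join(k.split()): v for k, v in cp[s].items()}
            for s in cp.sections()}
    g = conf.get("global", {})
    report = {"unknown_ops": {}, "audited_shares": []}
    for key in ("full_audit:success", "full_audit:failure"):
        for tok in g.get(key, "").split():
            if tok not in KNOWN_OPS:
                report["unknown_ops"][tok] = split_fused(tok)
    # facility.priority is the selector a syslog rule has to match.
    report["selector"] = "{}.{}".format(g.get("full_audit:facility", "unset"),
                                        g.get("full_audit:priority", "unset"))
    for name, opts in conf.items():
        vfs = opts.get("vfsobjects", opts.get("vfsobject", ""))
        if "full_audit" in vfs.split():
            report["audited_shares"].append(name)
    return report

if __name__ == "__main__":
    print(check(SAMPLE))
```

The reported selector (local5.notice for the sample) is what the rsyslog rule for audit.log needs to match.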