I am using Samba to provide shares to users. Sometimes a user claims their files have mysteriously disappeared, so I am keen to track deletions.
Thus I set up full audit.
Everything works, except the audit log is often missing the file name or has some sort of mystery code. For example:
Code:
Dec 12 17:46:04 server1 smbd_audit: shared|shared|192.168.x.x|matt1|shared|2016/12/12 17:46:04|server1|file_id_create|ok|802:28200da:0
The file name should be the last field but in this case appears as
802:28200da:0
Why is there a number instead?
Many entries only show a dot at the end or a zero.
The main item needed for this tracking is the actual file name; the log as it is is of limited help. Please can anyone suggest how I can get the file names into the log?
The relevant part of /etc/samba/smb.conf is
Code:
[homes]
comment = Home Directories
browseable = yes
create mask = 0775
directory mask = 0775
writable = yes
vfs objects = recycle
recycle:repository = .RecycleBin
recycle:keeptree = yes
recycle:exclude = *.bak *.tmp,*.temp,*.o,*.obj,~$*,*.~??,~*.*,*.TMP,*.TEMP,lock.*,.~lock.*,LOCK.*,*.lock,*.~lock,*.LNK,*.lnk,*.ldb
recycle:minsize = 1
vfs objects = full_audit
#full_audit:prefix = %u|%I|%S
full_audit:prefix = %u|%U|%I|%m|%S|%T|%D
full_audit:success = mkdir rename unlink rmdir open close read pread write realpath
full_audit:failure = none
full_audit:facility = LOCAL5
full_audit:priority = NOTICE
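
Added example, not part of the original post: a small parser that splits each `smbd_audit` line according to the `full_audit:prefix` shown above and reports only successful `unlink`, `rmdir` and `rename` operations, which are the entries relevant to tracking deletions. The field names, the function names and all sample lines except the first are assumptions constructed for illustration.

```python
import re

# Names for the prefix on the page: full_audit:prefix = %u|%U|%I|%m|%S|%T|%D
PREFIX_FIELDS = ("user", "session_user", "client_ip", "client_name",
                 "share", "time", "domain")
# Operations from the page's full_audit:success list that remove or move a path.
DELETION_OPS = {"unlink", "rmdir", "rename"}

# Syslog header as in the page's sample: "Dec 12 17:46:04 server1 smbd_audit: ..."
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ smbd_audit: (?P<body>.*)$")


def parse_audit_line(line):
    """Split one smbd_audit syslog line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Caveat: a path that itself contains '|' would be split into extra fields.
    parts = m.group("body").split("|")
    n = len(PREFIX_FIELDS)
    if len(parts) < n + 2:          # need prefix + operation + result
        return None
    rec = dict(zip(PREFIX_FIELDS, parts[:n]))
    rec["op"], rec["result"] = parts[n], parts[n + 1]
    rec["args"] = parts[n + 2:]     # path(s) or other operation argument
    return rec


def deletions(lines):
    """Return (time, user, client_ip, op, args) for successful unlink/rmdir/rename."""
    out = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["op"] in DELETION_OPS and rec["result"] == "ok":
            out.append((rec["time"], rec["user"], rec["client_ip"], rec["op"], rec["args"]))
    return out


# First line is the entry quoted in the post; the rest are constructed samples.
SAMPLE = [
    "Dec 12 17:46:04 server1 smbd_audit: shared|shared|192.168.x.x|matt1|shared|2016/12/12 17:46:04|server1|file_id_create|ok|802:28200da:0",
    "Dec 12 17:47:10 server1 smbd_audit: alice|alice|192.0.2.10|pc7|alice|2016/12/12 17:47:10|server1|unlink|ok|docs/report.odt",
    "Dec 12 17:47:30 server1 smbd_audit: alice|alice|192.0.2.10|pc7|alice|2016/12/12 17:47:30|server1|rename|ok|docs/a.txt|docs/b.txt",
    "Dec 12 17:48:02 server1 smbd_audit: alice|alice|192.0.2.10|pc7|alice|2016/12/12 17:48:02|server1|open|ok|r|docs/b.txt",
]

if __name__ == "__main__":
    for hit in deletions(SAMPLE):
        print(*hit, sep="  ")
```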