LinuxQuestions.org (https://www.linuxquestions.org/questions/)
Linux - Server: Samba Log all user activities (https://www.linuxquestions.org/questions/linux-server-73/samba-log-all-user-activities-557413/)

simplyA 05-29-2007 06:21 AM

Samba Log all user activities
 
Hi,

Can anyone tell me how I can log all my Samba users' delete and write activities? Currently I have set the following config options:

admin log = yes
log level = 2
syslog = 2
log file = /var/opt/samba/log.%m

I get the following messages in my log file when I create and delete a file:
Quote:

linux-me (10.2.10.17) connect to service win_pub as user win_pub (uid=116, gid=20) (pid 10317)
[2007/05/29 14:37:52, 2] smbd/open.c:(243)
public opened file file.txt read=No write=Yes (numopen=1)
[2007/05/29 14:37:52, 2] smbd/close.c:(227)
win_pub closed file file.txt (numopen=0)
[2007/05/29 14:39:29, 2] smbd/open.c:(243)
public opened file file.txt read=Yes write=No (numopen=1)
[2007/05/29 14:39:29, 2] smbd/close.c:(227)
win_pub closed file file.txt (numopen=0)
Unfortunately, I can't figure out whether a file is being read, created, deleted or just modified. Does anyone have a better solution?

Thanks in advance,

simplyA

marozsas 05-29-2007 07:38 AM

Samba has an audit module which can provide full logging on shares.
In the log file you will get something like this:
Code:

May 29 09:31:59 smbsrv smbd_audit: johndoe|192.168.xx.yy|machine-name|Share-name|open|ok|r|dir1/dir2/file
Besides the open mode, you can get pwrite, unlink, rename, rmdir, mkdir, etc. Check the documentation.

All you need is the full_audit module (/usr/lib/samba/vfs/full_audit.so), which is part of the Samba server (mine is samba-3.0.24-6.ccj1.rpm), and to add the following to your share definition:
Code:

        vfs objects = full_audit
        full_audit:failure = none
        full_audit:success = mkdir rename unlink rmdir open pwrite
        full_audit:prefix = %u|%I|%m|%S


simplyA 08-18-2007 06:35 AM

Thanks and sorry for the late reply!

sato 09-05-2007 08:46 PM

Confirmation
 
First, thank you for that invaluable information. From what I read somewhere, the result follows the action; in this case 'ok' followed the open action. Then what does the 'r' (the 'r' between open and the file name) represent?

Another thing I would like to ask. When people open a shared directory, especially when there are a lot of subdirectories within, lots of |stat|fail lines are thrown into /etc/log/messages. Can we prevent this from showing up there, since I only need the rmdir, mkdir, unlink and rename logs, and it makes my log file grow too big (60MB of file size within 4-6 hours)? Thank you in advance for your help.

P.S. Pardon my English.


Regards,

sato


Quote:

Originally Posted by marozsas (Post 2766676)
Samba has a audit module which can provide full logging on shares.
In the log file you will get something like that:
Code:

May 29 09:31:59 smbsrv smbd_audit: johndoe|192.168.xx.yy|machine-name|Share-name|open|ok|r|dir1/dir2/file


marozsas 09-06-2007 07:51 AM

Quote:

Originally Posted by sato (Post 2882661)
Then what the 'r' (the 'r' between open and file name)represents for?

It is the open mode; in this case, opened for reading. But you can also get "|w|", which stands for open for writing.

Quote:

Originally Posted by sato (Post 2882661)
Can we prevent this to show up there, since I only need the rmdir, mkdir, unlink and rename logs and it makes my log messages grow up to big (60MB of file size within 4-6 hours)?

I have no idea. Sorry... If you manage to figure it out, please post the solution back in this thread.

magnetux 07-07-2008 04:11 AM

Please help me
 
How can I get a report from the full_audit.so module like this:

29 09:31:59 smbsrv smbd_audit: johndoe|192.168.xx.yy|machine-name|Share-name|open|ok|r|dir1/dir2/file

This is my smb.conf:

[global]
workgroup = MYSERVER
netbios name = slackware12
server string = Samba Server
# global-only parameter: Samba ignores it (with a warning) if it is placed in a share section
security = user
log level = 2
log file = /var/log/samba.%m
max log size = 50
level2 oplocks = True
#
[audit]
comment = audit
path = /mnt/hda3/tes
create mask = 0777
directory mask = 0777
# full_audit writes its lines via syslog, not to the 'log file' set above
vfs objects = full_audit
full_audit:failure = none
full_audit:success = mkdir rename unlink rmdir open pwrite
full_audit:prefix = %u|%I|%m|%S
writeable = yes
browseable = yes
valid users = samba

And this is my report:

----------------cut--------------------------------

[2008/07/07 16:15:03, 2] smbd/close.c:close_normal_file(399)
samba closed file 06. KAU YANG TERINDAH.mp3 (numopen=0) NT_STATUS_OK
[2008/07/07 16:15:03, 2] smbd/open.c:open_file(391)
samba opened file 07. ALLAH BAPA.mp3 read=No write=Yes (numopen=1)
[2008/07/07 16:15:03, 2] smbd/close.c:close_normal_file(399)
samba closed file 07. ALLAH BAPA.mp3 (numopen=0) NT_STATUS_OK
[2008/07/07 16:15:03, 2] smbd/open.c:open_file(391)
samba opened file 08. YESUS SAHABATKU.mp3 read=No write=Yes (numopen=1)
[2008/07/07 16:15:03, 2] smbd/close.c:close_normal_file(399)
samba closed file 08. YESUS SAHABATKU.mp3 (numopen=0) NT_STATUS_OK
[2008/07/07 16:15:03, 2] smbd/open.c:open_file(391)
samba opened file 09. BAPAKU RINDU.mp3 read=No write=Yes (numopen=1)
[2008/07/07 16:15:03, 2] smbd/close.c:close_normal_file(399)
samba closed file 09. BAPAKU RINDU.mp3 (numopen=0) NT_STATUS_OK
[2008/07/07 16:15:03, 2] smbd/open.c:open_file(391)
samba opened file 10. DENGAN SEGENAP HATI.mp3 read=No write=Yes (numopen=1)
[2008/07/07 16:15:03, 2] smbd/close.c:close_normal_file(399)
samba closed file 10. DENGAN SEGENAP HATI.mp3 (numopen=0) NT_STATUS_OK

---------------------cut----------------------------------------------

Avdaga 02-04-2011 04:02 AM

The full_audit output is written to syslog.
Check http://moiristo.wordpress.com/2009/0...user-activity/

Add to the Samba config:
Code:

vfs objects = full_audit

full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = LOCAL7
full_audit:priority = NOTICE

If you are using rsyslog (Debian squeeze uses it), then add to /etc/rsyslog.conf:
Code:

# match both the 'smbd' and the 'smbd_audit' syslog tags (the audit lines quoted above carry smbd_audit)
if $syslogfacility-text == 'local7' and $programname startswith 'smbd' then /var/log/samba/log.audit
Don't forget to restart rsyslogd. In Debian squeeze:
Code:

/etc/init.d/rsyslog restart

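As an added example (not code from anyone in this thread or from the Samba project), here is a small Python parser for the audit lines as rsyslog writes them into a file like /var/log/samba/log.audit with the %u|%I|%m|%S prefix used in the configs above. It classifies each line as a read, write, delete, mkdir or rename, drops the failed stat calls sato complained about, and produces the per-user delete/write summary the opening post asked for. The sample lines are constructed for the example; the *at operation names (unlinkat, renameat, ...) that newer Samba 4.x releases emit are accepted on the assumption that their fields are laid out the same way as the 3.x names shown in this thread.

```python
# Parse Samba full_audit lines as delivered through rsyslog and classify them.
# Added example for this thread (not the posters' or Samba's code). Assumes
# full_audit:prefix = %u|%I|%m|%S, i.e. user|ip|client|share|op|result|...
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Header rsyslog puts in front of the module output:
#   "May 29 09:31:59 smbsrv smbd_audit: <body>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) smbd_audit: (?P<body>.*)$"
)

# Samba 3.x operation names plus the *at names newer Samba 4.x emits for the
# same operations (assumption: the op-specific fields have the same layout).
OPEN_OPS = {"open", "openat"}
WRITE_OPS = {"pwrite", "write"}
DELETE_OPS = {"unlink", "unlinkat", "rmdir"}
MKDIR_OPS = {"mkdir", "mkdirat"}
RENAME_OPS = {"rename", "renameat"}


@dataclass
class AuditEvent:
    ts: str
    user: str
    client_ip: str
    share: str
    op: str
    ok: bool            # result field was "ok" rather than "fail"
    kind: str           # read / write / delete / mkdir / rename / other
    path: str
    new_path: str = ""  # second path, renames only


def parse_line(line):
    """Return an AuditEvent for one syslog line, or None if it is not audit output.
    Caveat: full_audit does not escape '|' in paths, so such paths split wrongly."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("body").split("|")
    if len(parts) < 6:
        return None
    user, ip, _client, share, op, result = parts[:6]
    rest = parts[6:]
    first = rest[0] if rest else ""
    second = rest[1] if len(rest) > 1 else ""
    kind, path, new_path = "other", first, ""
    if op in OPEN_OPS:
        # open is logged as open|ok|<r|w>|<path>. 'w' only says the file was
        # opened for writing, not whether it existed before, so "created"
        # versus "modified" cannot be read off this line alone.
        kind, path = ("write" if first == "w" else "read"), second
    elif op in WRITE_OPS:
        kind = "write"
    elif op in DELETE_OPS:
        kind = "delete"
    elif op in MKDIR_OPS:
        kind = "mkdir"
    elif op in RENAME_OPS:
        kind, new_path = "rename", second   # rename|ok|<old>|<new>
    return AuditEvent(m.group("ts"), user, ip, share, op,
                      result == "ok", kind, path, new_path)


def parse_lines(lines):
    return [ev for ev in map(parse_line, lines) if ev is not None]


def summarize(events, ignore_failures=True):
    """Count events per user and kind. Failed operations (the |stat|fail flood
    from the thread) and 'other' operations are dropped."""
    per_user = defaultdict(Counter)
    for ev in events:
        if ev.kind == "other" or (ignore_failures and not ev.ok):
            continue
        per_user[ev.user][ev.kind] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


# Constructed sample input in the format the thread shows (not real traffic).
SAMPLE_LINES = [
    "May 29 09:31:59 smbsrv smbd_audit: johndoe|192.168.1.20|ws01|public|open|ok|r|dir1/dir2/file",
    "May 29 09:32:03 smbsrv smbd_audit: johndoe|192.168.1.20|ws01|public|open|ok|w|dir1/report.doc",
    "May 29 09:32:03 smbsrv smbd_audit: johndoe|192.168.1.20|ws01|public|pwrite|ok|dir1/report.doc",
    "May 29 09:32:10 smbsrv smbd_audit: johndoe|192.168.1.20|ws01|public|rename|ok|dir1/report.doc|dir1/report-final.doc",
    "May 29 09:33:41 smbsrv smbd_audit: alice|192.168.1.31|ws02|public|unlink|ok|dir1/dir2/file",
    "May 29 09:33:42 smbsrv smbd_audit: alice|192.168.1.31|ws02|public|mkdir|ok|dir3",
    "May 29 09:33:42 smbsrv smbd_audit: alice|192.168.1.31|ws02|public|rmdir|ok|dir1/dir2",
    "May 29 09:33:50 smbsrv smbd_audit: alice|192.168.1.31|ws02|public|stat|fail|dir1/missing",
    "May 29 09:33:55 smbsrv smbd_audit: alice|192.168.1.31|ws02|public|stat|ok|dir3",
    "May 29 09:34:00 smbsrv kernel: unrelated syslog line",
]

if __name__ == "__main__":
    for ev in parse_lines(SAMPLE_LINES):
        target = f"{ev.path} -> {ev.new_path}" if ev.new_path else ev.path
        print(f"{ev.ts} {ev.user}@{ev.client_ip} {ev.share}: {ev.kind:7} {target}"
              f"{'' if ev.ok else '  (failed)'}")
    print(summarize(parse_lines(SAMPLE_LINES)))
```

The parser also makes a limitation of the module visible: an open|ok|w line only records that a file was opened for writing, so whether it was created or merely modified needs a pwrite line (data actually written) or a comparison against an earlier listing; unlink, rmdir and rename are unambiguous on their own.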
