Samba Log all user activities
Hi,
Can anyone tell me how I can log all my Samba users' delete and write activities? Currently I have set the following config options:
admin log = yes
log level = 2
syslog = 2
log file = /var/opt/samba/log.%m
I do get the following messages in my log file when I create and delete a file:
Quote:
Thanks in advance,
simplyA
Samba has an audit module which can provide full logging on shares.
In the log file you will get something like this:
Code:
May 29 09:31:59 smbsrv smbd_audit: johndoe|192.168.xx.yy|machine-name|Share-name|open|ok|r|dir1/dir2/file
All you need is the full_audit module (/usr/lib/samba/vfs/full_audit.so), which is part of the Samba server (mine is samba-3.0.24-6.ccj1.rpm), and to add the following in your share definition:
Code:
vfs objects = full_audit
Thanks and sorry for the late reply!
Confirmation
First, thank you for this invaluable information. From reading somewhere, following the action was the result -- in this case 'ok' followed the open action. Then what does the 'r' (the 'r' between open and file name) represent?
Another thing I would like to ask. When people open a shared directory, especially when there are a lot of subdirectories within, lots of information concerning the |stat|fail is thrown into /etc/log/messages. Can we prevent this from showing up there, since I only need the rmdir, mkdir, unlink and rename logs and it makes my log messages grow too big (60MB of file size within 4-6 hours)?
Thank you in advance for your help.
PS. Pardon my English.
Regards,
sato
Please help me
How can I get a report from the full_audit.so module like this:
29 09:31:59 smbsrv smbd_audit: johndoe|192.168.xx.yy|machine-name|Share-name|open|ok|r|dir1/dir2/file
This is my smb.conf:
[global]
workgroup = MYSERVER
netbios name = slackware12
server string = Samba Server
log level = 2
log file = /var/log/samba.%m
max log size = 50
level2 oplocks = True
#
[audit]
comment = audit
path = /mnt/hda3/tes
create mask = 0777
directory mask = 0777
vfs objects = full_audit
full_audit:failure = none
full_audit:success = mkdir rename unlink rmdir open pwrite
full_audit:prefix = %u|%I|%m|%S
writeable = yes
browseable = yes
security = user
valid users = samba
And this is my report:
----------------cut--------------------------------
[2008/07/07 16:15:03, 2] smbd/close.c:close_normal_file(399)
  samba closed file 06. KAU YANG TERINDAH.mp3 (numopen=0) NT_STATUS_OK
[2008/07/07 16:15:03, 2] smbd/open.c:open_file(391)
  samba opened file 07. ALLAH BAPA.mp3 read=No write=Yes (numopen=1)
[2008/07/07 16:15:03, 2] smbd/close.c:close_normal_file(399)
  samba closed file 07. ALLAH BAPA.mp3 (numopen=0) NT_STATUS_OK
[2008/07/07 16:15:03, 2] smbd/open.c:open_file(391)
  samba opened file 08. YESUS SAHABATKU.mp3 read=No write=Yes (numopen=1)
[2008/07/07 16:15:03, 2] smbd/close.c:close_normal_file(399)
  samba closed file 08. YESUS SAHABATKU.mp3 (numopen=0) NT_STATUS_OK
[2008/07/07 16:15:03, 2] smbd/open.c:open_file(391)
  samba opened file 09. BAPAKU RINDU.mp3 read=No write=Yes (numopen=1)
[2008/07/07 16:15:03, 2] smbd/close.c:close_normal_file(399)
  samba closed file 09. BAPAKU RINDU.mp3 (numopen=0) NT_STATUS_OK
[2008/07/07 16:15:03, 2] smbd/open.c:open_file(391)
  samba opened file 10. DENGAN SEGENAP HATI.mp3 read=No write=Yes (numopen=1)
[2008/07/07 16:15:03, 2] smbd/close.c:close_normal_file(399)
  samba closed file 10. DENGAN SEGENAP HATI.mp3 (numopen=0) NT_STATUS_OK
---------------------cut----------------------------------------------
The full_audit is written to syslog.
Check http://moiristo.wordpress.com/2009/0...user-activity/
Add to samba config:
Code:
vfs objects = full_audit
Code:
if $syslogfacility-text == 'local7' and $programname == 'smbd' then /var/log/samba/log.audit
Code:
/etc/init.d/rsyslog restart
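Added example (not part of any post in this thread, and not Samba's own code): a small Python filter for the smbd_audit syslog lines discussed above, keeping only the delete and write operations the posters wanted and counting them per user. It assumes full_audit:prefix = %u|%I|%m|%S as in the smb.conf posted earlier; the sample log lines and the names parse_line, watched_events and summarize are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in this thread, assuming
# full_audit:prefix = %u|%I|%m|%S (user|client IP|machine|share).
SAMPLE_LOG = """\
May 29 09:31:59 smbsrv smbd_audit: johndoe|192.0.2.10|pc-01|docs|open|ok|r|dir1/dir2/file
May 29 09:32:04 smbsrv smbd_audit: johndoe|192.0.2.10|pc-01|docs|stat|fail (No such file or directory)|dir1/missing
May 29 09:32:10 smbsrv smbd_audit: johndoe|192.0.2.10|pc-01|docs|unlink|ok|dir1/dir2/file
May 29 09:33:41 smbsrv smbd_audit[4242]: alice|192.0.2.11|pc-02|docs|rename|ok|old name.txt|new name.txt
May 29 09:34:02 smbsrv smbd_audit: alice|192.0.2.11|pc-02|docs|rmdir|fail (Directory not empty)|dir1
May 29 09:34:05 smbsrv kernel: unrelated line
"""

# Classic syslog header, optional PID after the program name, then the audit message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) smbd_audit(?:\[\d+\])?: (?P<msg>.*)$")
WATCHED = {"mkdir", "rmdir", "unlink", "rename", "pwrite"}

def parse_line(line):
    """Return a dict for one smbd_audit syslog line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Note: a '|' inside a file name would shift the trailing args.
    parts = m.group("msg").split("|")
    if len(parts) < 6:
        return None  # prefix does not match the assumed four-field layout
    user, ip, machine, share, op, result = parts[:6]
    return {"ts": m.group("ts"), "user": user, "ip": ip, "machine": machine,
            "share": share, "op": op, "result": result, "ok": result == "ok",
            "args": parts[6:]}  # operation-specific, e.g. old and new name for rename

def watched_events(text, ops=WATCHED):
    """Parse every line and keep only the operations of interest."""
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e and e["op"] in ops]

def summarize(events):
    """Count events per (user, operation, ok/fail)."""
    return Counter((e["user"], e["op"], "ok" if e["ok"] else "fail") for e in events)

if __name__ == "__main__":
    for key, count in sorted(summarize(watched_events(SAMPLE_LOG)).items()):
        print(*key, count)
```

Filtering at read time like this is a complement to, not a replacement for, limiting what the module logs with full_audit:success and full_audit:failure as in the smb.conf above.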