Samba audit logging not working as expected

catkin · 05-06-2012, 04:41 AM

This config does not put anything in /var/log/samba/log.audit as expected. The messages are triplicated into /var/log/{messages,syslog,user.log}.

smb.conf.source:

Code:

[global]
domain master = Yes
guest ok = Yes
load printers = No
map to guest = Bad User
netbios name = LS1
preferred master = Yes
remote announce = 10.8.0.6/ACUR 10.8.0.10/ACUR 10.8.0.14/ACUR 10.8.0.18/ACUR \
  10.8.0.22/ACUR 10.8.0.26/ACUR 10.8.0.30/ACUR 10.8.0.34/ACUR 10.8.0.38/ACUR \
  10.8.0.42/ACUR 10.8.0.46/ACUR 10.8.0.50/ACUR 10.8.0.54/ACUR 10.8.0.60/ACUR \
  10.8.0.64/ACUR 10.8.0.68/ACUR
server string = Server
smb ports = 139
syslog = 0
wins support = Yes
workgroup = ACUR

# Audit settings (order may matter)
vfs object = full_audit
vfs_full_audit:prefix = %u|%I|%S
vfs_full_audit:success = all
vfs_full_audit:failure = all
vfs_full_audit:facility = LOCAL7
vfs_full_audit:priority = NOTICE

[snip share definitions]

The smb.conf created from it by testparm smb.conf.source > smb.conf (no error messages)

Code:

[global]
        workgroup = ACUR
        netbios name = LS1
        server string = Server
        map to guest = Bad User
        syslog = 0
        smb ports = 139
        load printers = No
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        remote announce = 10.8.0.6/ACUR 10.8.0.10/ACUR 10.8.0.14/ACUR 10.8.0.18/ACUR   10.8.0.22/ACUR 10.8.0.26/ACUR 10.8.0.30/ACUR 10.8.0.34/ACUR 10.8.0.38/ACUR   10.8.0.42/ACUR 10.8.0.46/ACUR 10.8.0.50/ACUR 10.8.0.54/ACUR 10.8.0.60/ACUR   10.8.0.64/ACUR 10.8.0.68/ACUR
        vfs_full_audit:priority = NOTICE
        vfs_full_audit:facility = LOCAL7
        vfs_full_audit:failure = all
        vfs_full_audit:success = all
        vfs_full_audit:prefix = %u|%I|%S
        guest ok = Yes
        vfs objects = full_audit

/etc/rsyslog.d/samba-audit.conf:

Code:

# rsyslog config fragment for samba audit logging

# Must be harmonised with the samba configuration

if $syslogfacility-text == 'local7' and $programname == 'smbd' then /var/log/samba/log.audit
& ~

The rsyslog and samba daemons were restarted.

After browsing a share using a WXP system, /var/log/{messages,syslog,user.log} got messages but /var/log/samba/log.audit was empty.

This on Debian squeeze with 2:3.5.6~dfsg-3squeeze6 and rsyslog 4.6.4-2.

Tinkster · 05-07-2012, 06:15 PM

W/o having tried to set-up audit_logging on samba myself I notice only that LOCAL7 many
not be the same as local7, just a wild guess, but as you don't mention whether you tried
that or not I thought it may be worth putting it out there ...

Also (again, just poking in the dark) I'm not sure whether the syslog = 0 (only errors)
would override the the notice in the audit section ...

catkin · 05-07-2012, 10:49 PM

Thanks for the suggestions Tinkster

Yes -- I tried both local7 (the way *syslog has it) and LOCAL7 (the way samba has it, as shown by the testparm output. Why did the Samba team choose something different from *syslog?!).

I also tried with and without syslog = 0.