Samba Logging (File Creation)

tntcoder · 09-09-2006, 07:43 PM

Hi,

I am trying to get samba to log file creation and deletion on a share. From what the docs say I need to enable vfs objects = extd_audit, which i have done. This (i think) logs everything into the syslog in /var/syslog.

Is there anyway i can put these specific file change logs into a log file location of my choice, rather than the syslog?

Thanks
Jack

amitsharma_26 · 09-10-2006, 11:58 AM

Quote:

Originally Posted by www.amitsharma.linuxbloggers.com

Logging in samba

Logs are the best & only way to troubleshoot & monitor samba for any problem & better efficiency.
Logs are all about the communication b/w samba box & clients. More the log level (1-10), more the verbosity. Generally you do not need a log level more than 3, i.e. log / debug level = 3 is ideal in most of scenarios. Debug level more than 3 will generate way too much of detailed & crypt information, which generally suits the need of developers.

[global]
....
log level = 3
log file = <absolute-path-of-any-share\samba.log.%m
If you want your logs to be stored seperately for every client BOX or user samba.log.%u to generate logs on user basis.

Max log size = 50
50 means 50 KB. As soon as your file samba.log.%m crosses 50 KB size, existing file is renamed as samba.log.%m.old & log is being appended to a new samba.log.%m file.

debug time stamp = yes
For system logger, you should compile samba as ./configure --with-syslog & in smb.conf

syslog = 1-10
Default is 1.

Syslog only = Yes/No

I hope this will help you..

tbeehler · 12-14-2006, 05:21 PM

Quote:

Originally Posted by tntcoder

Hi,

I am trying to get samba to log file creation and deletion on a share. From what the docs say I need to enable vfs objects = extd_audit, which i have done. This (i think) logs everything into the syslog in /var/syslog.

Is there anyway i can put these specific file change logs into a log file location of my choice, rather than the syslog?

Thanks
Jack

Greetings Jack!

I had the exact same problem you did, and here's what I did to "fix" it. Please note, I have not gotten around the "log file of my choice" section, but I thought I would offer my thoughts in case they helped you or anyone else.

I added these lines to my global section of my smb.conf file

log level = 0 vfs:2
syslog = 0

and I added these lines to my share section

vfs objects = full_audit
full_audit

refix = %u|%I
full_audit:success = open mkdir rmdir write unlink rename
full_audit:failure = mkdir rmdir write unlink rename

Now you can add various commands to the "prefix, success, and failure" parts. For example, I took a look at the "close" option in the "success" section, but got too many false positives for my tastes. This feature isn't very well documented and I did have to piece together the code from various sources, so the code isn't 100% mine.

Once you do those, restart the samba service and then in your syslog file you should get entries like this.

Dec 14 15:18:35 localhost smbd_audit: USERNAME|192.168.0.X|unlink|ok|Share/FOLDER/FILENAME.whatever for when a user manipulates a file or folder.

Hope that helps you or anyone else out!

Travis