Logging a samba share using rsyslog.d on ubuntu 12.04 - not working, help!
Hi guys
Sorry, this is a real noob question I'm sure. I am trying to log full_audit on my samba windows shares so I know who is creating, deleting, renaming, moving etc. files and directories in the samba/windows share. In my etc/samba/smb.conf file, under [global] I have: # Audit settings full_audit: prefix = %u|%I|%S full_audit:failure = connect full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmodfchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath full_audit:facility = local5 full_audit: priority = notice And under my [file share name] I have: vfs object = full_audit I created a new file in etc/rsyslog.d called 00-samba-audit.conf with these two lines in: local5.notice /var/log/samba/audit.log &~ And in the file /etc/rsyslog.d/50-default.conf I changed the following line: *.*;auth,authpriv.none -/var/log/syslog to read: *.*;local5,auth,authpriv.none -/var/log/syslog with this below it: local5.notice /var/log/samba/audit.log I then restarted samba and rsyslog. (This all comes from this web page: http://a32.me/2009/10/samba-audit-trail/)It creates the audit.log file in my /var/log/samba/ directory but nothing else happens; it remains empty. What am I doing wrong?! I would be really grateful if someone could help me to audit my windows/samba share so I know who is creating, moving, deleting, renaming files etc. Would be hugely grateful if anyone could help me?! Thanks! The RiotSloth |
All times are GMT -5. The time now is 09:33 AM. |