Logging a samba share using rsyslog.d on ubuntu 12.04 - not working, help!
 

Hi guys

Sorry, this is a real noob question I'm sure. I am trying to log full_audit on my samba windows shares so I know who is creating, deleting, renaming, moving etc. files and directories in the samba/windows share.

In my etc/samba/smb.conf file, under [global] I have:


# Audit settings
full_audit: prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmodfchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit: priority = notice

And under my [file share name] I have:

vfs object = full_audit

I created a new file in etc/rsyslog.d called 00-samba-audit.conf with these two lines in:

local5.notice /var/log/samba/audit.log
&~

And in the file /etc/rsyslog.d/50-default.conf I changed the following line:

*.*;auth,authpriv.none -/var/log/syslog

to read:

*.*;local5,auth,authpriv.none -/var/log/syslog

with this below it:

local5.notice /var/log/samba/audit.log

I then restarted samba and rsyslog. (This all comes from this web page: http://a32.me/2009/10/samba-audit-trail/)It creates the audit.log file in my /var/log/samba/ directory but nothing else happens; it remains empty.
What am I doing wrong?! I would be really grateful if someone could help me to audit my windows/samba share so I know who is creating, moving, deleting, renaming files etc.

Would be hugely grateful if anyone could help me?!

Thanks!

The RiotSloth