Samba has an audit module that I think can do what you want.
For example, in my instalation, a typical output is:
Code:
May 7 13:05:26 bigslam smbd_audit: tatiane.falasca|192.168.160.24|stc-081|rh|unlink|ok|RECURSOS HUMANOS/volume03.doc
May 3 18:16:59 bigslam smbd_audit: erika|192.168.160.126|stc-057|at|open|ok|r|2010/Doctos scanneados/CTPS Paulo 3.JPG
May 3 18:16:59 bigslam smbd_audit: erika|192.168.160.126|stc-057|at|pwrite|ok|2010/Doctos scanneados/B5a00196
May 3 18:16:59 bigslam smbd_audit: erika|192.168.160.126|stc-057|at|rename|ok|2010/Doctos scanneados/Registro Paulo.zip|Lixeira/2010/Doctos scanneados/Copy #4 of Registro Paulo.zip
In this output you can see the date, the server name, the samba auditing module name, the user name, the IP of the windows client, the windows machine name, the name of the samba share (in this case, "rh" and "at"), the operation (which could be mkdir, rename, unlink, rmdir, open, and pwrite) the status of operation (and the open mode), and finally, the name of file in the share.
To use it, install the samba audit module, and in the smb.conf, in a share definition:
Code:
...
[Marketing]
comment = Marketing
path = ...
valid users = ...
vfs objects = full_audit
full_audit:failure = none
full_audit:success = mkdir rename unlink rmdir open pwrite
full_audit:prefix = %u|%I|%m|%S
...
There are some more options in this module, but you got the idea.
I hope it helps.