LinuxQuestions.org
Old 05-07-2012, 12:32 AM   #46
centos123
Member
 
Registered: Apr 2011
Posts: 397

Original Poster
Rep: Reputation: 16

http://www.linuxquestions.org/questi...ux-smb-808012/
In this post, one line says: "To use it, install the samba audit module, and in the smb.conf, in a share definition:"

How should I install it?
 
Old 05-07-2012, 04:57 AM   #47
centos123
Member
 
Registered: Apr 2011
Posts: 397

Original Poster
Rep: Reputation: 16
I am not getting the log.
 
Old 05-07-2012, 11:26 PM   #48
centos123
Member
 
Registered: Apr 2011
Posts: 397

Original Poster
Rep: Reputation: 16
I am getting this log every time:


[root@linuxpc samba]# ll
total 168
-rw-r--r-- 1 root root 129 May 7 15:28 0.0.0.0.log
-r-- 1 root root 0 May 7 17:25 172.16.27.7.log
-rw-r--r-- 1 root root 0 May 7 16:25 172.16.3.28.log
-rw-r--r-- 1 root root 129 May 7 15:27 172.16.9.3.log
drwx------ 4 root root 4096 Feb 3 10:18 cores
-rw-r--r-- 1 root root 0 May 7 15:34 corp1-fin-032.log
-rw-r--r-- 1 root root 272 May 7 16:50 sip1-raw-027.log
-rw-r--r-- 1 root root 1881 May 7 17:34 sip-exc-006.log
-rw-r--r-- 1 root root 8279 May 7 17:34 smbd.log
-rw-r--r-- 1 root root 4417 May 7 10:16 smbd.log.1
-rw-r--r-- 1 root root 18896 May 2 04:02 smbd.log.2
-rw-r--r-- 1 root root 16097 Apr 25 10:06 smbd.log.3
-rw-r--r-- 1 root root 14167 Apr 16 10:08 smbd.log.4

I checked with the people these IP addresses belong to about accessing my PC, but only 2 people have accessed my PC; no one else has. Then why are these false logs being generated?

Most of the IPs belong to a remote location; a few IPs belong to my location.
 
Old 05-08-2012, 05:07 AM   #49
pantdk
Member
 
Registered: Oct 2011
Location: New Delhi
Posts: 248
Blog Entries: 3

Rep: Reputation: 17
I tested a machine with the following config and found that I can see a log file which denotes the IP address of the machine that is connected to the samba share, so you can just try it.

With the help of the %m variable, we can create log files for specific users or clients/IPs:
log file = /var/log/samba/log.%m

[test2]
path = /dump
valid users = dk
public = yes
writeable = yes
browseable = yes
guest ok = yes
log level = 0 vfs: 0
log file = /var/log/samba/log.%m
max log size = 0


[root@localhost ~]# cd /var/log/samba/
[root@localhost samba]# ll
total 28
drwx------. 3 root root 4096 May 8 11:18 cores
-rw-r--r--. 1 root root 0 May 8 11:43 log.__ffff_192.168.45.1
-rw-r--r--. 1 root root 1024 May 8 11:53 log.macbook-672edc
-rw-r--r--. 1 root root 13960 May 8 11:53 log.smbd
drwx------. 2 root root 4096 Oct 26 2011 old
[root@localhost samba]#

Last edited by pantdk; 05-08-2012 at 06:50 AM.
 
Old 05-08-2012, 11:36 PM   #50
centos123
Member
 
Registered: Apr 2011
Posts: 397

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by pantdk
I tested a machine with the following config and found that I can see a log file which denotes the IP address of the machine that is connected to the samba share, so you can just try it.

With the help of the %m variable, we can create log files for specific users or clients/IPs:
log file = /var/log/samba/log.%m

[test2]
path = /dump
valid users = dk
public = yes
writeable = yes
browseable = yes
guest ok = yes
log level = 0 vfs: 0
log file = /var/log/samba/log.%m
max log size = 0


[root@localhost ~]# cd /var/log/samba/
[root@localhost samba]# ll
total 28
drwx------. 3 root root 4096 May 8 11:18 cores
-rw-r--r--. 1 root root 0 May 8 11:43 log.__ffff_192.168.45.1
-rw-r--r--. 1 root root 1024 May 8 11:53 log.macbook-672edc
-rw-r--r--. 1 root root 13960 May 8 11:53 log.smbd
drwx------. 2 root root 4096 Oct 26 2011 old
[root@localhost samba]#

I am using the same configuration, and my previous post is the output of that log.
I am saying that the log shows the IPs that accessed my PC, but many of those IPs did not access my PC. Only 2 PCs have accessed my PC. Then why are the rest of the IPs shown as having accessed my PC?
 
Old 05-09-2012, 03:37 AM   #51
pantdk
Member
 
Registered: Oct 2011
Location: New Delhi
Posts: 248
Blog Entries: 3

Rep: Reputation: 17
OK, so you mean that machines in the network which are not even connected to the samba server also show up, with their IPs, in the samba logs?
 
Old 05-09-2012, 06:14 AM   #52
centos123
Member
 
Registered: Apr 2011
Posts: 397

Original Poster
Rep: Reputation: 16
Yes, that's right. Many people don't even know the samba IP, and still their IPs are showing in the log.
 
Old 05-09-2012, 07:48 AM   #53
pantdk
Member
 
Registered: Oct 2011
Location: New Delhi
Posts: 248
Blog Entries: 3

Rep: Reputation: 17
Haha, "interesting". OK, see, I have tested it, but I don't know what happens at your end. Can you share your smb.conf file?

Last edited by pantdk; 05-09-2012 at 07:59 AM.
 
Old 05-09-2012, 04:18 PM   #54
jsveiga
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: debian on servers and embedded, kubuntu elsewhere
Posts: 31

Rep: Reputation: 1
Quote:
Originally Posted by centos123
Yes, that's right. Many people don't even know the samba IP, and still their IPs are showing in the log.

Samba emulates a windows smb server, and as such it "announces" itself in the network. It may (depending on your config) become a "Master Browser" for the network, so the other computers use it to find stuff in the smb network. The windows client machines will be trying to access it for example to fill their "network neighborhood" / "machines near me", shared printers, and all those things windows does without being asked for.

Of course, there is also the possibility that worms in the client machines are just trying to spread through smb in the network, thus probing all hosts including the samba server.

Now, if you are getting smb connection attempts from outside your network, or from a network you are not supposed to have any client but which is connected to one of your interfaces, you should set up your "interfaces" and "socket address" settings in smb.conf to control where your samba server is announcing itself and listening to requests. You can also configure your firewall to block smb from undesired addresses/networks.

BR,

Joao S Veiga
 
Old 05-11-2012, 02:30 AM   #55
centos123
Member
 
Registered: Apr 2011
Posts: 397

Original Poster
Rep: Reputation: 16
My network interface uses hosts allow 127. 192.168. 172.16. so this range can access, but only if they know the server IP.

Could this also be because of a network virus, as jsveiga said about worms?
Can this also be one of the reasons?
 
Old 05-11-2012, 07:57 PM   #56
jsveiga
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: debian on servers and embedded, kubuntu elsewhere
Posts: 31

Rep: Reputation: 1
Quote:
Originally Posted by centos123
My network interface uses hosts allow 127. 192.168. 172.16. so this range can access, but only if they know the server IP.

Sorry, I did not mean to scare you.

The user doesn't need to know that there is a smb server in the network, nor its ip address. The smb server (and actually the clients too) announces itself in the network, and they just start poking each other.

If you do a
tshark -i ethX
on one of the interfaces you have the server bound to, you will see a lot of smb/nmb chitchat even when no user is accessing the shares - even if there is no worm nor any wrongdoing in your network. Just boot a windows (or samba server with default config) in the network, and they'll start blabbering.

This is normal smb behavior. When broadband internet started to be deployed in Brazil, and ISPs didn't have a clue, it was very funny to see the flood of smb announcements arriving in our PCs. Then who could resist peeking into the announced open shares...

BR,

Joao S Veiga
 
Old 05-12-2012, 03:20 AM   #57
pantdk
Member
 
Registered: Oct 2011
Location: New Delhi
Posts: 248
Blog Entries: 3

Rep: Reputation: 17
http://www.samba.org/samba/docs/man/...kBrowsing.html
 
Old 05-15-2012, 01:20 AM   #58
centos123
Member
 
Registered: Apr 2011
Posts: 397

Original Poster
Rep: Reputation: 16
tshark -i eth0
shows log output continuously:
109.894479 172.16.27.10 -> 172.16.255.255 NBNS Name query NB WORKGROUP<1b>
109.935347 Micro-St_dc:2e:48 -> Broadcast ARP Who has 169.254.162.51? Tell 169.254.162.67
109.988069 172.16.37.23 -> 172.16.255.255 NBNS Name query NB WPAD<00>
109.988849 172.16.7.2 -> 172.16.255.255 NBNS Name query NB CORP1-PUR-001<20>
109.989372 172.16.7.2 -> 172.16.255.255 NBNS Name query NB CORP1-PUR-001<00>
110.033990 172.16.14.9 -> 172.16.255.255 NBNS Name query NB IXDHJEHL.COM<00>
110.034009 172.16.14.9 -> 172.16.255.255 NBNS Name query NB XUWGMJCRLWV.COM<00>
110.034168 172.16.14.9 -> 172.16.255.255 NBNS Name query NB CZFAAXXQ.COM<00>
110.034175 172.16.14.9 -> 172.16.255.255 NBNS Name query NB UGTLEZXAA.COM<00>
110.034316 172.16.14.9 -> 172.16.255.255 NBNS Name

90880 Intel_41:30:c1 -> Broadcast ARP Who has 172.16.246.202? Tell 172.16.21.56
262.748223 172.16.7.2 -> 172.16.255.255 NBNS Name query NB CORP1-PUR-001<20>
262.748242 172.16.7.2 -> 172.16.255.255 NBNS Name query NB CORP1-PUR-001<00>

262.836215 Dell_07:cf:ab -> Broadcast ARP Who has 172.16.9.111? Tell 172.16.26.5
262.852324 AsustekC_ad:a4:d7 -> Broadcast ARP Who has 172.16.11.16? Tell 172.16.37.24
262.854602 192.168.0.2 -> 192.168.0.255 UDP Source port


Thanks for this command. This command brings a flood on my PC, but I can't understand the log it shows. Can you tell me some more?
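
Added example (not part of the thread): a shell helper that reads tshark text output like the capture posted above and counts, per source host, how many NBNS name queries it broadcast and how many distinct names it asked for, which separates ordinary broadcast name lookups from a host that asks for unusually many names. The function names, the sample_capture helper and the column layout (taken from the capture above) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Column layout assumed from the capture
# posted above: <time> <src> -> <dst> NBNS Name query NB <NAME><suffix>

# Sample input: lines copied from the capture in the post above,
# including its truncated last line.
sample_capture() {
    cat <<'EOF'
109.894479 172.16.27.10 -> 172.16.255.255 NBNS Name query NB WORKGROUP<1b>
109.935347 Micro-St_dc:2e:48 -> Broadcast ARP Who has 169.254.162.51? Tell 169.254.162.67
109.988069 172.16.37.23 -> 172.16.255.255 NBNS Name query NB WPAD<00>
109.988849 172.16.7.2 -> 172.16.255.255 NBNS Name query NB CORP1-PUR-001<20>
109.989372 172.16.7.2 -> 172.16.255.255 NBNS Name query NB CORP1-PUR-001<00>
110.033990 172.16.14.9 -> 172.16.255.255 NBNS Name query NB IXDHJEHL.COM<00>
110.034009 172.16.14.9 -> 172.16.255.255 NBNS Name query NB XUWGMJCRLWV.COM<00>
110.034168 172.16.14.9 -> 172.16.255.255 NBNS Name query NB CZFAAXXQ.COM<00>
110.034175 172.16.14.9 -> 172.16.255.255 NBNS Name query NB UGTLEZXAA.COM<00>
110.034316 172.16.14.9 -> 172.16.255.255 NBNS Name
EOF
}

# Reads tshark text lines on stdin and prints "<src> <queries> <distinct names>"
# for each host that sent NBNS name queries. ARP and truncated lines are skipped.
nbns_summary() {
    awk '
        $3 == "->" && $5 == "NBNS" && $6 == "Name" && $7 == "query" && $9 != "" {
            name = $9
            sub(/<[0-9A-Fa-f][0-9A-Fa-f]>$/, "", name)  # strip NetBIOS suffix, e.g. <20>
            queries[$2]++
            if (!seen[$2, name]++) distinct[$2]++
        }
        END { for (h in queries) print h, queries[h], distinct[h] }
    ' | LC_ALL=C sort
}

# Prints hosts that asked for at least $1 distinct names (default 3):
# candidates for a closer look, as opposed to ordinary browse chatter.
many_names() {
    nbns_summary | awk -v min="${1:-3}" '$3 >= min { print $1 }'
}

sample_capture | nbns_summary
```

On a live interface, bound the capture so the pipeline ends, for example `tshark -i eth0 -a duration:60 | nbns_summary`; other tshark versions may print a different column layout, in which case the field numbers need adjusting.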
 
Old 05-15-2012, 02:11 AM   #59
pantdk
Member
 
Registered: Oct 2011
Location: New Delhi
Posts: 248
Blog Entries: 3

Rep: Reputation: 17
Can you try with
;wins support = no
;wins proxy = no
then restart the samba service, delete the old logs, and see what happens?

Last edited by pantdk; 05-15-2012 at 02:16 AM.
 
Old 06-15-2012, 11:16 PM   #60
centos123
Member
 
Registered: Apr 2011
Posts: 397

Original Poster
Rep: Reputation: 16
Thanks to all, you helped me a lot.

Today when I checked the update file, I found that one shared dir was accessed by someone, so I want to know when this dir was accessed and by whom. How can I check this? Also, is there any program for continuously checking smbstatus -u? This command runs once and gives output; I need it continuously. I am trying to make a shell script; if anyone knows one, please share it.
 
  


All times are GMT -5. The time now is 03:22 AM.
