Monitoring Samba Activity with Full_Audit

Tags:

logging

samba

I have a Samba server. I've configured smb.conf like this:

[global]
# Another configuration
#
#

# Audit Activity Settings
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite pread
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE

[shared]
comment = Shared Content 
path = /data/shared
read only = no
browsable = yes
vfs objects = full_audit

I want to send the Samba log to a specific file, for example /var/log/samba/log.audit. I've configured rsyslog.conf like this:

if $syslogfacility-text == 'local7' and $programname == 'smbd' then /var/log/samba/log.audit

but nothing happens; there is no log.audit file in /var/log/samba/.

I have also tried configuring /etc/rsyslog.d/50-default.conf like this:

local7.* /var/log/samba/log.audit

but it's the same: no log.audit file in /var/log/samba/.

But the full_audit logs are available in syslog:

Mar 20 02:49:26 media-arsip smbd_audit: content|192.168.84.69|ubspok18|shared|mkdir|ok|sharedcontent/ok/tes

How do I send those Samba full_audit syslog messages to /var/log/samba/log.audit?

spn asked Oct 20 '25 16:10



1 Answer

Perhaps you have resolved this already; however, for posterity if so:

The resolution that worked in my case when I ran into both of these issues (on a CentOS 7 samba server) was two-fold.

Firstly: when vfs full_audit was configured with the local7 context, log entries were getting sent on to boot.log, which was already configured for that context. Defining a new context in smb.conf (full_audit:facility = local5) and in /etc/rsyslog.conf (local5.* /var/log/smb_audit.log) sent audit log messages to the chosen log file (in my case, /var/log/smb_audit.log).

Secondly: after the above configuration, log messages were sent to both my defined log file and syslog. This was because local5 needed to be disabled for syslog in /etc/rsyslog.conf so that syslog would not slurp them up as well, which is the default behaviour. This was accomplished by adding local5.none to my configuration line for /var/log/messages, so it ends up something like: *.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages.

(smbcontrol all reload-config && systemctl restart systemd-journald && systemctl restart rsyslog for these updates to take effect. Journald does not need to be restarted unless you are also choosing to increase your log limit/rate window, though for a reasonably heavily trafficked server, this may be desirable.)

Nick Lessing answered Oct 26 '25 19:10

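Once the audit records land in their own file, the next step is reading them. The following is an added example, not code from the question or the answer: it parses syslog lines in the exact format the question's full_audit:prefix (%u|%I|%m|%S) produces and filters for the data-changing operations in the full_audit:success list. The sample lines, the DESTRUCTIVE_OPS set and the old|new layout of rename arguments are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One syslog line as vfs_full_audit writes it with the question's prefix "%u|%I|%m|%S":
#   "<timestamp> <host> smbd_audit: <user>|<client ip>|<client name>|<share>|<op>|<ok|fail>|<args...>"
# Note the program tag in the sample is "smbd_audit", not "smbd".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) smbd_audit: (?P<msg>.*)$"
)

@dataclass
class AuditEvent:
    timestamp: str
    host: str
    user: str
    client_ip: str
    client_name: str
    share: str
    op: str
    ok: bool
    args: List[str] = field(default_factory=list)

def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for an smbd_audit line, or None for any other syslog line."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    fields = m.group("msg").split("|")
    if len(fields) < 6:  # four prefix fields, then the operation and its result
        return None
    user, ip, client, share, op, result = fields[:6]
    return AuditEvent(m.group("ts"), m.group("host"), user, ip, client, share, op, result == "ok", fields[6:])

# Operations from the question's full_audit:success list that change or remove data (assumed set).
DESTRUCTIVE_OPS = {"unlink", "rmdir", "rename"}

def destructive_events(lines) -> List[AuditEvent]:
    """Keep only successful destructive operations, the events worth reviewing or alerting on."""
    events = (parse_audit_line(line) for line in lines)
    return [ev for ev in events if ev is not None and ev.ok and ev.op in DESTRUCTIVE_OPS]

# Constructed sample log: the first line is the one quoted in the question, the rest are made up
# in the same format (the rename arguments follow an "old|new" layout, assumed here).
SAMPLE_LOG = [
    "Mar 20 02:49:26 media-arsip smbd_audit: content|192.168.84.69|ubspok18|shared|mkdir|ok|sharedcontent/ok/tes",
    "Mar 20 02:50:01 media-arsip smbd_audit: content|192.168.84.69|ubspok18|shared|unlink|ok|sharedcontent/ok/tes/report.docx",
    "Mar 20 02:50:07 media-arsip smbd_audit: content|192.168.84.69|ubspok18|shared|rename|ok|sharedcontent/a.txt|sharedcontent/b.txt",
    "Mar 20 02:50:09 media-arsip smbd: unrelated smbd message, not an audit record",
]
```

Call destructive_events(SAMPLE_LOG) to get the unlink and rename records with user, client IP, share and paths already split out; the non-audit smbd line is skipped.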


