Been using it for a while now:

smb.conf entry:
# turn on auditing
vfs objects = audit

In the Samba howto collection, section 21.3:

21.3 Included Modules
21.3.1 audit
21.3.2 extd audit

And just for completeness:

21.3.1 audit
A simple module to audit file access to the syslog facility. The following operations are
logged:
• share
• connect/disconnect
• directory opens/create/remove
• file open/close/rename/unlink/chmod
21.3.2 extd audit
This module is identical with the audit module above except that it sends audit logs to both syslog as well as the smbd log files. The log level for this module is set in the smb.conf file.
Valid settings and the information that will be recorded are shown in the next table.
21.3.2.1 Configuration of Auditing
This auditing tool is more flexible than most people readily will recognize. There are a
number of ways by which useful logging information can be recorded.
• Syslog can be used to record all transactions. This can be disabled by setting in the
smb.conf file syslog = 0.

Table 21.1. Extended Auditing Log Information

Log Level   Log Details - File and Directory Operations
0           Make Directory, Remove Directory, Unlink
1           Open Directory, Rename File, Change Permissions/ACLs
2           Open & Close File
10          Maximum Debug Level

• Logging can take place to the default log file (log.smbd) for all loaded VFS modules just by setting in the smb.conf file log level = 0 vfs:x, where x is the log level. This will disable general logging while activating all logging of VFS module activity
at the log level specified.
• Detailed logging can be obtained per user, per client machine, etc. This requires the
above together with the creative use of the log file settings.
An example of detailed per-user and per-machine logging can be obtained by setting
log level = /var/log/samba/%U.%m.log.
Auditing information often must be preserved for a long time. So that the log files do not get rotated it is essential that the max log size = 0 be set in the smb.conf file.



Ryan Steele wrote:
Hey List,

I was wondering if and how one would go about tracking file activity on a Samba server, for basic auditing purposes. I'd ideally like to see what files were edited, by whom and when. I've done some RTFM and a bit of searching around the 'net, but haven't found anything yet. Even pointers to documentation on the subject would be welcome. Thanks in advance for any tips!

Best Regards,
Ryan
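
An added example, not part of the original post or the Samba documentation: a small Python check of an smb.conf [global] section against the audit settings quoted above (audit module loaded, vfs log level, max log size = 0). It assumes the extended module is loaded as extd_audit; the function name and the sample configuration are constructed for illustration.

```python
import configparser
import re

# Table 21.1 as quoted above: details added at each extd_audit log level.
LEVEL_DETAILS = {
    0: "Make Directory, Remove Directory, Unlink",
    1: "Open Directory, Rename File, Change Permissions/ACLs",
    2: "Open & Close File",
}
AUDIT_MODULES = {"audit", "extd_audit"}  # assumed spelling in 'vfs objects'


def review_audit_config(text):
    """Return (findings, logged_details) for the [global] section of smb.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings, logged = [], []

    modules = set(g.get("vfs objects", "").split()) & AUDIT_MODULES
    if not modules:
        findings.append("no audit module in 'vfs objects'")

    # 'log level = 0 vfs:x' logs VFS module activity to the smbd log at level x.
    m = re.search(r"\bvfs:(\d+)", g.get("log level", ""))
    if "extd_audit" in modules:
        if m is None:
            findings.append("extd_audit loaded but no 'vfs:x' in 'log level'")
        else:
            logged = [d for lvl, d in LEVEL_DETAILS.items() if lvl <= int(m.group(1))]

    # 'max log size = 0' keeps audit logs from being rotated away.
    if g.get("max log size", "").strip() != "0":
        findings.append("'max log size' is not 0; audit logs may be rotated")
    return findings, logged


# Constructed sample configuration (not from the original post).
SAMPLE = """\
[global]
# turn on auditing
vfs objects = extd_audit
log level = 0 vfs:1
max log size = 50
"""

if __name__ == "__main__":
    print(review_audit_config(SAMPLE))
```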
