Dale,

Upon hearing Volker Lendecke's suggestion that full_audit was superseding the other two, I opted to use it. And, as you mentioned, I did read the docs and put the log parameters in the global container. However, I've not been able to get it to log to _anything_ other than syslog. I've settled on the fact that I'll have to pick information out of syslog, unless someone can point out a working config that can achieve different results - in which case I'm all ears. Here's what I've got:

[global]
   syslog = 0
   syslog only = No
   log level = 0 vfs:2
   log file = /var/log/samba/log.%m.%U
   ; No VFS info ever makes it here
   obey pam restrictions = Yes
   encrypt passwords = Yes
   local master = no
   domain master = no
   preferred master = no
   netbios name = Testbox
   workgroup = TESTDOMAIN
   server string = %h server (Testing Audit Support)
   wins support = yes
   dns proxy = yes
   name resolve order = wins lmhosts host bcast
   smb ports = 139
   max log size = 1000000
   panic action = /usr/share/samba/panic-action %d
   security = user
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0700
   directory mask = 0700

[Shared Files]
   vfs objects = full_audit
   full_audit:prefix = %u|%I
   full_audit:failure = none
   full_audit:success = open write close
   path = /home/sharedfiles
   directory mask = 0775
   create mask = 0664
   comment = "DMG Files"
   browseable = yes
   writable = yes
   oplocks = No
   level2 oplocks = No

And, while I'm asking questions, why is it that different apps give me different results in terms of number of calls to open, close, etc? I assume there's more than one because the addresses are memory mapped - does the actual number just depend on how the individual app goes out to fetch those addresses?

As always, thanks in advance.

Ryan

-- 
Ryan Steele
Systems Administrator
Greater Philadelphia Area
GPG Signature: http://www.agora-net.com/~steele/signature.asc

Dale Schroeder wrote:
> Ryan,
>
> I don't believe it is possible to set log parameters in the share. It
> must be done in global.
> Also notice this from the HowTo:
> " This module is identical with the |audit| module above except that
> it sends audit logs to both /*syslog*/ as well as the |smbd| log files."
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html#id409434
>
>
> Dale
>
> Ryan Steele wrote:
>> Ryan Steele wrote:
>>> Ray Anderson wrote:
>>>> Been using it for a while now:
>>>>
>>>> smb.conf entry:
>>>> # turn on auditing
>>>> vfs objects = audit
>>>>
>>>> In the Samba howto collection, section 21.3:
>>>>
>>>> 21.3 Included Modules
>>>> 21.3.1 audit
>>>> 21.3.2 extd audit
>>>>
>>>> And just for completeness:
>>>>
>>>> 21.3.1 audit
>>>> A simple module to audit file access to the syslog facility. The
>>>> following operations are
>>>> logged:
>>>> • share
>>>> • connect/disconnect
>>>> • directory opens/create/remove
>>>> • file open/close/rename/unlink/chmod
>>>> 21.3.2 extd audit
>>>> This module is identical with the audit module above except that it
>>>> sends audit logs to
>>>> both syslog as well as the smbd log files. The log level for this
>>>> module is set in the smb.
>>>> conf file.
>>>> Valid settings and the information that will be recorded are shown
>>>> in the next table.
>>>> 21.3.2.1 Configuration of Auditing
>>>> This auditing tool is more flexible than most people readily will
>>>> recognize. There are a
>>>> number of ways by which useful logging information can be recorded.
>>>> • Syslog can be used to record all transaction. This can be
>>>> disabled by setting in the
>>>> smb.conf file syslog = 0.
>>>>
>>>> Section 21.3. Included Modules
>>>> Table 21.1. Extended Auditing Log Information
>>>> Log Level Log Details - File and Directory Operations
>>>> 0 Make Directory, Remove Directory, Unlink
>>>> 1 Open Directory, Rename File, Change Permissions/ACLs
>>>> 2 Open & Close File
>>>> 10 Maximum Debug Level
>>>> • Logging can take place to the default log file (log.smbd) for all
>>>> loaded VFS modules
>>>> just by setting in the smb.conf file log level = 0 vfs:x, where x is
>>>> the log level.
>>>> This will disable general logging while activating all logging of
>>>> VFS module activity
>>>> at the log level specified.
>>>> • Detailed logging can be obtained per user, per client machine,
>>>> etc. This requires the
>>>> above together with the creative use of the log file settings.
>>>> An example of detailed per-user and per-machine logging can be
>>>> obtained by setting
>>>> log level = /var/log/samba/%U.%m.log.
>>>> Auditing information often must be preserved for a long time. So
>>>> that the log files do not
>>>> get rotated it is essential that the max log size = 0 be set in the
>>>> smb.conf file.
>>>>
>>>>
>>>>
>>>> Ryan Steele wrote:
>>>>> Hey List,
>>>>>
>>>>> I was wondering if and how one would go about tracking file
>>>>> activity on a Samba server, for basic auditing purposes. I'd
>>>>> ideally like to see what files were edited, by whom and when.
>>>>> I've done some RTFM and a bit of searching around the 'net, but
>>>>> haven't found anything yet. Even pointers to documentation on the
>>>>> subject would be welcome. Thanks in advance for any tips!
>>>>>
>>>>> Best Regards,
>>>>> Ryan
>>>>>
>>>
>>> Ray,
>>>
>>> I appreciate your advice. I am experimenting with an implementation
>>> of the extd_audit module now on a test cluster - thanks for pointing
>>> me in the direction of the HOWTO, I should have looked there before
>>> bumping the list. Thanks again.
>>>
>>> Ryan
>>>
>>
>> I'm having a bit of trouble with the logging on this, and I'm hoping
>> someone can point out a simple mistake I'm overlooking. My
>> intentions are to have everything in the shared directory container
>> log to /var/log/samba/log.machine.username, but all of the VFS
>> info continues to filter into syslog. I've HUP'ed the daemon and
>> restarted to no avail. Any thoughts?
>> Here's my smb.conf - it's
>> pretty vanilla, as it's a testbox for the purposes only of testing
>> the audit module:
>>
>> [global]
>>    obey pam restrictions = Yes
>>    encrypt passwords = Yes
>>    local master = no
>>    domain master = no
>>    preferred master = no
>>    netbios name = Testbox
>>    workgroup = TESTDOMAIN
>>    server string = %h server (TestServer)
>>    wins support = yes
>>    dns proxy = yes
>>    name resolve order = wins lmhosts host bcast
>>    smb ports = 139
>>    log file = /var/log/samba/log.%m
>>    max log size = 1000000
>>    syslog = 0
>>    panic action = /usr/share/samba/panic-action %d
>>    security = user
>>    invalid users = root
>>    passwd program = /usr/bin/passwd %u
>>    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
>> [homes]
>>    comment = Home Directories
>>    browseable = no
>>    writable = yes
>>    create mask = 0700
>>    directory mask = 0700
>> [Shared Files]
>>    comment = "Shared Files"
>>    log level = vfs:2
>>    path = /home/sharedfiles
>>    browseable = yes
>>    writable = yes
>>    oplocks = No
>>    level 2 oplocks = No
>>    directory mask = 0775
>>    create mask = 0664
>>    log file = /var/log/samba/log.%m.%U
>>    vfs objects = extd_audit
>>
>> Thanks in advance for any advice.
>>
>> Best Regards,
>> Ryan
>>
>

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
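
The message above settles on picking the full_audit records out of syslog. The following Python code is an added example, not part of the thread and not Samba code: it parses such records and reports who opened, wrote and closed which file, which also makes the per-application differences in open/close counts visible. The record layout (prefix|operation|result|arguments after an "smbd_audit:" tag, with an r/w flag before the path on open) and the sample lines are assumptions constructed for illustration; the prefix fields follow "full_audit:prefix = %u|%I" from the posted config.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread). Assumed layout of each record:
#   <timestamp> <host> smbd_audit: <prefix>|<operation>|<result>|<arguments>
# where <prefix> is user|client-IP because of "full_audit:prefix = %u|%I".
SAMPLE = """\
Mar  3 10:15:01 testbox smbd_audit: alice|192.0.2.10|open|ok|r|reports/q1.xls
Mar  3 10:15:01 testbox smbd_audit: alice|192.0.2.10|close|ok|reports/q1.xls
Mar  3 10:15:02 testbox smbd_audit: alice|192.0.2.10|open|ok|w|reports/q1.xls
Mar  3 10:15:02 testbox smbd_audit: alice|192.0.2.10|write|ok|reports/q1.xls
Mar  3 10:15:03 testbox smbd_audit: alice|192.0.2.10|close|ok|reports/q1.xls
Mar  3 10:16:40 testbox smbd[2211]: unrelated daemon message
Mar  3 10:17:12 testbox smbd_audit: bob|192.0.2.22|open|ok|r|notes|2008.txt
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssmbd_audit(?:\[\d+\])?:\s(?P<body>.*)$")

def parse_line(line):
    """Return one audit record as a dict, or None for anything else in syslog."""
    m = LINE.match(line)
    if not m:
        return None
    parts = m.group("body").split("|", 4)  # user, ip, op, result, arguments
    if len(parts) < 5:
        return None
    user, ip, op, result, args = parts
    mode = None
    if op == "open":  # open records carry "r" or "w" before the path
        mode, _, args = args.partition("|")
    # maxsplit above keeps a "|" inside a file name as part of the path
    return {"ts": m.group("ts"), "user": user, "ip": ip, "op": op,
            "ok": result == "ok", "mode": mode, "path": args}

def summarize(text):
    """Count operations per (user, ip, path); list successful writes in order."""
    counts, modified = defaultdict(lambda: defaultdict(int)), []
    for rec in filter(None, map(parse_line, text.splitlines())):
        if not rec["ok"]:
            continue
        counts[(rec["user"], rec["ip"], rec["path"])][rec["op"]] += 1
        if rec["op"] == "write":
            modified.append((rec["ts"], rec["user"], rec["ip"], rec["path"]))
    return {k: dict(v) for k, v in counts.items()}, modified

if __name__ == "__main__":
    per_file, modified = summarize(SAMPLE)
    for key, ops in sorted(per_file.items()):
        print(key, ops)
    print("modified:", modified)
```

Check the field order against a few real lines from the server's syslog before relying on the counts, since the layout here is assumed.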