Re: [Samba] Tracking file activity

2007-07-31 Thread Ryan Steele

Ryan Steele wrote:

Ray Anderson wrote:

Been using it for a while now:

smb.conf entry:
# turn on auditing
vfs objects = audit

In the Samba howto collection, section 21.3:

21.3 Included Modules
21.3.1 audit
21.3.2 extd audit

And just for completeness:

21.3.1 audit
A simple module to audit file access to the syslog facility. The following operations are logged:
• share
• connect/disconnect
• directory opens/create/remove
• file open/close/rename/unlink/chmod

21.3.2 extd audit
This module is identical with the audit module above except that it sends audit logs to both syslog as well as the smbd log files. The log level for this module is set in the smb.conf file.
Valid settings and the information that will be recorded are shown in the next table.

21.3.2.1 Configuration of Auditing
This auditing tool is more flexible than most people readily will recognize. There are a number of ways by which useful logging information can be recorded.
• Syslog can be used to record all transactions. This can be disabled by setting in the smb.conf file syslog = 0.

Table 21.1. Extended Auditing Log Information
Log Level   Log Details - File and Directory Operations
0           Make Directory, Remove Directory, Unlink
1           Open Directory, Rename File, Change Permissions/ACLs
2           Open & Close File
10          Maximum Debug Level
• Logging can take place to the default log file (log.smbd) for all loaded VFS modules just by setting in the smb.conf file log level = 0 vfs:x, where x is the log level. This will disable general logging while activating all logging of VFS module activity at the log level specified.
• Detailed logging can be obtained per user, per client machine, etc. This requires the above together with the creative use of the log file settings.
An example of detailed per-user and per-machine logging can be obtained by setting log level = /var/log/samba/%U.%m.log.
Auditing information often must be preserved for a long time. So that the log files do not get rotated it is essential that the max log size = 0 be set in the smb.conf file.




Ryan Steele wrote:

Hey List,

I was wondering if and how one would go about tracking file activity 
on a Samba server, for basic auditing purposes. I'd ideally like to 
see what files were edited, by whom and when. I've done some RTFM 
and a bit of searching around the 'net, but haven't found anything 
yet. Even pointers to documentation on the subject would be welcome. 
Thanks in advance for any tips!


Best Regards,
Ryan



Ray,

I appreciate your advice.  I am experimenting with an implementation 
of the extd_audit module now on a test cluster - thanks for pointing 
me in the direction of the HOWTO,  I should have looked there before 
bumping the list.  Thanks again.


Ryan



I'm having a bit of trouble with the logging on this, and I'm hoping 
someone can point out a simple mistake I'm overlooking.  My intentions 
are to have everything in the shared directory container log to 
/var/log/samba/log.machine.username, but all of the VFS info 
continues to filter into syslog.  I've HUP'ed the daemon and restarted 
to no avail.  Any thoughts?  Here's my smb.conf - it's pretty vanilla, 
as it's a testbox for the purposes only of testing the audit module:


[global]
  obey pam restrictions = Yes
  encrypt passwords = Yes
  local master = no
  domain master = no
  preferred master = no
  netbios name = Testbox
  workgroup = TESTDOMAIN
  server string = %h server (TestServer)
  wins support = yes
  dns proxy = yes
  name resolve order = wins lmhosts host bcast
  smb ports = 139
  log file = /var/log/samba/log.%m
  max log size = 100
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = user
  invalid users = root
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
[homes]
  comment = Home Directories
  browseable = no
  writable = yes
  create mask = 0700
  directory mask = 0700
[Shared Files]
   comment = Shared Files
   log level = vfs:2
   path = /home/sharedfiles
   browseable = yes
   writable = yes
   oplocks = No
   level 2 oplocks = No
   directory mask = 0775
   create mask = 0664
   log file = /var/log/samba/log.%m.%U
   vfs objects = extd_audit

Thanks in advance for any advice.

Best Regards,
Ryan

--
Ryan Steele
Systems Administrator 
Greater Philadelphia Area
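
Added example (not part of the original thread and not Samba project code): a small Python check that applies the HOWTO auditing advice quoted above to an smb.conf, run on a constructed, trimmed copy of the posted test config. The function names are hypothetical, and the list of global-only parameters is an assumption taken from the (G) markings in smb.conf(5).

```python
import re
# Constructed sample: trimmed copy of the test smb.conf posted in this thread.
SAMPLE = """\
[global]
  log file = /var/log/samba/log.%m
  max log size = 100
[homes]
  writable = yes
[Shared Files]
  log level = vfs:2
  log file = /var/log/samba/log.%m.%U
  vfs objects = extd_audit
"""

AUDIT_MODULES = {"audit", "extd_audit", "full_audit"}
# Marked (G) in smb.conf(5): these only take effect in [global].
GLOBAL_ONLY = {"log level", "log file", "max log size", "syslog"}

def parse(text):
    """Return {section: {parameter: value}} with lower-cased names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit_findings(text):
    """Check an smb.conf against the HOWTO's auditing advice."""
    conf, out = parse(text), []
    glob = conf.get("global", {})
    if glob.get("max log size") != "0":
        out.append("global: max log size is not 0, audit logs will be rotated")
    for name, params in conf.items():
        if name == "global":
            continue
        for key in sorted(GLOBAL_ONLY.intersection(params)):
            out.append(f"{name}: '{key}' is a global parameter, move it to [global]")
        mods = params.get("vfs objects", glob.get("vfs objects", ""))
        if not AUDIT_MODULES.intersection(re.split(r"[\s,]+", mods)):
            out.append(f"{name}: no audit VFS module loaded")
    return out
```

On the sample, `audit_findings(SAMPLE)` reports the nonzero max log size, the [homes] share with no audit module, and the two logging parameters set inside [Shared Files].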



Re: [Samba] Tracking file activity

2007-07-30 Thread Volker Lendecke
On Mon, Jul 30, 2007 at 01:00:18PM -0400, Ryan Steele wrote:
 I appreciate your advice.  I am experimenting with an implementation of 
 the extd_audit module now on a test cluster - thanks for pointing me in 
 the direction of the HOWTO,  I should have looked there before bumping 
 the list.  Thanks again.

Just FYI: audit and ext_audit have been superseded by
full_audit lately.

Volker

