On Sat, 5 May 2018 11:11:21 -0300 "Ethy H. Brito via samba" <samba at lists.samba.org> wrote:

> On Sat, 5 May 2018 23:40:47 +1000
> Robin G via samba <samba at lists.samba.org> wrote:
>
> ...
>
>
> > full_audit:prefix = %u|%I|%S
> > full_audit:failure = none
> > full_audit:success = mkdir rmdir read pread write pwrite
> > rename unlink
> > full_audit:facility = local5
> > full_audit:priority = notice
> >
> >
> > The following in /etc/rsyslog.d/00-samba-audit.conf
> > local5.notice /var/log/samba/audit.log
> > & ~
> >
> > and the following in /etc/rsyslog.d/50-default.conf
> > *.*;auth,authpriv.none -/var/log/syslog
> > *.*;local5,auth,authpriv.none -/var/log/syslog
> > local5.notice /var/log/samba/audit.log
> >
> > The samba service and rsyslog have been restarted multiple times
>
>
> I think you may be missing
>
> vfs objects = full_audit
>
> in each and every share you want to monitor.
>
> Ethy
>

You are guessing there and this isn't surprising, as the OP didn't give us the main piece of evidence, their smb.conf. Without this, anything suggested would be a guess.

Rowland

Hi Rowland,
here is the smb.conf. All shares have the full_audit
[global]
workgroup = RESOLVS
netbios name = DC1
security = USER
obey pam restrictions = yes
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
os level = 50
####
LDAP definitions
####
### Logging
syslog = 0
log file = /var/log/samba/%m
Log level = 0 vfs:0
max log size = 0
full_audit:prefix = %u|%I|%S
full_audit:failure = none
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice
[homes]
create mask = 0700
directory mask = 0700
browseable = No
read only = No
path = %H
vfs objects = full_audit
[data]
path = /srv/data
force group = allusers
read only = No
inherit permissions = Yes
hide unreadable = Yes
vfs objects = full_audit
Regards,
Rob
On Sun, May 6, 2018 at 12:20 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Sat, 5 May 2018 11:11:21 -0300
> "Ethy H. Brito via samba" <samba at lists.samba.org> wrote:
>
> > On Sat, 5 May 2018 23:40:47 +1000
> > Robin G via samba <samba at lists.samba.org> wrote:
> >
> > ...
> >
> >
> > > full_audit:prefix = %u|%I|%S
> > > full_audit:failure = none
> > > full_audit:success = mkdir rmdir read pread write pwrite
> > > rename unlink
> > > full_audit:facility = local5
> > > full_audit:priority = notice
> > >
> > >
> > > The following in /etc/rsyslog.d/00-samba-audit.conf
> > > local5.notice /var/log/samba/audit.log
> > > & ~
> > >
> > > and the following in /etc/rsyslog.d/50-default.conf
> > > *.*;auth,authpriv.none -/var/log/syslog
> > > *.*;local5,auth,authpriv.none -/var/log/syslog
> > > local5.notice /var/log/samba/audit.log
> > >
> > > The samba service and rsyslog have been restarted multiple times
> >
> >
> > I think you may be missing
> >
> > vfs objects = full_audit
> >
> > in each and every share you want to monitor.
> >
> > Ethy
> >
> >
>
> You are guessing there and this isn't surprising, as the OP didn't give
> us the main piece of evidence, their smb.conf. Without this, anything
> suggested would be a guess.
>
> Rowland
>

On Sun, 6 May 2018 20:05:20 +1000 Robin G <robinghere3 at gmail.com> wrote:

> Hi Rowland,
> here is the smb.conf. All shares have the full_audit
>
> [global]
> workgroup = RESOLVS
> netbios name = DC1
> security = USER
> obey pam restrictions = yes
> local master = yes
> domain master = yes
> preferred master = yes
> domain logons = yes
> os level = 50
> ####
>
> LDAP definitions

What LDAP definitions ???

>
> ####
>
> ### Logging
>
> syslog = 0
> log file = /var/log/samba/%m
> Log level = 0 vfs:0
> max log size = 0
> full_audit:prefix = %u|%I|%S
> full_audit:failure = none
> full_audit:success = mkdir rmdir read pread write pwrite
> rename unlink
> full_audit:facility = local5
> full_audit:priority = notice
>
>
> [homes]
> create mask = 0700
> directory mask = 0700
> browseable = No
> read only = No
> path = %H
> vfs objects = full_audit
>
> [data]
> path = /srv/data
> force group = allusers
> read only = No
> inherit permissions = Yes
> hide unreadable = Yes
> vfs objects = full_audit
>
>

Try it like this:

[global]
.......
.....
...
vfs objects = full_audit
full_audit:prefix = %u|%I|%S
full_audit:failure = none
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice

or like this:

[global]
.......
.....
...
vfs objects = full_audit

[homes]
create mask = 0700
directory mask = 0700
browseable = No
read only = No
path = %H
full_audit:prefix = %u|%I|%S
full_audit:failure = none
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice

Rowland
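
An added example, not part of the thread and not Samba project code: a Python check that reads an smb.conf and reports, per share, whether full_audit is in the effective `vfs objects` list and which facility.priority selector the rsyslog rule has to match. The sample config and the function names `load` and `audit_report` are constructed for illustration; it assumes parameters are written with their usual spelling.

```python
import configparser

# Constructed sample (not the poster's file): [scratch] sets its own
# "vfs objects", which replaces the [global] list instead of extending it.
SAMPLE = """
[global]
vfs objects = full_audit
full_audit:prefix = %u|%I|%S
full_audit:failure = none
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice

[data]
path = /srv/data

[scratch]
path = /srv/scratch
vfs objects = recycle
"""

def load(text):
    # '=' is the only delimiter: configparser's default ':' would split
    # "full_audit:prefix". Raw parser: '%u' is a Samba macro, not interpolation.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    # Strip indentation so indented parameters are not read as continuations.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {name.lower(): dict(cp.items(name)) for name in cp.sections()}

def audit_report(text):
    """Per share: is full_audit loaded, and which syslog selector it uses."""
    conf = load(text)
    glob = conf.pop("global", {})
    report = {}
    for share, params in conf.items():
        eff = {**glob, **params}          # share values override [global]
        modules = eff.get("vfs objects", "").replace(",", " ").split()
        fac, pri = eff.get("full_audit:facility"), eff.get("full_audit:priority")
        report[share] = {
            "audited": "full_audit" in modules,
            # None when either is unset and the module default applies.
            "selector": f"{fac}.{pri}" if fac and pri else None,
        }
    return report

if __name__ == "__main__":
    for share, info in audit_report(SAMPLE).items():
        print(share, info)
```

A share reported with `audited: False` produces no audit records whatever rsyslog does; for the others, the reported selector is the one the rule in /etc/rsyslog.d has to name.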