Hello all I would like to monitor which files and only files are really open, create and modify on my samba shares. My bellow configuration would have been works fine if there is a way to exclude information about opening and closing folders.? For example when the mouse cursor is over a folder, full_audit logs 'open' operations for every folder inside, Windows probably checks the folders to calculated size and show it in the tool-tip. It is similar with files, it is enough for the mouse to be over the file for full_audit to log the operation e.g. "| share_name | open | ok | r |". I try to log operation: pread, pwirte - but they don't return anything pread_recv, pread_send - works but they generate too much entries, especially when the files are big open, close - generate logs as well for folders create_file - generate too many logs Is there a way to monitor really opened or modified files on samba shares without logging redundant events? My Samba version is Samba 4.11.2 and config ??? vfs object = full_audit ??? full_audit:prefix = %u|%I|%m%|%S|%R ??? full_audit:success = read write mkdir unlink rmdir rename open close ??? full_audit:failure = none ??? full_audit:facility = local7 ??? full_audit:priority = notice Sorry for my English ------------------------------------------------- Best regards Janusz
On Wed, Oct 06, 2021 at 08:13:27AM +0200, Janusz Bli?niak via samba wrote:>Hello all >I would like to monitor which files and only files are really open, >create and modify on my samba shares. My bellow configuration would >have been works fine if there is a way to exclude information about >opening and closing folders.? For example when the mouse cursor is >over a folder, full_audit logs 'open' operations for every folder >inside, Windows probably checks the folders to calculated size and >show it in the tool-tip. It is similar with files, it is enough for >the mouse to be over the file for full_audit to log the operation e.g. >"| share_name | open | ok | r |". >I try to log operation: >pread, pwirte - but they don't return anything >pread_recv, pread_send - works but they generate too much entries, >especially when the files are big >open, close - generate logs as well for folders >create_file - generate too many logs > >Is there a way to monitor really opened or modified files on samba >shares without logging redundant events?Well the folders *are* really opened, that's the thing. At the VFS layer, in order to list a directory (folder) it must be opened. You need to explain exactly what you mean by "really opened" in a way that can translate into code.