samba - Jan 2021 - Samba "vfs_full_audit" Operations

I am trying to get Samba to log user activity. What should be done is 
clearly explained here:

https://www.samba.org/samba/docs/current/man-html/vfs_full_audit.8.html

The problem is that Samba sends too much data, and that is a major 
problem for me. Apparently, there are a lot of "operations" going on
in
the background and I don't know which ones to filter. So I am looking 
for any sort of documentation that can enlighten me. I have already 
Google'd it but nothing useful came up.

Thanks in advance.




-- 
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

On 1/23/21 11:21 AM, Selahattin CILEK via samba wrote:
> I am trying to get Samba to log user activity. What should be done is
clearly
> explained here:
> 
> https://www.samba.org/samba/docs/current/man-html/vfs_full_audit.8.html
> 
> The problem is that Samba sends too much data, and that is a major problem
for
> me. Apparently, there are a lot of "operations" going on in the
background and I
> don't know which ones to filter. So I am looking for any sort of
documentation
> that can enlighten me. I have already Google'd it but nothing useful
came up.
> 
> Thanks in advance.
The info presented by vfs_full_audit doesn't translate directly into
filesystem
operations as a user might think of them.

With that said, here are the options I use:

         vfs objects = full_audit
         full_audit:prefix = %U|%u|%I|%P
         full_audit:success = pwrite rename mknod unlink rmdir mkdir 
sys_acl_set_file
         full_audit:failure = none
         full_audit:facility = LOCAL3
         full_audit:log_secdesc = true