Hi Team,

I have enabled full_audit logging on a (domain-member) file-server
(running 4.15.7 from Louis on Bullseye)

[global]
        log level = 3
        full_audit:success = pwrite write rename
        full_audit:failure = none
        full_audit:prefix = samba: IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
        full_audit:facility = local7
        full_audit:priority = NOTICE

    <many other settings>

[home]
       comment = Home directory
       path = /srv/samba/home
       write list = @acl-smb_share_user_home-full
       read list
       force create mode = 0600
       force directory mode = 0700
       vfs objects = acl_xattr streams_xattr recycle full_audit
       recycle:keeptree = yes
       recycle:versions = yes

<more shares identical vfs object settings>

Instead of only "full_audit:success = pwrite write rename", I see
everything being logged. As a result, the log file is rapidly growing and
perhaps this much logging poses a performance hit on file access over
the shares.

Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|stat|ok|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|stat|ok|/srv/samba/home
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|file_id_create|ok|64780:2:0
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|stat|ok|/srv/samba/home
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|chdir|ok|chdir|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|stat|ok|/srv/samba/home
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|file_id_create|ok|64780:7340395:0
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|stat|ok|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|realpath|ok|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|connectpath|ok|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|openat|ok|r|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|fstat|ok|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|chdir|ok|chdir|/srv/samba/home
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|stat|ok|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|file_id_create|ok|64780:2:0
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|stat|ok|/srv/samba/home
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|file_id_create|ok|64780:7340395:0
Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|close|ok|/srv/samba/home/user/Thunderbird/Profiles/0jfaiuerm.default-release

Is there a mistake in the configuration? Or is it expected behaviour? Or
perhaps a bug in 4.15.7?

- Kees

On Wed, 2022-06-15 at 17:26 +0200, Kees van Vloten via samba wrote:
> Hi Team,
>
>
> I have enabled full_audit logging on a (domain-member) file-server
> (running 4.15.7 from Louis on Bullseye)
>
> [global]
>         log level = 3
>         full_audit:success = pwrite write rename

There have been changes, try replacing 'rename' with 'renameat'. I
think what is happening is that because 'rename' is now an error, it is
defaulting to 'all'.

Rowland
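
Added example, not part of the original thread and not Samba's own code: a Python check that compares the operations appearing in smbd_audit lines against the full_audit:success and full_audit:failure lists, so the kind of fallback to logging everything that the reply suggests shows up as a count of unrequested operations. The function names and the sample log lines are constructed for illustration, and the pattern assumes the full_audit:prefix used in the thread with settings in a single section.

```python
import re
from collections import Counter

# Settings as posted in the thread.
SAMPLE_CONF = """
[global]
    full_audit:success = pwrite write rename
    full_audit:failure = none
"""

# Constructed log lines in the format shown in the thread.
_P = (r"Jun 15 17:04:51 smbserver smbd_audit: samba: IP=10.10.10.10|"
      r"USER=SAMDOM\user|MACHINE=10.10.10.10|VOLUME=home|")
SAMPLE_LOG = "\n".join(_P + tail for tail in [
    "stat|ok|/srv/samba/home",
    "openat|ok|r|/srv/samba/home/user/notes.txt",
    "pwrite|ok|/srv/samba/home/user/notes.txt",
    "stat|ok|/srv/samba/home/user",
    "close|ok|/srv/samba/home/user/notes.txt",
])

# prefix | operation | result | arguments (a failure result starts with "fail")
LINE_RE = re.compile(
    r"smbd_audit: samba: IP=[^|]*\|USER=[^|]*\|MACHINE=[^|]*\|"
    r"VOLUME=(?P<volume>[^|]*)\|(?P<op>[^|]+)\|(?P<result>ok|fail[^|]*)\|"
)

def configured_ops(conf_text, key):
    """Return the operation names listed for one full_audit option."""
    for line in conf_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() == key:
            return set(re.split(r"[\s,]+", value.strip())) - {""}
    return set()

def unexpected_ops(conf_text, log_text):
    """Count logged operations that the configuration did not ask for."""
    wanted = {"ok": configured_ops(conf_text, "full_audit:success"),
              "fail": configured_ops(conf_text, "full_audit:failure")}
    extra = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a full_audit line with this prefix
        kind = "ok" if m["result"] == "ok" else "fail"
        if "all" in wanted[kind] or m["op"] in wanted[kind]:
            continue
        extra[(m["volume"], m["op"], kind)] += 1
    return dict(extra)

if __name__ == "__main__":
    for (vol, op, kind), n in sorted(unexpected_ops(SAMPLE_CONF, SAMPLE_LOG).items()):
        print(f"{vol}: {op} ({kind}) logged {n}x but not configured")
```

An empty result after a configuration change means only the requested operations are reaching syslog.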