In case anyone is interested, I found the problem.

I was running samba in a container that did not have any syslog service
(rsyslogd or syslog-ng) running.  By default, samba syslog only sends messages
to the system's syslog socket and there was nothing listening on it so the
messages just got dropped.  I put rsyslogd in the container and configured it to
listen on the syslog socket and am now able to forward the logs as desired.

Feature request:  add a syslog logging option in the [global] config section
that would allow a syslog destination address:port option to send logs elsewhere
without requiring a local syslog daemon to do it.

thanks!
________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Wyll Ingersoll
via samba <samba at lists.samba.org>
Sent: Friday, March 10, 2023 12:59 PM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: [Samba] full_audit syslog logging question

Running Samba 4.16.4 and having problems getting the vfs_full_audit module to
send anything to syslog. I can get it to log to a file, but nothing happens when
using syslog only.

Configuration looks like:

[global]
...
log level = 4
log file = /var/log/samba/log.%m
logging = syslog@4
...

[foobar]
path = /foobar
vfs objects = full_audit streams_xattr acl_xattr
full_audit:priority = INFO
full_audit:facility = local5
full_audit:success = all
full_audit:failure = all
full_audit:prefix = %u|%I|%m|%S|%P

I have monitored the system port 514 with tcpdump and verified that nothing is
being sent out even when there is activity on the share (mount/unmount, list
directories, write/delete files). If I switch it to "logging = syslog@4 file",
I can see the full_audit messages show up in the standard log
files for each client.

What is the magic that needs to happen to have full_audit actually send out a
syslog message?

The goal is to be sending these audit messages to an external log server via
rsyslogd configuration but rsyslogd never gets any messages because Samba doesn't
appear to be sending anything over syslog (514/udp).

thanks,
  Wyllys Ingersoll
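
A quick check for the condition described in the reply at the top of this thread (no daemon listening on the local syslog socket), as an added example that is not part of the original messages. It assumes the Linux default socket path /dev/log and a datagram socket; the function names and the test message are illustrative.

```python
import os
import socket
import tempfile

LOCAL5_INFO = 21 * 8 + 6  # PRI for facility local5 (21), severity info (6) = 174


def probe_syslog_socket(path="/dev/log"):
    """Return 'missing', 'no-listener' or 'listening' for a syslog datagram socket."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(path)
    except FileNotFoundError:
        return "missing"        # no socket file at all
    except ConnectionRefusedError:
        return "no-listener"    # socket file exists, but no daemon is bound to it
    finally:
        s.close()
    return "listening"


def send_audit_test(path="/dev/log", text="constructed full_audit test line"):
    """Send one local5.info datagram as a syslog client would; True if accepted."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.sendto(f"<{LOCAL5_INFO}>{text}".encode(), path)
        return True
    except (FileNotFoundError, ConnectionRefusedError):
        return False            # the drop seen in the container without rsyslogd
    finally:
        s.close()


def demo():
    """Reproduce all three states on a private, constructed socket path."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "log")
        results["before"] = probe_syslog_socket(path)
        daemon = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        daemon.settimeout(2)
        daemon.bind(path)       # stands in for a syslog daemon's local socket
        results["with_daemon"] = probe_syslog_socket(path)
        send_audit_test(path)
        results["received"] = daemon.recv(1024).decode()
        daemon.close()          # daemon gone, socket file left behind
        results["after"] = probe_syslog_socket(path)
        results["sent_after"] = send_audit_test(path)
    return results


if __name__ == "__main__":
    print("/dev/log:", probe_syslog_socket())
    print(demo())
```

Run inside the Samba container, a result of "missing" or "no-listener" for /dev/log means audit records sent with "logging = syslog@4" have nowhere to go until a syslog daemon is started there.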