Hi, I have something like this in the logs:
[2004/04/22 08:35:55, 2] smbd/open.c:open_file(240)
tanrit opened file tanrit/Vorlagen/winword2.doc read=Yes write=No
(numopen=5)
So it's user, time, file; what else do you miss?
After all, you're right: grepping this is much work and will produce
a lot of big files if you want to automatically monitor all these
actions.
But I also had my problems.
I tried to set
/var/log/samba/%U.%m.log
to have a user-at-machine log, but this fails, I guess because of massive
logging actions.
I would like to see a parameter in Samba like this:
log file commun = ...
log file user log file machine
Perhaps one of the gurus may implement this some day.
--- these are my normal entries
log level = 2
syslog = 0
log file = /var/log/samba/%m.log
max log size = 100000
----
In the shares I have the audit module enabled.
Regards
Marco De Vitis wrote:
> Hello,
> I'm using Samba 3.0.7, and I'd like to keep logs of open/delete/etc.
> files, to be able to tell which user accessed a particular file at a
> certain moment, and so on.
>
> Samba logs are a bit confusing for this purpose.
> I thought the audit VFS module was best suited for the task, but I
> encountered some problems:
>
> 1. it does not clearly report which user did each action. Ok, it reports
> the PID, which could _maybe_ be put in relation with the user by searching
> in smbd logs, but it's uneasy.
>
> 2. It outputs lots of stuff, cluttering syslog. Ok, I can use syslog
> config to filter user.notice events in a different file, but this does not
> prevent syslog from becoming cluttered. Moreover, I tried this, and the
> file where I redirected the output grew up to more than 200 MB in a couple
> of days! :(
>
> 3. I'm now trying extd_audit, but the result seems more or less the same,
> if not even worse, as it also clutters Samba logs with its output.
>
> 4. I've noticed the presence of a "full_audit" module in my installation,
> without any docs. I had a look at the source, it contains some docs, and
> it seems interesting, but the docs do not list all available arguments for
> its options, and when trying to use it in smb.conf I get some fatal errors
> when starting Samba (sorry, cannot report the exact errors at the moment).
>
> Can anyone shed some light on the subject?
> Thanks a lot.
>
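
Added example (not part of the original messages): a small Python parser for log level 2 entries in the layout quoted in the reply above. It joins wrapped continuation lines and extracts user, time and file for each open. The sample log is constructed; only its first entry is taken from the message, and the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample. The first entry is the one quoted in the message; the
# others are made up, and "smbd/other.c:some_function" is a placeholder.
SAMPLE_LOG = """\
[2004/04/22 08:35:55, 2] smbd/open.c:open_file(240)
  tanrit opened file tanrit/Vorlagen/winword2.doc read=Yes write=No
  (numopen=5)
[2004/04/22 08:36:10, 2] smbd/other.c:some_function(1)
  unrelated message
[2004/04/22 08:37:02, 2] smbd/open.c:open_file(240)
  alice opened file docs/My Report.doc read=Yes write=Yes (numopen=1)
"""

# Header line: "[date time, level] source_file:function(line)"
HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+)\((\d+)\)\s*$")
# Message body; the file name may contain spaces, so match up to " read=".
OPEN = re.compile(
    r"^(\S+) opened file (.+) read=(Yes|No) write=(Yes|No) \(numopen=(\d+)\)$")

def entries(lines):
    """Yield (timestamp, source, message), joining wrapped message lines."""
    current = None
    for line in lines:
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            current = (ts, m.group(3), [])
        elif current and line.strip():
            current[2].append(line.strip())
    if current:
        yield current[0], current[1], " ".join(current[2])

def file_opens(lines):
    """Return one dict per open_file entry: time, user, file, read, write."""
    events = []
    for ts, source, message in entries(lines):
        m = OPEN.match(message)
        if source.endswith(":open_file") and m:
            events.append({"time": ts, "user": m.group(1), "file": m.group(2),
                           "read": m.group(3) == "Yes",
                           "write": m.group(4) == "Yes"})
    return events

if __name__ == "__main__":
    for e in file_opens(SAMPLE_LOG.splitlines()):
        print(e["time"], e["user"], e["file"], "rw" if e["write"] else "ro")
```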