Hi :-)

This is cross-posted from Linux Questions where it has not been answered.

This Samba configuration does not put anything in /var/log/samba/log.audit as expected. The messages are triplicated into /var/log/{messages,syslog,user.log}.

Here is the global section of smb.conf created by testparm smb.conf.source > smb.conf (no error messages)

===== smb.conf begins ====
[global]
	workgroup = ACUR
	netbios name = LS1
	server string = Server
	map to guest = Bad User
	syslog = 0
	smb ports = 139
	load printers = No
	preferred master = Yes
	domain master = Yes
	wins support = Yes
	remote announce = 10.8.0.6/ACUR 10.8.0.10/ACUR 10.8.0.14/ACUR 10.8.0.18/ACUR 10.8.0.22/ACUR 10.8.0.26/ACUR 10.8.0.30/ACUR 10.8.0.34/ACUR 10.8.0.38/ACUR 10.8.0.42/ACUR 10.8.0.46/ACUR 10.8.0.50/ACUR 10.8.0.54/ACUR 10.8.0.60/ACUR 10.8.0.64/ACUR 10.8.0.68/ACUR
	vfs_full_audit:priority = NOTICE
	vfs_full_audit:facility = LOCAL7
	vfs_full_audit:failure = all
	vfs_full_audit:success = all
	vfs_full_audit:prefix = %u|%I|%S
	guest ok = Yes
	vfs objects = full_audit
===== smb.conf ends ====

Here is /etc/rsyslog.d/samba-audit.conf (first line wrapped)

===== samba-audit.conf begins ====
if $syslogfacility-text == 'local7' and $programname == 'smbd' then /var/log/samba/log.audit
& ~
===== samba-audit.conf ends ====

The rsyslog and samba daemons were restarted. After browsing a share using a WXP system, /var/log/{messages,syslog,user.log} got messages but /var/log/samba/log.audit was empty.

This is on Debian squeeze with 2:3.5.6~dfsg-3squeeze6 and rsyslog 4.6.4-2.
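
A check of the posted configuration, as an added example that is not part of the original post: it lists the parametric options whose prefix is not a loaded VFS object, works out which syslog facility the audit module would then use, and evaluates the post's rsyslog filter against that facility. Assumptions: the module reads options under the `full_audit:` prefix (as in Samba's vfs_full_audit documentation), it falls back to facility USER when none is set, and the program name `smbd` is taken from the post's filter rather than from a captured message.

```python
import re

# Constructed sample: the audit-related lines of the [global] section in the post.
POSTED = """
[global]
    syslog = 0
    vfs_full_audit:priority = NOTICE
    vfs_full_audit:facility = LOCAL7
    vfs_full_audit:failure = all
    vfs_full_audit:success = all
    vfs_full_audit:prefix = %u|%I|%S
    vfs objects = full_audit
"""

ASSUMED_DEFAULT_FACILITY = "USER"  # assumption: module default when no facility is set


def parse_params(text):
    """Return {name: value} for every 'name = value' line; section headers are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[re.sub(r"\s+", " ", name.strip().lower())] = value.strip()
    return params


def unread_module_options(params):
    """Parametric options ('prefix:option') whose prefix is not a loaded VFS object."""
    loaded = set(params.get("vfs objects", "").split())
    return sorted(n for n in params if ":" in n and n.split(":", 1)[0] not in loaded)


def effective_facility(params):
    """Facility the audit module would use, looking only at the 'full_audit:' prefix."""
    return params.get("full_audit:facility", ASSUMED_DEFAULT_FACILITY).upper()


def rule_matches(facility, programname):
    """The post's filter: $syslogfacility-text == 'local7' and $programname == 'smbd'."""
    return facility.lower() == "local7" and programname == "smbd"


if __name__ == "__main__":
    p = parse_params(POSTED)
    print("options no loaded module reads:", unread_module_options(p))
    print("effective facility:", effective_facility(p))
    print("rule matches:", rule_matches(effective_facility(p), "smbd"))
```

To test the rsyslog rule on its own, independent of Samba, a message can be injected with `logger -p local7.notice -t smbd test` and looked for in /var/log/samba/log.audit.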