me at electronico.nc
2013-Nov-05 04:54 UTC
[Samba] 4.1.0 auditing : can't get only wanted vfs operations to log
Hi all,

So I'd like to log the user's operations on some shares.
As I need to know who made what when.
I'd read a previous answer from Andrew about auditing, so I can see logged operations.

Modified smb.conf :
> [global]
> vfs objects = dfs_samba4, acl_xattr, full_audit
> full_audit:success =none
> full_audit:failure = none

share is :
> [journal]
> path = /media/data/journal
> read only = No
> full_audit:prefix = %u|%I|%S
> full_audit:success = mkdir rmdir write rename
> full_audit:failure = none
> full_audit:facility = local5
> full_audit:priority = NOTICE

But I still got things like this in syslog :
> Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|*pread|ok*|2013-11-04/matin/test.doc
> Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|*aio_force|fail (Succès)*|2013-11-04/matin/test.doc
> Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|*pread|ok*|2013-11-04/matin/test.doc
> Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|close|ok|2013-11-04/matin/test.doc
> Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|*is_offline|fail (Opération non supportée)*|2013-11-04/matin/test.doc
> Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|open|ok|w|2013-11-04/matin/test.doc
> Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|is_offline|fail (Opération non supportée)|2013-11-04/matin/test.doc
> Nov 5 15:44:46 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|*stat|fail (Aucun fichier ou dossier de ce type)*|2013-11-04/desktop.ini
> Nov 5 15:44:46 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|*get_real_filename|fail (Opération non supportée)*|2013-11-04/desktop.ini->(null)
> Nov 5 15:44:46 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|opendir|ok|2013-11-04
> Nov 5 15:44:46 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|*translate_name|fail (Opération non supportée)*|

I have googled and found this page ( http://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html ).
I don't understand why all these unwanted VFS operations are logged.

There might be other solutions to proceed, I'm open to any suggestion !
Thanks in advance for your time.
Nicolas
me at electronico.nc
2013-Nov-05 07:33 UTC
[Samba] 4.1.0 auditing : can't get only wanted vfs operations to log // solved
On 05/11/2013 15:54, me at electronico.nc wrote:
> Hi all,
>
> So I'd like to log the user's operations on some shares.
> As I need to know who made what when.
> I'd read a previous answer from Andrew about auditing, so I can see
> logged operations.
>
> Modified smb.conf :
>> [global]
>> vfs objects = dfs_samba4, acl_xattr, full_audit
>> full_audit:success =none
>> full_audit:failure = none
>
> share is :
>> [journal]
>> path = /media/data/journal
>> read only = No
>> full_audit:prefix = %u|%I|%S
>> full_audit:success = mkdir rmdir write rename
>> full_audit:failure = none
>> full_audit:facility = local5
>> full_audit:priority = NOTICE
>
> But I still got things like this in syslog :
>> Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|*pread|ok*|2013-11-04/matin/test.doc
>> Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|*aio_force|fail (Succès)*|2013-11-04/matin/test.doc
>> Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|*pread|ok*|2013-11-04/matin/test.doc
>> Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|close|ok|2013-11-04/matin/test.doc
>> Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|*is_offline|fail (Opération non supportée)*|2013-11-04/matin/test.doc
>> Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|open|ok|w|2013-11-04/matin/test.doc
>> Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|is_offline|fail (Opération non supportée)|2013-11-04/matin/test.doc
>> Nov 5 15:44:46 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|*stat|fail (Aucun fichier ou dossier de ce type)*|2013-11-04/desktop.ini
>> Nov 5 15:44:46 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|*get_real_filename|fail (Opération non supportée)*|2013-11-04/desktop.ini->(null)
>> Nov 5 15:44:46 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|opendir|ok|2013-11-04
>> Nov 5 15:44:46 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|*translate_name|fail (Opération non supportée)*|
>
> I have googled and found this page (
> http://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html ).
> I don't understand why all these unwanted VFS operations are logged.
>
> There might be other solutions to proceed, I'm open to any suggestion !
> Thanks in advance for your time.
> Nicolas
>

It turns out that Samba needs to be *RESTARTED* and not only reloaded to take care of these modifications.

Nicolas
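
An added example, not part of the original thread or of Samba: a small Python filter for `smbd_audit` syslog lines written with the `%u|%I|%S` prefix from the post, which keeps the operations the share is configured to log and counts everything else. The lines in `SAMPLE` are constructed in the thread's format, and `parse` and `audit` are hypothetical helper names.

```python
import re
from collections import Counter

# Operations the [journal] share lists in full_audit:success (from the post).
WANTED_SUCCESS = {"mkdir", "rmdir", "write", "rename"}

# Constructed sample: syslog header, then the full_audit prefix %u|%I|%S,
# then operation|result|arguments.
SAMPLE = r"""
Nov  5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|pread|ok|2013-11-04/matin/test.doc
Nov  5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|open|ok|w|2013-11-04/matin/test.doc
Nov  5 15:44:46 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|stat|fail (No such file or directory)|2013-11-04/desktop.ini
Nov  5 16:02:10 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|mkdir|ok|2013-11-05
Nov  5 16:02:31 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|rename|ok|2013-11-05/a.doc|2013-11-05/b.doc
Nov  5 16:03:00 serveur sshd[811]: unrelated line
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssmbd_audit:\s(?P<body>.*)$")


def parse(line):
    """Split one smbd_audit line into who / from where / share / what."""
    m = LINE.match(line)
    if not m:
        return None
    parts = m["body"].split("|")
    if len(parts) < 5:          # prefix (3 fields) + operation + result
        return None
    user, ip, share, op, result = parts[:5]
    # Arguments are split on '|' too; a path containing '|' would be cut.
    return {"ts": m["ts"], "user": user, "ip": ip, "share": share,
            "op": op, "ok": result == "ok", "args": parts[5:]}


def audit(text, wanted=WANTED_SUCCESS):
    """Return (wanted successful events, Counter of every other operation)."""
    events, noise = [], Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["ok"] and rec["op"] in wanted:
            events.append(rec)
        else:
            noise[rec["op"]] += 1   # not in the success list, or a failure
    return events, noise
```

A non-empty `noise` counter means smbd is still logging operations outside the share's `full_audit:success` list, the symptom described in the thread.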