Hi,
My apologies if this isn't the right place to ask this question.
We have been trying to set up auditing in Samba but can't seem to get it to work.
The audit log file is empty and we see some entries about files/folders in
the /var/log/samba/%m but not the actual audit bits. Can someone please
assist or point me in the correct direction?
syslog = 0
log file = /var/log/samba/%m
Log level = 0 vfs:0
max log size = 0
full_audit:prefix = %u|%I|%S
full_audit:failure = none
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice
The following in /etc/rsyslog.d/00-samba-audit.conf
local5.notice /var/log/samba/audit.log
& ~
and the following in /etc/rsyslog.d/50-default.conf
*.*;auth,authpriv.none -/var/log/syslog
*.*;local5,auth,authpriv.none -/var/log/syslog
local5.notice /var/log/samba/audit.log
The samba service and rsyslog have been restarted multiple times
Thank you,
Rob
On Sat, 5 May 2018 23:40:47 +1000 Robin G via samba <samba at lists.samba.org> wrote:

...
> full_audit:prefix = %u|%I|%S
> full_audit:failure = none
> full_audit:success = mkdir rmdir read pread write pwrite rename
> unlink
> full_audit:facility = local5
> full_audit:priority = notice
>
>
> The following in /etc/rsyslog.d/00-samba-audit.conf
> local5.notice /var/log/samba/audit.log
> & ~
>
> and the following in /etc/rsyslog.d/50-default.conf
> *.*;auth,authpriv.none -/var/log/syslog
> *.*;local5,auth,authpriv.none -/var/log/syslog
> local5.notice /var/log/samba/audit.log
>
> The samba service and rsyslog have been restarted multiple times

I think you may be missing

vfs objects = full_audit

in each and every share you want to monitor.

Ethy
On Sat, 5 May 2018 11:11:21 -0300 "Ethy H. Brito via samba" <samba at lists.samba.org> wrote:

> On Sat, 5 May 2018 23:40:47 +1000
> Robin G via samba <samba at lists.samba.org> wrote:
>
> ...
> >
> > full_audit:prefix = %u|%I|%S
> > full_audit:failure = none
> > full_audit:success = mkdir rmdir read pread write pwrite
> > rename unlink
> > full_audit:facility = local5
> > full_audit:priority = notice
> >
> >
> > The following in /etc/rsyslog.d/00-samba-audit.conf
> > local5.notice /var/log/samba/audit.log
> > & ~
> >
> > and the following in /etc/rsyslog.d/50-default.conf
> > *.*;auth,authpriv.none -/var/log/syslog
> > *.*;local5,auth,authpriv.none -/var/log/syslog
> > local5.notice /var/log/samba/audit.log
> >
> > The samba service and rsyslog have been restarted multiple times
>
>
> I think you may be missing
>
> vfs objects = full_audit
>
> in each and every share you want to monitor.
>
> Ethy
>

You are guessing there and this isn't surprising, as the OP didn't give us the main piece of evidence, their smb.conf. Without this, anything suggested would be a guess.

Rowland