On Sat, 5 May 2018 11:11:21 -0300 "Ethy H. Brito via samba" <samba at lists.samba.org> wrote:> On Sat, 5 May 2018 23:40:47 +1000 > Robin G via samba <samba at lists.samba.org> wrote: > > ... > > > > full_audit:prefix = %u|%I|%S > > full_audit:failure = none > > full_audit:success = mkdir rmdir read pread write pwrite > > rename unlink > > full_audit:facility = local5 > > full_audit:priority = notice > > > > > > The following in /etc/rsyslog.d/00-samba-audit.conf > > local5.notice /var/log/samba/audit.log > > & ~ > > > > and the following in /etc/rsyslog.d/50-default.conf > > *.*;auth,authpriv.none -/var/log/syslog > > *.*;local5,auth,authpriv.none -/var/log/syslog > > local5.notice /var/log/samba/audit.log > > > > The samba service and rsyslog have been restarted multiple times > > > I think you may be missing > > vfs objects = full_audit > > in each and every share you want to monitor. > > Ethy > >You are guessing there and this isn't surprising, as the OP didn't give us the main piece of evidence, their smb.conf. Without this, anything suggested would be a guess. Rowland
Hi Rowland, here is the smb.conf. All shares have the full_audit [global] workgroup = RESOLVS netbios name = DC1 security = USER obey pam restrictions = yes local master = yes domain master = yes preferred master = yes domain logons = yes os level = 50 #### LDAP definitions #### ### Logging syslog = 0 log file = /var/log/samba/%m Log level = 0 vfs:0 max log size = 0 full_audit:prefix = %u|%I|%S full_audit:failure = none full_audit:success = mkdir rmdir read pread write pwrite rename unlink full_audit:facility = local5 full_audit:priority = notice [homes] create mask = 0700 directory mask = 0700 browseable = No read only = No path = %H vfs objects = full_audit [data] path = /srv/data force group = allusers read only = No inherit permissions = Yes hide unreadable = Yes vfs objects = full_audit Regards, Rob On Sun, May 6, 2018 at 12:20 AM, Rowland Penny via samba < samba at lists.samba.org> wrote:> On Sat, 5 May 2018 11:11:21 -0300 > "Ethy H. Brito via samba" <samba at lists.samba.org> wrote: > > > On Sat, 5 May 2018 23:40:47 +1000 > > Robin G via samba <samba at lists.samba.org> wrote: > > > > ... > > > > > > > full_audit:prefix = %u|%I|%S > > > full_audit:failure = none > > > full_audit:success = mkdir rmdir read pread write pwrite > > > rename unlink > > > full_audit:facility = local5 > > > full_audit:priority = notice > > > > > > > > > The following in /etc/rsyslog.d/00-samba-audit.conf > > > local5.notice /var/log/samba/audit.log > > > & ~ > > > > > > and the following in /etc/rsyslog.d/50-default.conf > > > *.*;auth,authpriv.none -/var/log/syslog > > > *.*;local5,auth,authpriv.none -/var/log/syslog > > > local5.notice /var/log/samba/audit.log > > > > > > The samba service and rsyslog have been restarted multiple times > > > > > > I think you may be missing > > > > vfs objects = full_audit > > > > in each and every share you want to monitor. > > > > Ethy > > > > > > You are guessing there and this isn't surprising, as the OP didn't give > us the main piece of evidence, their smb.conf. Without this, anything > suggested would be a guess. > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
On Sun, 6 May 2018 20:05:20 +1000 Robin G <robinghere3 at gmail.com> wrote:> Hi Rowland, > here is the smb.conf. All shares have the full_audit > > [global] > workgroup = RESOLVS > netbios name = DC1 > security = USER > obey pam restrictions = yes > local master = yes > domain master = yes > preferred master = yes > domain logons = yes > os level = 50 > #### > > LDAP definitionsWhat LDAP definitions ???> > #### > > ### Logging > > syslog = 0 > log file = /var/log/samba/%m > Log level = 0 vfs:0 > max log size = 0 > full_audit:prefix = %u|%I|%S > full_audit:failure = none > full_audit:success = mkdir rmdir read pread write pwrite > rename unlink > full_audit:facility = local5 > full_audit:priority = notice > > > [homes] > create mask = 0700 > directory mask = 0700 > browseable = No > read only = No > path = %H > vfs objects = full_audit > > [data] > path = /srv/data > force group = allusers > read only = No > inherit permissions = Yes > hide unreadable = Yes > vfs objects = full_audit > >Try it like this: [global] ....... ..... ... vfs objects = full_audit full_audit:prefix = %u|%I|%S full_audit:failure = none full_audit:success = mkdir rmdir read pread write pwrite rename unlink full_audit:facility = local5 full_audit:priority = notice or like this: [global] ....... ..... ... vfs objects = full_audit [homes] create mask = 0700 directory mask = 0700 browseable = No read only = No path = %H full_audit:prefix = %u|%I|%S full_audit:failure = none full_audit:success = mkdir rmdir read pread write pwrite rename unlink full_audit:facility = local5 full_audit:priority = notice Rowland