On Sun, 6 May 2018 20:05:20 +1000
Robin G <robinghere3 at gmail.com> wrote:

> Hi Rowland,
> here is the smb.conf. All shares have the full_audit
>
> [global]
> workgroup = RESOLVS
> netbios name = DC1
> security = USER
> obey pam restrictions = yes
> local master = yes
> domain master = yes
> preferred master = yes
> domain logons = yes
> os level = 50
> ####
>
> LDAP definitions

What LDAP definitions ???

>
> ####
>
> ### Logging
>
> syslog = 0
> log file = /var/log/samba/%m
> Log level = 0 vfs:0
> max log size = 0
> full_audit:prefix = %u|%I|%S
> full_audit:failure = none
> full_audit:success = mkdir rmdir read pread write pwrite
> rename unlink
> full_audit:facility = local5
> full_audit:priority = notice
>
>
> [homes]
> create mask = 0700
> directory mask = 0700
> browseable = No
> read only = No
> path = %H
> vfs objects = full_audit
>
> [data]
> path = /srv/data
> force group = allusers
> read only = No
> inherit permissions = Yes
> hide unreadable = Yes
> vfs objects = full_audit
>
>

Try it like this:

[global]
.......
.....
...
vfs objects = full_audit
full_audit:prefix = %u|%I|%S
full_audit:failure = none
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice

or like this:

[global]
.......
.....
...
vfs objects = full_audit

[homes]
create mask = 0700
directory mask = 0700
browseable = No
read only = No
path = %H
full_audit:prefix = %u|%I|%S
full_audit:failure = none
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice

Rowland

Hi Rowland,

Thank you.

I tried both options. The following is using option 2

[global]
vfs objects = full_audit
[homes]
create mask = 0700
directory mask = 0700
browseable = No
read only = No
path = %H
full_audit:prefix = %u|%I|%S
full_audit:failure = none
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = notice

and then did the tail -f audit.log, after restarting the smbd, nmbd and
rsyslog (which generated the audit.log file), nothing is being recorded. I
see some stuff in the log.machinename like

[2018/05/02 20:43:50.191504, 2] smbd/dosmode.c:114(unix_mode)
unix_mode(New folder (2)) inherit mode 40777

but not the audit.log

Just confirming, the /etc/rsyslog.d/00-samba-audit.conf
local5.notice /var/log/samba/audit.log
&~

cat /etc/rsyslog.d/50-default.conf
*.*;local5,auth,authpriv.none -/var/log/syslog
local5.notice /var/log/samba/audit.log
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice

The /etc/rsyslog.conf has the following
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

Am I missing something? The samba box in question is 4.3.x but I have also
tried this in an old Samba box (3.6.x)

I think the issue is permissions related. I changed the log location to
/tmp/audit.log and now it is populating. What should be the permissions for
/var/log/samba/audit.log?
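
Added example, not part of the original thread: a small Python tracer that walks the two rsyslog.d files quoted above in load order and reports where a message with a given facility and priority is written and which file, if any, discards it. The file contents are constructed, abridged copies of the posted ones, the function names are illustrative, and only the selector forms that appear in this thread are handled.

```python
# Syslog severities from most to least severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed, abridged copies of the two rsyslog.d files quoted in the thread.
CONFIGS = {
    "00-samba-audit.conf": "local5.notice /var/log/samba/audit.log\n&~\n",
    "50-default.conf": (
        "*.*;local5,auth,authpriv.none -/var/log/syslog\n"
        "local5.notice /var/log/samba/audit.log\n"
        "kern.* -/var/log/kern.log\n"
    ),
}

def selector_matches(selector, facility, priority):
    """Evaluate a selector; only the forms used in this thread (no '=' or '!')."""
    matched = False
    for part in selector.split(";"):
        facilities, _, level = part.rpartition(".")
        if not {"*", facility} & set(facilities.split(",")):
            continue                      # this part says nothing about our facility
        if level == "none":
            matched = False               # explicit exclusion overrides earlier parts
        elif level == "*":
            matched = True
        else:                             # 'notice' means notice or more severe
            matched = PRIORITIES.index(priority) <= PRIORITIES.index(level)
    return matched

def trace(configs, facility, priority):
    """Return (destinations, stopped_in); files are read in lexical order."""
    destinations, prev_matched = [], False
    for name in sorted(configs):
        for line in configs[name].splitlines():
            line = line.strip()
            if not line or line[0] in "#$":
                continue                  # blank, comment or $Directive
            if line.startswith("&"):
                # '&' adds an action to the previous rule; '~' is the legacy discard.
                if prev_matched and line[1:].strip() == "~":
                    return destinations, name
                continue
            selector, action = line.split(None, 1)
            prev_matched = selector_matches(selector, facility, priority)
            if prev_matched:
                destinations.append((name, action.lstrip("-")))  # '-' = no sync
    return destinations, None
```

Calling `trace(CONFIGS, "local5", "notice")` ends in 00-samba-audit.conf with /var/log/samba/audit.log as the only destination, so the selectors route the full_audit messages to the intended file and the duplicate rule in 50-default.conf is never reached.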