On Sun, 6 May 2018 20:05:20 +1000
Robin G <robinghere3 at gmail.com> wrote:

> Hi Rowland,
> here is the smb.conf. All shares have the full_audit
>
> [global]
>         workgroup = RESOLVS
>         netbios name = DC1
>         security = USER
>         obey pam restrictions = yes
>         local master = yes
>         domain master = yes
>         preferred master = yes
>         domain logons = yes
>         os level = 50
> ####
>
> LDAP definitions

What LDAP definitions ???

>
> ####
>
> ### Logging
>
>         syslog = 0
>         log file = /var/log/samba/%m
>         Log level = 0 vfs:0
>         max log size = 0
>         full_audit:prefix = %u|%I|%S
>         full_audit:failure = none
>         full_audit:success = mkdir rmdir read pread write pwrite rename unlink
>         full_audit:facility = local5
>         full_audit:priority = notice
>
>
> [homes]
>         create mask = 0700
>         directory mask = 0700
>         browseable = No
>         read only = No
>         path = %H
>         vfs objects = full_audit
>
> [data]
>         path = /srv/data
>         force group = allusers
>         read only = No
>         inherit permissions = Yes
>         hide unreadable = Yes
>         vfs objects = full_audit
>

Try it like this:

[global]
.......
.....
...
        vfs objects = full_audit
        full_audit:prefix = %u|%I|%S
        full_audit:failure = none
        full_audit:success = mkdir rmdir read pread write pwrite rename unlink
        full_audit:facility = local5
        full_audit:priority = notice

or like this:

[global]
.......
.....
...
        vfs objects = full_audit

[homes]
        create mask = 0700
        directory mask = 0700
        browseable = No
        read only = No
        path = %H
        full_audit:prefix = %u|%I|%S
        full_audit:failure = none
        full_audit:success = mkdir rmdir read pread write pwrite rename unlink
        full_audit:facility = local5
        full_audit:priority = notice

Rowland

Hi Rowland,
Thank you.
I tried both options. The following is using option 2
[global]
        vfs objects = full_audit
[homes]
        create mask = 0700
        directory mask = 0700
        browseable = No
        read only = No
        path = %H
        full_audit:prefix = %u|%I|%S
        full_audit:failure = none
        full_audit:success = mkdir rmdir read pread write pwrite rename unlink
        full_audit:facility = local5
        full_audit:priority = notice
and then did the tail -f audit.log, after restarting the smbd, nmbd and
rsyslog (which generated the audit.log file), nothing is being recorded. I
see some stuff in the log.machinename like
[2018/05/02 20:43:50.191504,  2] smbd/dosmode.c:114(unix_mode)
  unix_mode(New folder (2)) inherit mode 40777
but not the audit.log
Just confirming, the /etc/rsyslog.d/00-samba-audit.conf
local5.notice /var/log/samba/audit.log
&~
cat /etc/rsyslog.d/50-default.conf
*.*;local5,auth,authpriv.none -/var/log/syslog
local5.notice /var/log/samba/audit.log
#cron.*                         /var/log/cron.log
#daemon.*                       -/var/log/daemon.log
kern.*                          -/var/log/kern.log
#lpr.*                          -/var/log/lpr.log
mail.*                          -/var/log/mail.log
#user.*                         -/var/log/user.log
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice
The /etc/rsyslog.conf has the following
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
Am I missing something? The samba box in question is 4.3.x but I have also
tried this in an old Samba box (3.6.x)

I think the issue is permissions related. I changed the log location to /tmp/audit.log and now it is populating. What should be the permissions for /var/log/samba/audit.log?
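
For the permissions question in the last message, an added example (not part of the thread): a Python helper that walks from / down to the log file and reports the first directory or file whose mode bits stop a given account from appending to it. It assumes rsyslog writes the file as an unprivileged account (the name `syslog` in the usage comment is an assumption; substitute the account your rsyslog runs as) and it checks classic owner/group/other bits only, not ACLs or AppArmor/SELinux policy.

```python
import os
import pwd
import sys
import tempfile

def can(st, uid, gids, bit):
    """Owner/group/other check for one permission bit (ACLs, MAC policy ignored)."""
    if uid == 0:
        return True                      # root bypasses mode bits
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & bit)

def first_blocker(log_path, uid, gids):
    """Return (path, reason) for the first obstacle to appending, else None."""
    log_path = os.path.abspath(log_path)
    parent = os.path.dirname(log_path)
    chain, d = [parent], parent
    while d != os.path.dirname(d):       # collect ancestors up to "/"
        d = os.path.dirname(d)
        chain.append(d)
    for d in reversed(chain):            # "/" first, log directory last
        if not can(os.stat(d), uid, gids, 0o1):
            return d, "directory not searchable (x)"
    if os.path.exists(log_path):
        if not can(os.stat(log_path), uid, gids, 0o2):
            return log_path, "existing file not writable (w)"
    elif not can(os.stat(parent), uid, gids, 0o2):
        return parent, "file absent and directory not writable (w)"
    return None

def demo():
    """Constructed case: a 0750 log directory seen by its owner and by an outsider."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o755)
        logdir = os.path.join(tmp, "samba")
        os.mkdir(logdir)
        os.chmod(logdir, 0o750)
        st = os.stat(logdir)
        target = os.path.join(logdir, "audit.log")
        mine = set(os.getgroups()) | {st.st_gid}
        return (first_blocker(target, st.st_uid, mine),
                first_blocker(target, st.st_uid + 1, {st.st_gid + 1}))

if __name__ == "__main__":
    if len(sys.argv) == 3:               # e.g. /var/log/samba/audit.log syslog
        pw = pwd.getpwnam(sys.argv[2])
        gids = set(os.getgrouplist(sys.argv[2], pw.pw_gid))
        print(first_blocker(sys.argv[1], pw.pw_uid, gids) or "mode bits allow it")
    else:
        print(demo())
```

Run it with the log path and the rsyslog account as arguments; a result naming `/var/log/samba` rather than the file itself points at the directory's mode or group, which would be consistent with the same rule working once the target is moved to `/tmp`.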