Hi,

We have full_audit configured like this, for testing:

> [global]
>
> #    full_audit:success = mkdirat renameat unlinkat open connect
>     full_audit:success = none
> #    full_audit:failure = mkdirat renameat unlinkat connect
>     full_audit:failure = none
>     full_audit:prefix = IP=%I | USER=%u | MACHINE=%m | VOLUME=%S
>     full_audit:facility = local7
>     full_audit:priority = NOTICE

We set both success and failure temporarily to NONE, since our (original, commented out) full_audit config was causing way too much traffic.

So we set everything to NONE expecting that nothing would be logged, and we could slowly enable specific items again, and monitor.

However, much to our surprise, with the above full_audit NONE config full_audit is still generating *a lot* of logging, like this:

> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|sys_acl_get_file|ok|/home/username
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|getxattr|fail (No data available)|/home/username|user.SAMBA_PAI
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_nt_acl_at|ok|/home/username
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|fs_file_id|ok|1074561160
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_alloc_size|ok|0
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|close|ok|/home/username
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|stat|ok|/home/username
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|getxattr|fail (No data available)|/home/username|user.DOSATTRIB
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_dos_attributes|fail (No data available)|/home/username
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_alloc_size|ok|0
>
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|sys_acl_get_file|ok|/home/username/certificates/strategic plan
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|sys_acl_get_file|ok|/home/username/certificates/strategic plan
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|getxattr|fail (No data available)|/home/username/certificates/strategic plan|user.SAMBA_PAI
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_nt_acl_at|ok|/home/username/certificates/strategic plan
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_alloc_size|ok|0
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|close|ok|/home/username/certificates/strategic plan
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|stat|ok|/home/username/certificates/strategic plan
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|getxattr|ok|/home/username/certificates/strategic plan|user.DOSATTRIB
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_dos_attributes|ok|/home/username/certificates/strategic plan
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_alloc_size|ok|0

I tried adding !get_alloc_size !sys_acl_get_file !getxattr to the full_audit:success config but it just goes on.

Can anyone explain what we are doing wrong? This is on 4.13.7

Thanks!
MJ
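An added example, not from the post or from Samba: a parser for the smbd_audit lines quoted above (the configured prefix fields, then the VFS op, ok/fail status and arguments), with a summary per op and per failure reason so the operations responsible for the volume can be identified. The sample lines are constructed from the ones in the post; the syslog header shape is assumed.

```python
import re
from collections import Counter

# Constructed sample: five lines in the shape of those quoted in the post.
SAMPLE_LOG = r"""Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|sys_acl_get_file|ok|/home/username
Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|getxattr|fail (No data available)|/home/username|user.SAMBA_PAI
Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_alloc_size|ok|0
Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_alloc_size|ok|0
Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|getxattr|ok|/home/username/certificates/strategic plan|user.DOSATTRIB
"""

# Assumed syslog header: "Mon DD HH:MM:SS host smbd_audit[pid]: message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) smbd_audit\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PREFIX_KEYS = ("IP", "USER", "MACHINE", "VOLUME")  # field order of the posted full_audit:prefix
FAIL_RE = re.compile(r"fail \((.*)\)")

def parse_line(line):
    """Return a dict for one smbd_audit line, or None if it does not match the posted format."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # The prefix uses " | " and the audit body uses "|"; split on "|" and strip to handle both.
    fields = [f.strip() for f in m.group("msg").split("|")]
    if len(fields) < len(PREFIX_KEYS) + 2:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
    for key, field in zip(PREFIX_KEYS, fields):
        k, _, v = field.partition("=")
        if k != key:
            return None  # prefix layout differs from the configured one
        rec[key.lower()] = v
    rec["op"] = fields[len(PREFIX_KEYS)]          # VFS operation name, e.g. getxattr
    status = fields[len(PREFIX_KEYS) + 1]         # "ok" or "fail (reason)"
    rec["ok"] = status == "ok"
    fm = FAIL_RE.match(status)
    rec["error"] = fm.group(1) if fm else None
    rec["args"] = fields[len(PREFIX_KEYS) + 2:]   # path, xattr name, size, ...
    return rec

def summarize(text):
    """Count lines per VFS op and per (op, failure reason) to see where the volume comes from."""
    by_op, fails = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_op[rec["op"]] += 1
        if not rec["ok"]:
            fails[(rec["op"], rec["error"])] += 1
    return by_op, fails
```

Run `summarize()` over a real `/var/log` extract of the local7 facility to get the per-op counts for the real share.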
On 28.06.2021 14:54, mj via samba wrote:
> Hi,
>
> We have full_audit configured like this, for testing:
>
>> [global]
>>
>> #    full_audit:success = mkdirat renameat unlinkat open connect
>>     full_audit:success = none
>> #    full_audit:failure = mkdirat renameat unlinkat connect
>>     full_audit:failure = none
>>     full_audit:prefix = IP=%I | USER=%u | MACHINE=%m | VOLUME=%S
>>     full_audit:facility = local7
>>     full_audit:priority = NOTICE
>
> We set both success and failure temporarily to NONE, since our
> (original, commented out) full_audit config was causing way too much
> traffic.
>
> So we set everything to NONE expecting that nothing would be logged, and
> we could slowly enable specific items again, and monitor.
>
> However, much to our surprise with the above full_audit NONE config,
> full_audit is still generating *a lot* of logging, like this:

The same is over here after upgrading to 4.12.15 and eventually to 4.13.8.

It seems full_audit:success and full_audit:failure accept only NONE. Anything other than NONE falls back to ALL.

vfs_full_audit is unusable in 4.12 and 4.13, so fall back to 4.11.

Cheers,
Oleg