samba - Oct 2021 - vfs_full_audit only files modification

On Wed, Oct 06, 2021 at 08:13:27AM +0200, Janusz Bli?niak via samba
wrote:
>Hello all
>I would like to monitor which files and only files are really open, 
>create and modify on my samba shares. My bellow configuration would 
>have been works fine if there is a way to exclude information about 
>opening and closing folders.? For example when the mouse cursor is 
>over a folder, full_audit logs 'open' operations for every folder 
>inside, Windows probably checks the folders to calculated size and 
>show it in the tool-tip. It is similar with files, it is enough for 
>the mouse to be over the file for full_audit to log the operation e.g. 
>"| share_name | open | ok | r |".
>I try to log operation:
>pread, pwirte - but they don't return anything
>pread_recv, pread_send - works but they generate too much entries, 
>especially when the files are big
>open, close - generate logs as well for folders
>create_file - generate too many logs
>
>Is there a way to monitor really opened or modified files on samba 
>shares without logging redundant events?
Well the folders *are* really opened, that's the thing.
At the VFS layer, in order to list a directory (folder)
it must be opened.

You need to explain exactly what you mean by "really opened"
in a way that can translate into code.

W dniu 2021-10-06 o?18:20, Jeremy Allison via samba
pisze:
> On Wed, Oct 06, 2021 at 08:13:27AM +0200, Janusz Bli?niak via samba 
> wrote:
>> Hello all
>> I would like to monitor which files and only files are really open, 
>> create and modify on my samba shares. My bellow configuration would 
>> have been works fine if there is a way to exclude information about 
>> opening and closing folders.? For example when the mouse cursor is 
>> over a folder, full_audit logs 'open' operations for every
folder
>> inside, Windows probably checks the folders to calculated size and 
>> show it in the tool-tip. It is similar with files, it is enough for 
>> the mouse to be over the file for full_audit to log the operation 
>> e.g. "| share_name | open | ok | r |".
>> I try to log operation:
>> pread, pwirte - but they don't return anything
>> pread_recv, pread_send - works but they generate too much entries, 
>> especially when the files are big
>> open, close - generate logs as well for folders
>> create_file - generate too many logs
>>
>> Is there a way to monitor really opened or modified files on samba 
>> shares without logging redundant events?
>
> Well the folders *are* really opened, that's the thing.
> At the VFS layer, in order to list a directory (folder)
> it must be opened.
>
> You need to explain exactly what you mean by "really opened"
> in a way that can translate into code.
>
I would like to know which user has opened a file in order to read or 
edit it.
I know that the directory where the file is located must be opened, and 
that is clear to me
but I would like to exclude this information from the log because there 
is a lot of it, which makes the log unreadable.
Below are logs where I opened from Windows 10 
/mnt/test/Folder1/Folder1_1/file.ods on the? share "/mnt/test/"
I logged only operations: open, opendir
I thought "open" would only appear on files and "opendir" on
directories, but it's different.


Oct? 8 12:45:19 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct? 8 12:45:19 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct? 8 12:45:19 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct? 8 12:45:19 srv-test smbd_audit: ...|opendir|ok|.
Oct? 8 12:45:19 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct? 8 12:45:19 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct? 8 12:45:19 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct? 8 12:45:19 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct? 8 12:45:20 srv-test smbd_audit: ...|open|ok|r|/mnt/test/file.odt
Oct? 8 12:45:20 srv-test smbd_audit: ...|open|ok|r|/mnt/test/file.odt
Oct? 8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct? 8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct? 8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct? 8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct? 8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct? 8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct? 8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct? 8 12:45:21 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct? 8 12:45:22 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:22 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:22 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:22 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:22 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:22 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:22 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:22 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:23 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1/file.ods
Oct? 8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct? 8 12:45:23 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:23 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:23 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:23 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:23 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct? 8 12:45:23 srv-test smbd_audit: 
...|open|ok|w|/mnt/test/Folder1/Folder1_1/file.ods
Oct? 8 12:45:23 srv-test smbd_audit: ...|opendir|ok|.
Oct? 8 12:45:23 srv-test smbd_audit: 
...|open|ok|w|/mnt/test/Folder1/Folder1_1/.~lock.file.ods#
Oct? 8 12:45:23 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:23 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:23 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1/file.ods
Oct? 8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct? 8 12:45:23 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct? 8 12:45:23 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:24 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct? 8 12:45:24 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct? 8 12:45:24 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct? 8 12:45:24 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct? 8 12:45:24 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:28 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct? 8 12:45:28 srv-test smbd_audit: ...|open|ok|r|/mnt/test
Oct? 8 12:45:28 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct? 8 12:45:28 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1
Oct? 8 12:45:28 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1/.~lock.file.ods#
Oct? 8 12:45:28 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:28 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1
Oct? 8 12:45:28 srv-test smbd_audit: ...|open|ok|r|/mnt/test/Folder1

Instead of the above, I would like to get something like this

Oct? 8 12:45:23 srv-test smbd_audit: 
...|open|ok|r|/mnt/test/Folder1/Folder1_1/file.ods
Oct? 8 12:45:23 srv-test smbd_audit: 
...|open|ok|w|/mnt/test/Folder1/Folder1_1/file.ods
Oct? 8 12:45:23 srv-test smbd_audit: 
...|open|ok|w|/mnt/test/Folder1/Folder1_1/.~lock.file.ods#
-- 

Regards
Janusz