On 11-09-2023 18:49, d tbsky via samba wrote:
> Kees van Vloten via samba <samba at lists.samba.org>
>>
>> Op 11-09-2023 om 12:14 schreef d tbsky via samba:
>>> Hi:
>>> today my user reported that one directory at the samba share
>>> disappeared.
>>> I had created the vfs_full_audit like below:
>>>
>>> vfs objects = recycle full_audit
>>> full_audit:priority = notice
>>> full_audit:facility = local5
>>> full_audit:success = mkdirat renameat unlinkat
>>> full_audit:failure = none
>>> full_audit:prefix = %u|%I
>>>
>>> but I can not find the related log about the missing directory.
>>> Normally I can find deleted/renamed files via the log. I wonder if
>>> there is some other vfs operation I should add to monitor
>>> directories?
>>>
>>> thanks a lot for your help!
>> Is your question, what full_audit property to add to see a missing
>> directory? What exactly do you want to see, the deletion or a failing
>> call that tries to read it or something else?
> Hi:
> sorry. I found the missing directory in the audit log. My user told
> me the incorrect information so it took me a long time to check the log.
> I use vfs_full_audit so that when a user can not find their stuff, I can
> understand what happened.
> However, currently vfs_full_audit writes too much useless data even with
> my current configuration above.
> For example it would log the data below:
>
> Sep 11 17:57:32 file smbd_audit[42497]: [2023/09/11 17:57:32.207301,
> 0] ../../lib/util/access.c:372(allow_access)
> Sep 11 17:57:32 file smbd_audit[42497]: Denied connection from
> 10.11.1.19 (10.11.1.19)
> Sep 11 17:57:34 file smbd_audit[42497]: [2023/09/11 17:57:34.265839,
> 0] ../../lib/util/access.c:372(allow_access)
> Sep 11 17:57:34 file smbd_audit[42497]: Denied connection from
> 10.11.1.19 (10.11.1.19)
> Sep 11 17:57:43 file smbd_audit[35644]: [2023/09/11 17:57:43.858408,
> 0] ../../source3/smbd/service.c:168(chdir_current_service)
> Sep 11 17:57:43 file smbd_audit[35644]: chdir_current_service:
> vfs_ChDir(/share/samba/home/h347) failed: Permission denied. Current
> token: uid=11270, gid=10515, 3 groups: 11270 10515 11292
>
> I hope it log only useful data like:
> Sep 11 17:37:03 file smbd_audit[35621]: DOM\bb0809|10.11.11.130|renameat|ok|/share/samba/home/bb0809/a.doc|/share/samba/home/bb0809/B09E48D8.tmp
>
> I am using RHEL9. So by default the log data will flow from journald to
> rsyslog to the file I defined (/var/log/samba/audit.log), which makes
> more useless data in the system.
> I tried to use samba configuration to make the work simpler:
>
> log level = 1 full_audit:1@/var/log/samba/audit.log
>
> but the log format is like below:
> [2023/09/11 18:04:10.938942, 1]
> ../../source3/modules/vfs_full_audit.c:643(do_log)
> DOM\h1701|10.99.6.175|unlinkat|ok|/share/samba/public/863B5E69.tmp
> [2023/09/11 18:04:21.948413, 1]
> ../../source3/modules/vfs_full_audit.c:643(do_log)
> DOM\h1701|10.99.6.175|renameat|ok|/share/samba/public/a.xlsx|/share/samba/public/.recycle/h1701/a.xlsx
>
> I got an additional "../../source3/modules/vfs_full_audit.c:643(do_log)"
> for every log. It is really meaningless since the log file is made
> only for "vfs_full_audit".
>
> So I am thinking about how to get rid of the useless log data. Maybe I
> should filter them out via rsyslog and forget about the garbage in
> journald. But it is much better if the logging won't go to journald in
> the first place.
You have already set it to log to rsyslog with the local5 facility; all
you have to do is configure rsyslog to write samba audit logs to
/var/log/samba/audit.log. Put something like this:
:programname, startswith, "smbd_audit" {
    -/var/log/samba/audit_smb.log
    stop
}
in /etc/rsyslog.d/samba_audit_smb.conf and restart rsyslog (disclaimer:
this is tested on Debian, I don't have Red Hat).
If it is still too noisy you can add additional filtering in the rsyslog
conf file.
- Kees.
> Below is my smb.conf. I think much of the useless data comes from the
> "hosts allow" definition.
>
> [global]
> workgroup = DOM
> netbios name = file
> realm = AD.DOM.COM
> security = ads
> idmap config *:backend = tdb
> idmap config *:range = 5000-9999
> idmap config DOM:backend = rid
> idmap config DOM:range = 10000-999999
> idmap config DOM:unix_primary_group = yes
> template homedir = /share/samba/home/%U
> template shell = /bin/false
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> winbind use default domain = yes
> ntlm auth = ntlmv1-permitted
> server min protocol = NT1
> veto files = /.DS_Store/._.DS_Store/
>
> # disable printing
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> vfs objects = recycle full_audit
> # audit setting
> full_audit:priority = notice
> full_audit:facility = local5
> full_audit:success = mkdirat renameat unlinkat
> full_audit:failure = none
> full_audit:prefix = %u|%I
>
> [in]
> path = /share/samba/public/in
> read only = No
> create mask = 0775
> force create mode = 0775
> directory mask = 0775
> hide unreadable = No
>
> # recycle bin
> recycle:keeptree = yes
> recycle:versions = yes
> recycle:touch = yes
> recycle:repository = .recycle/%U
> recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
> recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
>
> hosts allow = 10.11.11. 10.11.253. 10.11.100.0/255.255.255.192 10.12.1.160 10.11.249.
>
> [out]
> path = /share/samba/public/out
> read only = No
> create mask = 0775
> force create mode = 0775
> directory mask = 0775
> hide unreadable = No
>
> # recycle bin
> recycle:keeptree = yes
> recycle:versions = yes
> recycle:touch = yes
> recycle:repository = .recycle/%U
> recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
> recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
>
> hosts allow = 10.11.100. 10.11.253.
>
> [mis]
> path = /share/samba/public/mis
> read only = No
> create mask = 0775
> force create mode = 0775
> directory mask = 0775
> hide unreadable = No
>
> [mis$]
> path = /share/samba/public/mis
> read only = Yes
> browseable = No
>
> [homes]
> read only = No
> browseable = No
>
> # recycle bin
> recycle:keeptree = yes
> recycle:versions = yes
> recycle:touch = yes
> recycle:repository = .recycle
> recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
> recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
>
> hosts allow = 10.11.11. 10.11.253. 10.10.10. 10.11.100.0/255.255.255.192
>
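The thread has two practical needs: keep only the real `user|ip|op|ok|path` records that `full_audit:prefix = %u|%I` produces (dropping the allow_access and chdir_current_service chatter that also arrives under the smbd_audit program name), and then find which mkdirat/renameat/unlinkat explains a directory that went missing. The Python below is an added example, not code from the thread or from Samba; the syslog line shape it assumes is the one shown in the quoted log lines, and the sample input is constructed to resemble them.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, Iterator, List

# Line shape rsyslog writes for the local5 facility used in the thread:
#   "Mon dd HH:MM:SS host smbd_audit[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"smbd_audit\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Record body emitted with "full_audit:prefix = %u|%I":  user|client_ip|op|ok|path[|path2]
AUDIT_RE = re.compile(
    r"^(?P<user>[^|]+)\|(?P<ip>[^|\s]+)\|(?P<op>[a-z_]+)\|(?P<result>ok|fail[^|]*)\|(?P<args>.*)$"
)

@dataclass
class AuditRecord:
    ts: str
    user: str
    ip: str
    op: str
    result: str
    paths: List[str] = field(default_factory=list)

def parse_audit_lines(lines: Iterable[str]) -> Iterator[AuditRecord]:
    """Yield only genuine full_audit records; skip other smbd_audit chatter."""
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        a = AUDIT_RE.match(m["msg"])
        if not a:  # "Denied connection from ...", vfs_ChDir failures, debug headers
            continue
        yield AuditRecord(m["ts"], a["user"], a["ip"], a["op"], a["result"], a["args"].split("|"))

def events_for_path(records: Iterable[AuditRecord], path: str) -> List[AuditRecord]:
    """Records that touched `path` itself or anything beneath it (source or target)."""
    path = path.rstrip("/")
    return [r for r in records
            if any(p == path or p.startswith(path + "/") for p in r.paths)]

# Constructed sample modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LINES = r"""
Sep 11 17:57:32 file smbd_audit[42497]: [2023/09/11 17:57:32.207301, 0] ../../lib/util/access.c:372(allow_access)
Sep 11 17:57:32 file smbd_audit[42497]: Denied connection from 10.11.1.19 (10.11.1.19)
Sep 11 17:37:03 file smbd_audit[35621]: DOM\bb0809|10.11.11.130|renameat|ok|/share/samba/home/bb0809/a.doc|/share/samba/home/bb0809/B09E48D8.tmp
Sep 11 17:40:12 file smbd_audit[35621]: DOM\bb0809|10.11.11.130|renameat|ok|/share/samba/home/bb0809/reports|/share/samba/home/bb0809/old/reports
Sep 11 17:57:43 file smbd_audit[35644]: chdir_current_service: vfs_ChDir(/share/samba/home/h347) failed: Permission denied. Current token: uid=11270, gid=10515, 3 groups: 11270 10515 11292
""".strip().splitlines()
```

Feed it /var/log/samba/audit.log line by line and call events_for_path with the path of the missing directory; a renameat whose first path is the directory shows where it went, an unlinkat shows who removed it.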