Samba full_audit

(2016-11-07)

Problem

I'd like to log activity that my Samba server is doing.

Solution

CentOS 6 Samba includes the vfs_full_audit module which will do what you want. Add to /etc/samba/smb.conf:

vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none

...and restart Samba.

(Source)

Other options should be visible through the vfs_full_audit man page.

Note: it may be tempting to add read to the success list; you can do that, but on any non-trivial share it will quickly overwhelm the syslog (you might be interested in v5 rate limiting). Similarly, adding all to the success list will overwhelm the syslog. The example here is for the case where you are interested in changes made and don't care about access that changes nothing.
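
Reading the resulting log, as an added example (not from the original post or from Samba): a small parser for audit lines produced with the prefix %u|%I|%m|%S above, counting successful deletes and renames per user and client. The line layout (syslog tag smbd_audit, then prefix|operation|result|arguments) is an assumption to check against your own syslog; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines. Assumed layout:
#   <syslog header> smbd_audit: <prefix>|<operation>|<result>|<arguments>
SAMPLE_LOG = """\
Nov  7 10:12:01 fs01 smbd_audit: alice|192.0.2.10|alice-pc|projects|mkdir|ok|reports
Nov  7 10:12:09 fs01 smbd_audit: alice|192.0.2.10|alice-pc|projects|pwrite|ok|reports/q3.xls
Nov  7 10:13:30 fs01 smbd_audit: bob|192.0.2.22|bob-laptop|projects|rename|ok|reports/q3.xls|reports/q3-final.xls
Nov  7 10:14:02 fs01 smbd_audit: bob|192.0.2.22|bob-laptop|projects|unlink|ok|reports/old|draft.doc
Nov  7 10:14:05 fs01 sshd[811]: Accepted publickey for root
"""

# Field names for full_audit:prefix = %u|%I|%m|%S
PREFIX_FIELDS = ("user", "client_ip", "machine", "share")
LINE_RE = re.compile(r"smbd_audit(?:\[\d+\])?: (.*)$")


def parse_line(line):
    """Return a dict for one audit line, or None for unrelated or short lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    n = len(PREFIX_FIELDS)
    # Cap the split so a '|' inside a file name stays in the arguments field.
    parts = m.group(1).split("|", n + 2)
    if len(parts) < n + 3:
        return None
    rec = dict(zip(PREFIX_FIELDS, parts))
    rec["op"], rec["result"], rec["args"] = parts[n:]
    return rec


def destructive_ops_by_user(log_text, ops=("unlink", "rmdir", "rename")):
    """Count successful destructive operations per (user, client IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["op"] in ops and rec["result"] == "ok":
            counts[(rec["user"], rec["client_ip"])] += 1
    return counts


if __name__ == "__main__":
    for (user, ip), n in destructive_ops_by_user(SAMPLE_LOG).most_common():
        print(f"{user} from {ip}: {n} delete/rename operations")
```

A rename line carries source and destination separated by another |, so a file name that itself contains | cannot be split reliably; the parser keeps the arguments as one string for that reason.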