
Samba full_audit

Created by dave. Last edited by dave, 7 years and 132 days ago. Viewed 2,940 times. #1
(2016-11-07)

Problem

I'd like to log activity that my samba server is doing.

Solution

CentOS 6 Samba includes the vfs_full_audit module which will do what you want. Add to /etc/samba/smb.conf:

vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none

...and restart.


Other options should be visible through the vfs_full_audit man page.

Note: it may be tempting to add read to the success list; you can do that, but on any non-trivial share it will quickly overwhelm the syslog (you might be interested in v5 rate limiting). Similarly, adding all to the success list will overwhelm the syslog. The example here is for the case where you are interested in changes made and don't care about access that changes nothing.
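
An added example, not part of the original page: a Python parser for the syslog lines the configuration above produces, counting successful change operations per user and share. The line layout (an smbd_audit tag, the four prefix fields, then operation, result and arguments) is an assumption about the module's output, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (not real logs). Assumed layout: syslog header,
# "smbd_audit" tag, the %u|%I|%m|%S prefix, then operation|result|arguments.
SAMPLE = """\
Nov  7 10:01:12 fs1 smbd_audit: alice|192.0.2.10|ws-alice|projects|mkdir|ok|reports/2016
Nov  7 10:01:40 fs1 smbd_audit: alice|192.0.2.10|ws-alice|projects|pwrite|ok|reports/2016/q3.xls
Nov  7 10:02:03 fs1 smbd_audit[2211]: bob|192.0.2.22|ws-bob|projects|rename|ok|draft.doc|final|v2.doc
Nov  7 10:02:09 fs1 smbd_audit: bob|192.0.2.22|ws-bob|projects|unlink|ok|old.tmp
Nov  7 10:02:10 fs1 sshd[900]: Accepted publickey for root
"""

# Match the audit tag (with or without a PID) and capture the payload.
LINE = re.compile(r"smbd_audit(?:\[\d+\])?: (.*)$")
FIELDS = ("user", "ip", "machine", "share", "op", "result", "args")


def parse_line(line):
    """Return a dict for one audit line, or None for anything else."""
    m = LINE.search(line)
    if not m:
        return None
    # Split only on the first six separators: file names may contain '|',
    # so everything after the result field is kept as one raw string.
    # For rename this means old and new names cannot be separated reliably.
    parts = m.group(1).split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def summarize(text):
    """Count successful operations per (user, share, operation)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "ok":
            counts[(rec["user"], rec["share"], rec["op"])] += 1
    return counts


if __name__ == "__main__":
    for (user, share, op), n in sorted(summarize(SAMPLE).items()):
        print(f"{user:8} {share:10} {op:8} {n}")
```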
