Web lists-archives.com

Re: [Samba] Samba Audit Logs




On Sat, 5 May 2018 23:40:47 +1000
Robin G via samba <samba@xxxxxxxxxxxxxxx> wrote:

...


> full_audit:prefix = %u|%I|%S
>         full_audit:failure = none
>         full_audit:success = mkdir rmdir read pread write pwrite rename
> unlink
>         full_audit:facility = local5
>         full_audit:priority = notice
> 
> 
> The following in /etc/rsyslog.d/00-samba-audit.conf
> local5.notice /var/log/samba/audit.log
> & ~
> 
> and the following in /etc/rsyslog.d/50-default.conf
> *.*;auth,authpriv.none           -/var/log/syslog
> *.*;local5,auth,authpriv.none           -/var/log/syslog
> local5.notice /var/log/samba/audit.log
> 
> The samba service and rsyslog have been restarted multiple times


I think you may be missing 

	vfs objects = full_audit

in each and every share you want to monitor.

Ethy


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba