Web lists-archives.com

Re: [Samba] Samba Audit Logs




Hi Rowland,

Thank you.

I tried both options. The following is using option 2
[global]
        vfs objects = full_audit
[homes]
        create mask = 0700
        directory mask = 0700
        browseable = No
        read only = No
        path = %H
        full_audit:prefix = %u|%I|%S
        full_audit:failure = none
        full_audit:success = mkdir rmdir read pread write pwrite rename
unlink
        full_audit:facility = local5
        full_audit:priority = notice

and then did the tail -f audit.log , after restarting the smbd , nmbd and
rsyslog (which generated the audit.log file), nothing is being recorded. I
see some stuff in the log.machinename like

[2018/05/02 20:43:50.191504,  2] smbd/dosmode.c:114(unix_mode)
  unix_mode(New folder (2)) inherit mode 40777

but not the audit.log

Just confirming, the /etc/rsyslog.d/00-samba-audit.conf
local5.notice /var/log/samba/audit.log
&~

cat /etc/rsyslog.d/50-default.conf
*.*;local5,auth,authpriv.none -/var/log/syslog
local5.notice /var/log/samba/audit.log
#cron.*                         /var/log/cron.log
#daemon.*                       -/var/log/daemon.log
kern.*                          -/var/log/kern.log
#lpr.*                          -/var/log/lpr.log
mail.*                          -/var/log/mail.log
#user.*                         -/var/log/user.log
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice



The /etc/rsyslog.conf has the following
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

Am I missing something. The samba box in question is 4.3.x but I have also
tried this in an old Samba box (3.6.x)

















On Sun, May 6, 2018 at 8:27 PM, Rowland Penny via samba <
samba@xxxxxxxxxxxxxxx> wrote:

> On Sun, 6 May 2018 20:05:20 +1000
> Robin G <robinghere3@xxxxxxxxx> wrote:
>
> > Hi Rowland,
> > here is the smb.conf. All shares have the full_audit
> >
> > [global]
> >     workgroup = RESOLVS
> >         netbios name = DC1
> >         security = USER
> >         obey pam restrictions = yes
> >         local master = yes
> >         domain master = yes
> >         preferred master = yes
> >         domain logons = yes
> >         os level = 50
> > ####
> >
> > LDAP definitions
>
> What LDAP definitions ???
>
> >
> > ####
> >
> > ### Logging
> >
> >     syslog = 0
> >     log file = /var/log/samba/%m
> >     Log level = 0 vfs:0
> >     max log size = 0
> >     full_audit:prefix = %u|%I|%S
> >         full_audit:failure = none
> >         full_audit:success = mkdir rmdir read pread write pwrite
> > rename unlink
> >         full_audit:facility = local5
> >         full_audit:priority = notice
> >
> >
> > [homes]
> >         create mask = 0700
> >         directory mask = 0700
> >         browseable = No
> >         read only = No
> >         path = %H
> >         vfs objects = full_audit
> >
> > [data]
> >         path = /srv/data
> >         force group = allusers
> >         read only = No
> >         inherit permissions = Yes
> >         hide unreadable = Yes
> >         vfs objects = full_audit
> >
> >
>
> Try it like this:
>
> [global]
> .......
> .....
> ...
>         vfs objects = full_audit
>         full_audit:prefix = %u|%I|%S
>         full_audit:failure = none
>         full_audit:success = mkdir rmdir read pread write pwrite rename
> unlink
>         full_audit:facility = local5
>         full_audit:priority = notice
>
> or like this:
>
> [global]
> .......
> .....
> ...
>         vfs objects = full_audit
>
> [homes]
>         create mask = 0700
>         directory mask = 0700
>         browseable = No
>         read only = No
>         path = %H
>         full_audit:prefix = %u|%I|%S
>         full_audit:failure = none
>         full_audit:success = mkdir rmdir read pread write pwrite rename
> unlink
>         full_audit:facility = local5
>         full_audit:priority = notice
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba