Web lists-archives.com

Re: [Samba] Samba Audit Logs




I think the issue is permissions related. I changed the log location to
/tmp/audit.log and now it is populating. What should be the permissions for
/var/log/samba/audit.log?

On Mon, May 7, 2018 at 12:29 AM, Robin G <robinghere3@xxxxxxxxx> wrote:

> Hi Rowland,
>
> Thank you.
>
> I tried both options. The following is using option 2
> [global]
>         vfs objects = full_audit
> [homes]
>         create mask = 0700
>         directory mask = 0700
>         browseable = No
>         read only = No
>         path = %H
>         full_audit:prefix = %u|%I|%S
>         full_audit:failure = none
>         full_audit:success = mkdir rmdir read pread write pwrite rename
> unlink
>         full_audit:facility = local5
>         full_audit:priority = notice
>
> and then did the tail -f audit.log , after restarting the smbd , nmbd and
> rsyslog (which generated the audit.log file), nothing is being recorded. I
> see some stuff in the log.machinename like
>
> [2018/05/02 20:43:50.191504,  2] smbd/dosmode.c:114(unix_mode)
>   unix_mode(New folder (2)) inherit mode 40777
>
> but not the audit.log
>
> Just confirming, the /etc/rsyslog.d/00-samba-audit.conf
> local5.notice /var/log/samba/audit.log
> &~
>
> cat /etc/rsyslog.d/50-default.conf
> *.*;local5,auth,authpriv.none -/var/log/syslog
> local5.notice /var/log/samba/audit.log
> #cron.*                         /var/log/cron.log
> #daemon.*                       -/var/log/daemon.log
> kern.*                          -/var/log/kern.log
> #lpr.*                          -/var/log/lpr.log
> mail.*                          -/var/log/mail.log
> #user.*                         -/var/log/user.log
> news.crit                       /var/log/news/news.crit
> news.err                        /var/log/news/news.err
> news.notice                     -/var/log/news/news.notice
>
>
>
> The /etc/rsyslog.conf has the following
> #
> # Include all config files in /etc/rsyslog.d/
> #
> $IncludeConfig /etc/rsyslog.d/*.conf
>
> Am I missing something. The samba box in question is 4.3.x but I have also
> tried this in an old Samba box (3.6.x)
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Sun, May 6, 2018 at 8:27 PM, Rowland Penny via samba <
> samba@xxxxxxxxxxxxxxx> wrote:
>
>> On Sun, 6 May 2018 20:05:20 +1000
>> Robin G <robinghere3@xxxxxxxxx> wrote:
>>
>> > Hi Rowland,
>> > here is the smb.conf. All shares have the full_audit
>> >
>> > [global]
>> >     workgroup = RESOLVS
>> >         netbios name = DC1
>> >         security = USER
>> >         obey pam restrictions = yes
>> >         local master = yes
>> >         domain master = yes
>> >         preferred master = yes
>> >         domain logons = yes
>> >         os level = 50
>> > ####
>> >
>> > LDAP definitions
>>
>> What LDAP definitions ???
>>
>> >
>> > ####
>> >
>> > ### Logging
>> >
>> >     syslog = 0
>> >     log file = /var/log/samba/%m
>> >     Log level = 0 vfs:0
>> >     max log size = 0
>> >     full_audit:prefix = %u|%I|%S
>> >         full_audit:failure = none
>> >         full_audit:success = mkdir rmdir read pread write pwrite
>> > rename unlink
>> >         full_audit:facility = local5
>> >         full_audit:priority = notice
>> >
>> >
>> > [homes]
>> >         create mask = 0700
>> >         directory mask = 0700
>> >         browseable = No
>> >         read only = No
>> >         path = %H
>> >         vfs objects = full_audit
>> >
>> > [data]
>> >         path = /srv/data
>> >         force group = allusers
>> >         read only = No
>> >         inherit permissions = Yes
>> >         hide unreadable = Yes
>> >         vfs objects = full_audit
>> >
>> >
>>
>> Try it like this:
>>
>> [global]
>> .......
>> .....
>> ...
>>         vfs objects = full_audit
>>         full_audit:prefix = %u|%I|%S
>>         full_audit:failure = none
>>         full_audit:success = mkdir rmdir read pread write pwrite rename
>> unlink
>>         full_audit:facility = local5
>>         full_audit:priority = notice
>>
>> or like this:
>>
>> [global]
>> .......
>> .....
>> ...
>>         vfs objects = full_audit
>>
>> [homes]
>>         create mask = 0700
>>         directory mask = 0700
>>         browseable = No
>>         read only = No
>>         path = %H
>>         full_audit:prefix = %u|%I|%S
>>         full_audit:failure = none
>>         full_audit:success = mkdir rmdir read pread write pwrite rename
>> unlink
>>         full_audit:facility = local5
>>         full_audit:priority = notice
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba