
[Samba] 4.1.0 auditing : can't get only wanted vfs operations to log


m...@electronico.nc

Nov 5, 2013, 12:00:01 AM
Hi all,

So I'd like to log the user's operations on some shares,
as I need to know who did what and when.
I'd read a previous answer from Andrew about auditing, so I can see
logged operations.

Modified smb.conf:
> [global]
> vfs objects = dfs_samba4, acl_xattr, full_audit
> full_audit:success =none
> full_audit:failure = none

The share is:
> [journal]
> path = /media/data/journal
> read only = No
> full_audit:prefix = %u|%I|%S
> full_audit:success = mkdir rmdir write rename
> full_audit:failure = none
> full_audit:facility = local5
> full_audit:priority = NOTICE
But I still got things like this in syslog:
> Nov 5 15:40:55 serveur smbd_audit:
> DOMAIN\romain|10.10.20.209|journal|*pread|ok*|2013-11-04/matin/test.doc
> Nov 5 15:40:55 serveur smbd_audit:
> DOMAIN\romain|10.10.20.209|journal|*aio_force|fail
> (Succès)*|2013-11-04/matin/test.doc
> Nov 5 15:40:55 serveur smbd_audit:
> DOMAIN\romain|10.10.20.209|journal|*pread|ok*|2013-11-04/matin/test.doc
> Nov 5 15:40:55 serveur smbd_audit:
> DOMAIN\romain|10.10.20.209|journal|close|ok|2013-11-04/matin/test.doc
> Nov 5 15:40:55 serveur smbd_audit:
> DOMAIN\romain|10.10.20.209|journal|*is_offline|fail (Opération non
> supportée)*|2013-11-04/matin/test.doc
> Nov 5 15:40:55 serveur smbd_audit:
> DOMAIN\romain|10.10.20.209|journal|open|ok|w|2013-11-04/matin/test.doc
> Nov 5 15:40:55 serveur smbd_audit:
> DOMAIN\romain|10.10.20.209|journal|is_offline|fail (Opération non
> supportée)|2013-11-04/matin/test.doc
> Nov 5 15:44:46 serveur smbd_audit:
> DOMAIN\romain|10.10.20.209|journal|*stat|fail (Aucun fichier ou
> dossier de ce type)*|2013-11-04/desktop.ini
> Nov 5 15:44:46 serveur smbd_audit:
> DOMAIN\romain|10.10.20.209|journal|*get_real_filename|fail (Opération
> non supportée)*|2013-11-04/desktop.ini->(null)
> Nov 5 15:44:46 serveur smbd_audit:
> DOMAIN\romain|10.10.20.209|journal|opendir|ok|2013-11-04
> Nov 5 15:44:46 serveur smbd_audit:
> DOMAIN\romain|10.10.20.209|journal|*translate_name|fail (Opération non
> supportée)*|
I have googled and found this page (
http://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html ).
I don't understand why all these unwanted VFS operations are logged.

There might be other ways to proceed; I'm open to any suggestion!
Thanks in advance for your time.
Nicolas



m...@electronico.nc

Nov 5, 2013, 2:40:02 AM
It turns out that Samba needs to be *RESTARTED* and not only reloaded to
take care of these modifications.
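
An added example, not part of the original posts: a Python check that reads `smbd_audit` lines in the `%u|%I|%S` prefix format used above and counts events that the share's `full_audit:success` / `full_audit:failure` lists should not produce, which is the symptom of smbd still running the old configuration. The function names and the sample lines are assumptions (the lines are constructed from the thread's log format, unwrapped and without the emphasis asterisks), and only plain operation lists plus the `all` and `none` keywords are handled.

```python
import re
from collections import Counter

# Message layout with full_audit:prefix = %u|%I|%S :
#   user|client IP|share|operation|ok or fail (error text)|arguments...
AUDIT_RE = re.compile(
    r"smbd_audit:\s+(?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<share>[^|]*)\|"
    r"(?P<op>[^|]+)\|(?P<result>ok|fail)(?:\s+\((?P<err>[^)]*)\))?(?:\||$)"
)

def parse_ops(value):
    """Turn a full_audit:success/failure value into a set; None means 'all'."""
    ops = set(value.split())
    if ops == {"all"}:
        return None
    return ops - {"none"}

def unexpected_events(lines, share, success, failure):
    """Count (operation, result) pairs the share's settings should not log."""
    allowed = {"ok": parse_ops(success), "fail": parse_ops(failure)}
    found = Counter()
    for line in lines:
        m = AUDIT_RE.search(line)
        if not m or m["share"] != share:
            continue  # not an audit line, or another share
        ops = allowed[m["result"]]
        if ops is not None and m["op"] not in ops:
            found[(m["op"], m["result"])] += 1
    return found

# Constructed sample input modelled on the syslog excerpt in the thread;
# the mkdir line is invented to show an event that is expected.
SAMPLE = [
    r"Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|pread|ok|2013-11-04/matin/test.doc",
    r"Nov 5 15:40:55 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|is_offline|fail (Opération non supportée)|2013-11-04/matin/test.doc",
    r"Nov 5 15:44:46 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|opendir|ok|2013-11-04",
    r"Nov 5 15:45:10 serveur smbd_audit: DOMAIN\romain|10.10.20.209|journal|mkdir|ok|2013-11-05",
]

if __name__ == "__main__":
    stale = unexpected_events(SAMPLE, "journal", "mkdir rmdir write rename", "none")
    for (op, result), count in sorted(stale.items()):
        print(f"unexpected: {op} ({result}) x{count}")
    if stale:
        print("smbd is logging operations outside the share's full_audit lists")
```
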