Samba: audit file activity + log to a separate file

In /etc/rsyslog.d/50-smbd_audit.conf, tell rsyslogd to direct the audit logs to a separate file. The second rule discards the messages so they are not also written to the other syslog files:

if $programname == 'smbd_audit' then /var/log/samba/audit.log
if $programname == 'smbd_audit' then ~

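In /etc/samba/smb.conf, tell Samba to audit file operations. With this prefix, each log line starts with the share name (%S), the user name (%u), the client IP address (%I) and the client machine name (%m):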

vfs object = full_audit
full_audit:prefix = %S|%u|%I|%m
full_audit:success = chdir mkdir open opendir read rename rmdir write link unlink
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = notice

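Finally, tell logrotate to archive the file daily. The stanza for /var/log/samba/audit.log in /etc/logrotate.d/smbd_audit is marked daily, keeps seven rotations, and runs the rsyslog rotate command from its postrotate script so that rsyslog reopens the log file: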

rotate 7
invoke-rc.d rsyslog rotate > /dev/null

Then just restart both Samba and rsyslog and enjoy the logs:

#> service smbd restart
#> service rsyslog restart
#> tail -f /var/log/samba/audit.log
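
An added example (not from the original post): a Python parser for the lines this setup writes to /var/log/samba/audit.log, counting successful unlink/rename/rmdir operations per user and client to flag bulk deletions or renames. It assumes rsyslog's traditional file format and full_audit's prefix|operation|result|arguments layout; the sample lines, the threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the shape rsyslog writes for the smb.conf above:
# syslog header, then share|user|client IP|client name|operation|result|args
SAMPLE = """\
Mar  3 10:15:01 fs1 smbd_audit: projects|alice|192.0.2.10|ws-alice|open|ok|r|plan.odt
Mar  3 10:15:02 fs1 smbd_audit: projects|bob|192.0.2.20|ws-bob|rename|ok|a.doc|a.doc.locked
Mar  3 10:15:02 fs1 smbd_audit: projects|bob|192.0.2.20|ws-bob|unlink|ok|b.doc
Mar  3 10:15:03 fs1 smbd_audit: projects|bob|192.0.2.20|ws-bob|rename|ok|c|d.doc|c.locked
Mar  3 10:15:04 fs1 smbd[812]: unrelated daemon message
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
                  r"smbd_audit(?:\[\d+\])?:\s(?P<msg>.*)$")
DESTRUCTIVE = {"unlink", "rename", "rmdir"}  # subset of the audited operations

def parse_line(line):
    """Return a dict for one audit line, or None if it is not a smbd_audit line."""
    m = LINE.match(line)
    if not m:
        return None
    # The prefix %S|%u|%I|%m supplies four fields; operation and result follow.
    # File names may themselves contain '|', so cap the split and keep the rest.
    parts = m["msg"].split("|", 6)
    if len(parts) < 6:
        return None
    share, user, ip, machine, op, result = parts[:6]
    return {"ts": m["ts"], "share": share, "user": user, "ip": ip,
            "machine": machine, "op": op, "result": result,
            "args": parts[6] if len(parts) > 6 else ""}

def destructive_counts(lines):
    """Count successful destructive operations per (user, client IP)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["op"] in DESTRUCTIVE and rec["result"] == "ok":
            counts[(rec["user"], rec["ip"])] += 1
    return counts

def flag(lines, threshold=3):
    """Return (user, ip) pairs at or above the (constructed) threshold."""
    return sorted(k for k, n in destructive_counts(lines).items() if n >= threshold)

if __name__ == "__main__":
    for user, ip in flag(SAMPLE.splitlines()):
        print(f"bulk delete/rename activity: user={user} client={ip}")
```

To run it against the real log, pass the lines of /var/log/samba/audit.log to flag() and pick a threshold that fits the share's normal activity.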

