Thanks for the reply, I forgot to post back.
These are the steps:
nano /etc/rsyslog.d/50-default.conf
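# First some standard log files. Log by facility.
#
# auth and authpriv messages go to auth.log only.
auth,authpriv.* /var/log/auth.log
# Everything else goes to syslog. Facilities that share a priority are joined
# with commas, and every ';'-separated selector needs its own ".priority", so
# local5 is listed together with auth,authpriv under ".none". This keeps the
# Samba audit records out of syslog; a bare "local5;" is not a documented
# selector form and may not exclude what was intended.
*.*;local5,auth,authpriv.none -/var/log/syslog
# Samba full_audit records: facility local5, priority notice and above.
# audit.log will contain user names, client addresses and file paths, so
# restrict read access to administrators and include it in log rotation.
local5.notice /var/log/audit.log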
and in shares.conf (the Samba share definition):
# NOTE(review): assumes "vfs objects = full_audit" is already set for this
# share; it is not shown in this snippet - confirm.
# Prefix every audit record with user name | client IP address | share name.
full_audit:prefix = %u|%I|%S
# Only failed connection attempts are logged on the failure side; failed file
# operations (for example a denied delete) are not recorded with this setting.
full_audit:failure = connect
# Operations that are logged when they succeed.
# NOTE(review): operation names differ between Samba releases (newer ones use
# names such as mkdirat/renameat/unlinkat) - check vfs_full_audit(8) for the
# installed version and verify that each listed operation actually produces
# records.
full_audit:success = mkdir rename unlink rmdir pwrite pread connect disconnect
# Facility and priority must match the "local5.notice" selector in the rsyslog
# configuration, otherwise the records will not reach /var/log/audit.log.
full_audit:facility = local5
full_audit:priority = notice