Author Topic: samba audit?  (Read 2130 times)

killmasta93

  • Zen Monk
  • **
  • Posts: 95
  • Karma: +14/-0
    • View Profile
samba audit?
« on: December 28, 2019, 01:47:35 am »
Hi,
I was wondering if someone else has accomplish to enable the samba audit to log on another file?
This is what i have so far  first inside of rsyslog the 50.default.conf
added this at the end
Code: [Select]
if $programname == 'smbd_audit' then /var/log/audit.log
if $programname == 'smbd_audit' then ~

then on the shares.conf this is what i have
Code: [Select]
# Shares

[shares]
    path = /disk2
    browseable = yes
    force create mode = 0660
    force directory mode = 0660
    valid users = @"Domain Users"
    read list =
    write list = @"Domain Users"
    admin users =
    vfs objects = acl_xattr full_audit recycle
full_audit:prefix = %S|%u|%I|%m
full_audit:success = chdir mkdir open opendir read rename rmdir write link unlink
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = notice

    recycle: inherit_nt_acl = Yes
    recycle: directory_mode = 0700
    recycle: repository = RecycleBin
    recycle: keeptree = Yes
    recycle: excludedir = /tmp|/var/tmp
    recycle: versions = Yes

then restarted samba and rsyslog but not seeing the logs comming in

Thank you





peptoniET

  • Zen Apprentice
  • *
  • Posts: 40
  • Karma: +4/-0
    • View Profile
Re: samba audit?
« Reply #1 on: April 28, 2020, 08:44:12 am »
local7.*    /var/log/audit.log
& stop

killmasta93

  • Zen Monk
  • **
  • Posts: 95
  • Karma: +14/-0
    • View Profile
Re: samba audit?
« Reply #2 on: April 30, 2020, 07:24:40 pm »
thanks for the reply, forgot to postback
these are the steps
Code: [Select]
nano /etc/rsyslog.d/50-default.conf
Code: [Select]
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;local5;auth,authpriv.none           -/var/log/syslog

local5.notice /var/log/audit.log

and in the shares.conf
Code: [Select]
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = mkdir rename unlink rmdir pwrite pread connect disconnect
full_audit:facility = local5
full_audit:priority = notice