Zentyal Forum, Linux Small Business Server

Zentyal Server => Directory and Authentication => Topic started by: killmasta93 on December 28, 2019, 01:47:35 am

Title: samba audit?
Post by: killmasta93 on December 28, 2019, 01:47:35 am
Hi,
I was wondering if someone else has managed to enable the samba audit to log to another file?
This is what I have so far. First, inside of rsyslog, the 50-default.conf;
added this at the end
Code:
# send smbd_audit messages to their own file, then discard them ("~" is the legacy discard action)
if $programname == 'smbd_audit' then /var/log/audit.log
if $programname == 'smbd_audit' then ~

Then in the shares.conf this is what I have:
Code:
# Shares

[shares]
    path = /disk2
    browseable = yes
    force create mode = 0660
    force directory mode = 0660
    valid users = @"Domain Users"
    read list =
    write list = @"Domain Users"
    admin users =
    vfs objects = acl_xattr full_audit recycle
    full_audit:prefix = %S|%u|%I|%m
    full_audit:success = chdir mkdir open opendir read rename rmdir write link unlink
    full_audit:failure = none
    full_audit:facility = local7
    full_audit:priority = notice

    recycle: inherit_nt_acl = Yes
    recycle: directory_mode = 0700
    recycle: repository = RecycleBin
    recycle: keeptree = Yes
    recycle: excludedir = /tmp|/var/tmp
    recycle: versions = Yes

Then I restarted Samba and rsyslog, but I'm not seeing the logs coming in.

Thank you




Title: Re: samba audit?
Post by: peptoniET on April 28, 2020, 08:44:12 am
local7.*    /var/log/audit.log
& stop

Title: Re: samba audit?
Post by: killmasta93 on April 30, 2020, 07:24:40 pm
Thanks for the reply, forgot to post back.
These are the steps:
Code:
nano /etc/rsyslog.d/50-default.conf
Code:
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
# local5.none keeps the audit messages out of syslog; a bare "local5" with no
# priority is not a valid selector and makes rsyslog reject the whole line
*.*;local5.none;auth,authpriv.none      -/var/log/syslog

# full_audit sends to facility local5 at priority notice (see shares.conf below)
local5.notice                   /var/log/audit.log

And in the shares.conf:
Code:
    # user|client IP|share name, followed by the operation, "ok"/"fail (reason)" and the arguments
    full_audit:prefix = %u|%I|%S
    # log only failed tree connects; log these operations when they succeed
    full_audit:failure = connect
    full_audit:success = mkdir rename unlink rmdir pwrite pread connect disconnect
    # must match the local5.notice selector in rsyslog
    full_audit:facility = local5
    full_audit:priority = notice
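With the configuration in the thread, every audited operation becomes one syslog line whose body is `user|client_ip|share|operation|result|args`, using the `%u|%I|%S` prefix from the last post; the result field is `ok` or `fail (reason)` as vfs_full_audit writes it. The following is an added Python example, not code from the thread or from Zentyal, that parses such lines from /var/log/audit.log and runs two checks a practitioner would want on them: listing failed tree connects (which the `failure = connect` setting records) and flagging a client that performs a burst of rename/unlink/rmdir operations, the pattern a ransomware run or a bulk deletion leaves in this log. The sample log lines, the hostname `zentyal`, the user names, IP addresses and paths, and the threshold of 5 destructive operations within 60 seconds are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample of /var/log/audit.log (not from a real host). After "smbd_audit[pid]:"
# the body is user|ip|share|op|result|args, as full_audit:prefix = %u|%I|%S produces.
# The last line is not an audit line and shows that such lines are skipped.
SAMPLE_LOG = """\
Apr 30 19:10:01 zentyal smbd_audit[2231]: jdoe|192.168.10.25|shares|connect|ok|shares
Apr 30 19:10:03 zentyal smbd_audit[2231]: jdoe|192.168.10.25|shares|pwrite|ok|/disk2/reports/q1.xlsx
Apr 30 19:11:00 zentyal smbd_audit[2240]: mwolf|192.168.10.77|shares|connect|ok|shares
Apr 30 19:11:01 zentyal smbd_audit[2240]: mwolf|192.168.10.77|shares|rename|ok|/disk2/hr/contract.docx|/disk2/hr/contract.docx.locked
Apr 30 19:11:01 zentyal smbd_audit[2240]: mwolf|192.168.10.77|shares|rename|ok|/disk2/hr/payroll.xlsx|/disk2/hr/payroll.xlsx.locked
Apr 30 19:11:02 zentyal smbd_audit[2240]: mwolf|192.168.10.77|shares|rename|ok|/disk2/hr/staff.xlsx|/disk2/hr/staff.xlsx.locked
Apr 30 19:11:02 zentyal smbd_audit[2240]: mwolf|192.168.10.77|shares|rename|ok|/disk2/hr/review.docx|/disk2/hr/review.docx.locked
Apr 30 19:11:03 zentyal smbd_audit[2240]: mwolf|192.168.10.77|shares|rename|ok|/disk2/hr/budget.xlsx|/disk2/hr/budget.xlsx.locked
Apr 30 19:11:03 zentyal smbd_audit[2240]: mwolf|192.168.10.77|shares|unlink|ok|/disk2/hr/old.tmp
Apr 30 19:11:05 zentyal smbd_audit[2240]: mwolf|192.168.10.77|shares|disconnect|ok|shares
Apr 30 19:12:00 zentyal smbd_audit[2251]: guest|192.168.10.99|shares|connect|fail (Permission denied)|shares
Apr 30 19:12:30 zentyal sshd[900]: Accepted publickey for admin from 10.0.0.5
"""

# Traditional rsyslog timestamp, host, the smbd_audit ident with PID, then the body.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"smbd_audit\[(?P<pid>\d+)\]: (?P<body>.*)$"
)

# A burst of these from one client is the bulk-deletion / ransomware signal.
DESTRUCTIVE_OPS = {"rename", "unlink", "rmdir"}

@dataclass
class AuditEvent:
    ts: datetime
    host: str
    pid: int
    user: str
    ip: str
    share: str
    op: str
    result: str        # "ok" or "fail (<strerror text>)"
    args: List[str]    # e.g. [path], or [old_path, new_path] for rename

    @property
    def ok(self) -> bool:
        return self.result == "ok"

def parse_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for a smbd_audit line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # 3 prefix fields + op + result are fixed; the rest is the argument list,
    # which itself uses '|' as separator (rename logs old|new).
    parts = m.group("body").split("|", 5)
    if len(parts) < 5:
        return None
    user, ip, share, op, result = parts[:5]
    args = parts[5].split("|") if len(parts) == 6 else []
    # syslog timestamps carry no year; strptime fills in 1900, harmless for deltas.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return AuditEvent(ts, m.group("host"), int(m.group("pid")), user, ip, share, op, result, args)

def parse_log(text: str) -> List[AuditEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]

def failed_connects(events: List[AuditEvent]) -> List[Tuple[str, str]]:
    """(user, ip) pairs whose tree connect failed; recorded thanks to failure = connect."""
    return [(ev.user, ev.ip) for ev in events if ev.op == "connect" and not ev.ok]

def detect_mass_modification(events: List[AuditEvent], threshold: int = 5,
                             window_seconds: int = 60) -> Dict[Tuple[str, str], int]:
    """Flag (user, ip) actors with >= threshold successful rename/unlink/rmdir calls
    inside any sliding window of window_seconds; the value is the peak count seen."""
    per_actor: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ev in events:
        if ev.ok and ev.op in DESTRUCTIVE_OPS:
            per_actor[(ev.user, ev.ip)].append(ev.ts)
    flagged: Dict[Tuple[str, str], int] = {}
    for actor, stamps in per_actor.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, ip in failed_connects(evs):
        print(f"failed connect: {user} from {ip}")
    for (user, ip), n in detect_mass_modification(evs).items():
        print(f"ALERT: {user}@{ip} did {n} rename/unlink/rmdir calls within 60s")
```

Run against a real file with `parse_log(open("/var/log/audit.log").read())`. The parser keys on the `smbd_audit` ident and the five fixed fields, so it only works for the `%u|%I|%S` prefix; if you use the first post's `%S|%u|%I|%m` prefix, adjust the field order in `parse_line`. The sliding window uses the syslog timestamp, which has no year, so deltas across a year boundary would be wrong; for a long-running detector, switch rsyslog to RFC 3339 timestamps.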