Zentyal Forum, Linux Small Business Server
Zentyal Server => Directory and Authentication => Topic started by: killmasta93 on December 28, 2019, 01:47:35 am
-
Hi,
I was wondering if someone else has managed to enable the Samba audit to log to another file?
This is what I have so far. First, inside the rsyslog 50.default.conf,
I added this at the end:
if $programname == 'smbd_audit' then /var/log/audit.log
if $programname == 'smbd_audit' then ~
Then in the shares.conf this is what I have:
# Shares
[shares]
path = /disk2
browseable = yes
force create mode = 0660
force directory mode = 0660
valid users = @"Domain Users"
read list =
write list = @"Domain Users"
admin users =
vfs objects = acl_xattr full_audit recycle
full_audit:prefix = %S|%u|%I|%m
full_audit:success = chdir mkdir open opendir read rename rmdir write link unlink
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = notice
recycle: inherit_nt_acl = Yes
recycle: directory_mode = 0700
recycle: repository = RecycleBin
recycle: keeptree = Yes
recycle: excludedir = /tmp|/var/tmp
recycle: versions = Yes
Then I restarted Samba and rsyslog, but I am not seeing the logs coming in.
Thank you
-
local7.* /var/log/audit.log
& stop
-
Thanks for the reply, I forgot to post back.
These are the steps:
nano /etc/rsyslog.d/50-default.conf
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;local5;auth,authpriv.none -/var/log/syslog
local5.notice /var/log/audit.log
And in the shares.conf:
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = mkdir rename unlink rmdir pwrite pread connect disconnect
full_audit:facility = local5
full_audit:priority = notice
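-
Added example, not part of the thread and not Zentyal's or Samba's own code: with the prefix from the last post (%u|%I|%S), full_audit writes each record as prefix, operation, result and arguments separated by "|", so the lines landing in /var/log/audit.log can be parsed and reviewed as below. The function names, the delete threshold and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread), shaped as
# "<prefix>|<operation>|<result>|<args>" with prefix = %u|%I|%S.
SAMPLE_LOG = """\
Dec 28 02:10:01 srv smbd_audit: alice|192.0.2.10|shares|connect|ok|shares
Dec 28 02:10:05 srv smbd_audit: alice|192.0.2.10|shares|mkdir|ok|reports
Dec 28 02:10:09 srv smbd_audit: alice|192.0.2.10|shares|rename|ok|a.doc|reports/a.doc
Dec 28 02:11:00 srv smbd_audit: mallory|192.0.2.66|shares|connect|fail (Permission denied)|shares
Dec 28 02:12:00 srv smbd_audit: bob|192.0.2.20|shares|unlink|ok|q1.xls
Dec 28 02:12:01 srv smbd_audit: bob|192.0.2.20|shares|unlink|ok|q2.xls
Dec 28 02:12:02 srv smbd_audit: bob|192.0.2.20|shares|unlink|ok|q3.xls
Dec 28 02:12:03 srv smbd_audit: bob|192.0.2.20|shares|disconnect|ok|shares
Dec 28 02:12:04 srv cron[123]: unrelated line
"""

# Capture the text after the syslog tag; an optional [pid] is tolerated.
LINE_RE = re.compile(r"smbd_audit(?:\[\d+\])?: (.*)$")


def parse_line(line):
    """Return a dict for one smbd_audit line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Split at most 5 times: file names in the args may contain '|'.
    parts = m.group(1).split("|", 5)
    if len(parts) < 5:
        return None
    user, ip, share, op, result = parts[:5]
    return {"user": user, "ip": ip, "share": share, "op": op,
            "ok": result == "ok", "result": result,
            "args": parts[5] if len(parts) > 5 else ""}


def summarize(text, delete_threshold=3):
    """Count audit events, list failed connects, flag heavy deleters."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    failed = [(e["user"], e["ip"]) for e in events
              if e["op"] == "connect" and not e["ok"]]
    deletes = Counter((e["user"], e["ip"]) for e in events
                      if e["ok"] and e["op"] in ("unlink", "rmdir"))
    heavy = {k: n for k, n in deletes.items() if n >= delete_threshold}
    return {"events": len(events), "failed_connects": failed,
            "heavy_deleters": heavy}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Failed connects only appear because the last post sets full_audit:failure = connect; with failure = none, as in the first post, they are never logged.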