i’ve ‘convinced’ my samba running under debian wheezy/jessie to give me access audit logs without being too verbose. here’s how.
in /etc/rsyslog.d/50-smbd_audit.conf i have to tell rsyslogd to direct audit logs to a separate file:
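    # write everything logged by samba's full_audit module to its own file
    if $programname == 'smbd_audit' then /var/log/samba/audit.log
    # then discard those messages so they do not also land in the general syslog files
    if $programname == 'smbd_audit' then ~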
in /etc/samba/smb.conf i tell samba to generate such information:
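    vfs object = full_audit
    # %S = share name, %u = user, %I = client ip address, %m = client machine name
    full_audit:prefix = %S|%u|%I|%m
    full_audit:success = chdir mkdir open opendir read rename rmdir write link unlink
    # failed operations (e.g. permission denied) are not logged with this setting
    full_audit:failure = none
    full_audit:facility = local7
    full_audit:priority = notice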
then tell logrotate to archive the files daily, in /etc/logrotate.d/smbd_audit:
    /var/log/samba/audit.log {
        rotate 7
        daily
        missingok
        notifempty
        delaycompress
        compress
        postrotate
            invoke-rc.d rsyslog rotate > /dev/null
        endscript
    }
finally restart both samba and rsyslog and enjoy the logs:
    service smbd restart
    # the debian service is named rsyslog (same name as in the logrotate postrotate line)
    service rsyslog restart
    tail -f /var/log/samba/audit.log
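to get more out of the log than tail -f, here is an added example (not part of the original post) that parses the lines this configuration produces and counts successful unlink/rmdir/rename operations per user and client ip. it assumes traditional syslog timestamps and that full_audit appends operation|result|arguments after the configured prefix; the sample lines, the threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter

# constructed sample lines, not taken from a real server
# layout assumed: <syslog header> smbd_audit: %S|%u|%I|%m|operation|result|args...
SAMPLE = """\
Mar  3 10:15:01 fs1 smbd_audit: projects|alice|192.0.2.10|ws-alice|open|ok|r|report.odt
Mar  3 10:15:07 fs1 smbd_audit: projects|alice|192.0.2.10|ws-alice|rename|ok|a.odt|b.odt
Mar  3 10:16:30 fs1 smbd_audit: projects|bob|192.0.2.23|ws-bob|unlink|ok|old/a.txt
Mar  3 10:16:30 fs1 smbd_audit: projects|bob|192.0.2.23|ws-bob|unlink|ok|old/b.txt
Mar  3 10:16:31 fs1 smbd_audit: projects|bob|192.0.2.23|ws-bob|unlink|ok|old/c.txt
Mar  3 10:16:40 fs1 kernel: unrelated line
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"smbd_audit(?:\[\d+\])?:\s(?P<msg>.*)$"
)
FIELDS = ("share", "user", "ip", "machine", "op", "result")

def parse(line):
    """Return a dict for one smbd_audit line, or None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    parts = m.group("msg").split("|")
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = m.group("ts")
    # remaining fields are the operation's arguments; a '|' inside a file name splits them
    rec["args"] = parts[len(FIELDS):]
    return rec

def destructive_counts(lines, ops=("unlink", "rmdir", "rename")):
    """Count successful delete/rename operations per (user, client ip)."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["op"] in ops and rec["result"] == "ok":
            counts[(rec["user"], rec["ip"])] += 1
    return counts

def flag(lines, threshold=3):
    """Return the (user, ip) pairs at or above the threshold, sorted."""
    return sorted(k for k, n in destructive_counts(lines).items() if n >= threshold)

if __name__ == "__main__":
    print(flag(SAMPLE.splitlines()))
```

to run it against the real log, pass the lines of /var/log/samba/audit.log instead of SAMPLE and pick a threshold that fits the share's normal activity.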