audit/access logs in samba

i’ve ‘convinced’ my samba running under debian wheezy/jessie to provide me access audit logs without being too verbose. here’s how.

in /etc/rsyslog.d/50-smbd_audit.conf i have to tell rsyslogd to direct audit logs to a separate file:

if $programname == 'smbd_audit' then /var/log/samba/audit.log
if $programname == 'smbd_audit' then ~

in /etc/samba/smb.conf i tell samba to generate such information:

vfs object = full_audit
full_audit:prefix = %S|%u|%I|%m
full_audit:success = chdir mkdir open opendir read rename rmdir write link unlink
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = notice

and finally tell logrotate to archive the files daily – /etc/logrotate.d/smbd_audit

/var/log/samba/audit.log
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
 invoke-rc.d rsyslog rotate > /dev/null
endscript
}

finally restart both samba and rsyslog and enjoy the logs:

service smbd restart
service rsyslogd restart
tail -f /var/log/samba/audit.log

Leave a Reply

Your email address will not be published. Required fields are marked *