It could be useful to trace Windows users activity in a Samba server share environment. Let's see how to get username, ip address, hostname, file and operation type in our log file thanks to vfs module.
[global]
workgroup = WORKGROUP
server string = serv
bind interfaces only = yes
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unkink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE
root@host:~# testparm
root@host:~# smbcontrol all reload-config
############### #### RULES #### ############### # # First some standard log files. Log by facility. # auth,authpriv.* /var/log/auth.log #*.*;auth,authpriv.none -/var/log/syslog # local7.none prevent to have local7 facility log inside syslog file *.*;auth,authpriv.none;local7.none -/var/log/syslog #cron.* /var/log/cron.log daemon.* -/var/log/daemon.log kern.* -/var/log/kern.log lpr.* -/var/log/lpr.log mail.* -/var/log/mail.log user.* -/var/log/user.log #samba log will be sent to /var/log/samba_vfs.log file local7.* /var/log/samba_vfs.log […] #we disable local7 logs to /var/log/messages *.=info;*.=notice;*.=warn;\ auth,authpriv.none;\ cron,daemon.none;\ mail.none;local7.none -/var/log/messages
root@host:~# systemctl restart rsyslog
root@host:~# tail -f /var/log/samba_vfs.log
Full audit mode is pretty verbose, so the file log is gonna be huge very quickly. So I developed a script to manage it.
⚠️Works for ext4 file system only.
#! /bin/bash SDE=$(/bin/date --date='2 days ago' +%s) #two days epoch INO=$(stat -c %i /var/log/samba_vfs.log) #get inode number of /var/log/samba_vfs.log file DEV=/dev/sda1 #device where /var has been mounted CRE=$(/bin/date --date="$(/sbin/debugfs -R 'stat <"'"$INO"'">' $DEV 2>/dev/null | grep 'crtime:' | sed 's/.*-- //')" +%s) #get epoch time of last /var/log/samba_vfs.log modification A=6 B=7 if [ "$SDE" -gt "$CRE" ]; then while [ "$A" -ge 1 ]; do mv /var/log/samba_vfs."$A".gz /var/log/samba_vfs."$B".gz ((A-=1)) #ou A=$((A-1)) ((B-=1)) done gzip -c /var/log/samba_vfs.log > /var/log/samba_vfs.1.gz rm /var/log/samba_vfs.log systemctl restart rsyslog fi
0 3 * * * root /usr/local/sbin/log_samba.sh
Contact :