Log Windows users activity on a Samba share with VFS module

Last updated: Sep 5, 2023

Intro

It could be useful to trace Windows users activity in a Samba server share environment. Let's see how to get username, ip address, hostname, file and operation type in our log file thanks to vfs module.

Configuration

OS : Debian GNU/Linux 12 (bookworm)
samba : 4.17

/etc/samba/smb.conf

Add this configuration lines :
- prefix : log format
- success : what we want to log
- facilty : useful for rsyslog configuration

[global]
   workgroup = WORKGROUP
   server string = serv
   bind interfaces only = yes
   vfs objects = full_audit
   full_audit:prefix = %u|%I|%m|%S
   #full_audit:success = mkdir rename unlink rmdir pwrite #For samba version < 4.17
   full_audit:success = mkdirat renameat unlinkat pwrite #For samba version < 4.17
   full_audit:failure = none
   full_audit:facility = local7
   full_audit:priority = NOTICE

Configuration check and Reload services

root@host:~# testparm root@host:~# smbcontrol all reload-config

Rsyslog

Edit /etc/rsyslog.conf file to set the facility7 rule

###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
#*.*;auth,authpriv.none          -/var/log/syslog
# local7.none prevent to have local7 facility log inside syslog file
*.*;auth,authpriv.none;local7.none -/var/log/syslog 
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
#samba log will be sent to /var/log/samba_vfs.log file
local7.*                        /var/log/samba_vfs.log

[…]

#we disable local7 logs to /var/log/messages
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail.none;local7.none               -/var/log/messages

root@host:~# systemctl restart rsyslog

Check logs

root@host:~# tail -f /var/log/samba_vfs.log

Logs Treatment

Full audit mode is pretty verbose, so the file log is gonna be huge very quickly. So I developed a script to manage it.

⚠️Works for ext4 file system only.

/usr/local/sbin/log_samba.sh

#! /bin/bash
SDE=$(/bin/date --date='2 days ago' +%s) #two days epoch
INO=$(stat -c %i /var/log/samba_vfs.log) #get inode number of /var/log/samba_vfs.log file
DEV=/dev/sda1 #device where /var has been mounted
CRE=$(/bin/date --date="$(/sbin/debugfs -R 'stat <"'"$INO"'">' $DEV 2>/dev/null | grep 'crtime:' | sed 's/.*-- //')" +%s) #get epoch time of last /var/log/samba_vfs.log modification

A=6
B=7

if [ "$SDE" -gt "$CRE" ]; then
        while [ "$A" -ge 1 ]; do
                mv /var/log/samba_vfs."$A".gz /var/log/samba_vfs."$B".gz
                ((A-=1)) #ou A=$((A-1))
                ((B-=1))
        done

        gzip -c /var/log/samba_vfs.log > /var/log/samba_vfs.1.gz
        rm /var/log/samba_vfs.log
	systemctl restart rsyslog
fi

Add a cron task

/etc/cron.d/samba_logs

0 3 * * * root /usr/local/sbin/log_samba.sh

References

Many thanks to moiristo: https://moiristo.wordpress.com/

Computing

Music

Misc