
How to Log Windows User Activity on a Samba Share Using VFS


Intro

Tracking what Windows users do on a Samba share is very useful for auditing and troubleshooting. This guide shows how to log the username, client IP address, client hostname, file name and operation type with the vfs_full_audit VFS module and to route those records through rsyslog into a dedicated log file.

Configuration

  • OS: Debian GNU/Linux 12 (Bookworm)
  • Samba version: 4.17

Editing /etc/samba/smb.conf to Enable User Activity Logging

  • Add the following configuration lines to the [global] section:
    • prefix: defines the fields written at the start of every log line
    • success: lists the successful operations to log
    • facility: sets the syslog facility that rsyslog will match on

[global]
   workgroup = WORKGROUP
   server string = serv
   bind interfaces only = yes
   vfs objects = full_audit
   full_audit:prefix = %u|%I|%m|%S
   # smb.conf only treats a line as a comment when it starts with # or ;,
   # so keep the notes on their own lines rather than after a value.
   # Samba versions before 4.17 use the older operation names:
   #full_audit:success = mkdir rename unlink rmdir pwrite
   # Samba 4.17 (this guide) uses the *at names:
   full_audit:success = mkdirat renameat unlinkat pwrite
   full_audit:failure = none
   full_audit:facility = local7
   full_audit:priority = NOTICE

Check Configuration and Reload Samba

Run the following commands to validate your smb.conf syntax and reload the Samba configuration without restarting the service:

root@host:~# testparm
root@host:~# smbcontrol all reload-config

Configure rsyslog to Handle Samba Logs

Make sure the rsyslog package is installed. On Debian 12, you can install it with:

root@host:~# apt update && apt install rsyslog

  • Edit the /etc/rsyslog.conf file to define a rule for the local7 facility.

###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
#*.*;auth,authpriv.none          -/var/log/syslog
# local7.none keeps the local7 facility (the Samba audit records) out of the syslog file
*.*;auth,authpriv.none;local7.none -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
#samba log will be sent to /var/log/samba_vfs.log file
local7.*                        /var/log/samba_vfs.log

[…]

# keep local7 out of /var/log/messages as well
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail.none;local7.none               -/var/log/messages

After modifying the rsyslog configuration, restart the service to apply the changes:

root@host:~# systemctl restart rsyslog

  • Check that Samba logs are being written:

root@host:~# tail -f /var/log/samba_vfs.log
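With the prefix from this guide, vfs_full_audit writes each record as the prefix fields followed by the operation name, "ok" or "fail", and the operation's arguments, all separated by "|", and rsyslog puts its usual header in front. The following script is an added example (it is not part of the original guide) that summarises such a file per user, client and operation, and lists the users whose count of delete and rename operations reaches a threshold, which is the kind of burst worth reviewing when a share is being cleaned out or mass-renamed. The log lines, host names and addresses below are constructed for the demo; the function names are the example's own.

```shell
#!/bin/bash
# Added example, not from the original guide.
# Expected line layout (prefix = %u|%I|%m|%S):
#   <syslog header> smbd_audit: <user>|<ip>|<host>|<share>|<op>|<ok|fail>|<args...>
# Constructed sample log for the demo:
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug 17 03:12:45 serv smbd_audit: alice|192.168.1.20|WS01|shared|pwrite|ok|reports/q3.xlsx
Aug 17 03:12:46 serv smbd_audit: alice|192.168.1.20|WS01|shared|renameat|ok|reports/q3.xlsx|reports/q3-final.xlsx
Aug 17 03:13:01 serv smbd_audit: bob|192.168.1.31|WS07|shared|unlinkat|ok|tmp/a.txt
Aug 17 03:13:01 serv smbd_audit: bob|192.168.1.31|WS07|shared|unlinkat|ok|tmp/b.txt
Aug 17 03:13:02 serv smbd_audit: bob|192.168.1.31|WS07|shared|unlinkat|ok|tmp/c.txt
Aug 17 03:13:02 serv smbd_audit: bob|192.168.1.31|WS07|shared|renameat|ok|tmp/d.txt|tmp/d.txt.locked
EOF

# audit_summary <logfile>
# Prints "user ip host share op count" for every combination seen, sorted.
audit_summary() {
  awk -F'|' '{
      n = split($1, h, " "); user = h[n]        # user is the last word of field 1
      key = user " " $2 " " $3 " " $4 " " $5
      c[key]++
  } END { for (k in c) print k, c[k] }' "$1" | sort
}

# audit_destructive_users <logfile> <threshold>
# Prints "user count" for users whose unlinkat + renameat records reach the threshold.
audit_destructive_users() {
  awk -F'|' -v limit="$2" '$5 == "unlinkat" || $5 == "renameat" {
      n = split($1, h, " "); c[h[n]]++
  } END { for (u in c) if (c[u] >= limit) print u, c[u] }' "$1" | sort
}

audit_summary "$SAMPLE_LOG"
echo "--- users with 3 or more delete/rename operations:"
audit_destructive_users "$SAMPLE_LOG" 3
```

Run it against the real file with `audit_summary /var/log/samba_vfs.log`; the threshold in audit_destructive_users should be tuned to the share's normal activity, and for a live check it is more useful to feed it only the last few minutes of the log (for example through `tail -n`) than the whole file.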

Log File Management

Full audit mode is very verbose, so the log file grows quickly. To manage this, I wrote a script that archives the log automatically.

⚠️ This solution works only on ext4 file systems, because it uses debugfs to read the log file's creation time (crtime).

  • Script path: /usr/local/sbin/log_samba.sh

#!/bin/bash
# Rotate /var/log/samba_vfs.log once it is more than two days old, keeping seven gzipped archives.
# The file's age is taken from its ext4 creation time (crtime), read with debugfs.
LOG=/var/log/samba_vfs.log
DEV=/dev/sda1 # block device where /var is mounted (adjust to your system)

SDE=$(/bin/date --date='2 days ago' +%s) # epoch of two days ago
INO=$(stat -c %i "$LOG")                 # inode number of the log file
# debugfs prints e.g. "crtime: 0x... -- Mon Aug 17 03:00:00 2025"; keep the human-readable date
CRT=$(/sbin/debugfs -R "stat <$INO>" "$DEV" 2>/dev/null | grep 'crtime:' | sed 's/.*-- //')
if [ -z "$CRT" ]; then
        echo "could not read the crtime of $LOG from $DEV" >&2
        exit 1
fi
CRE=$(/bin/date --date="$CRT" +%s)       # epoch of the log file's creation time

A=6
B=7

if [ "$SDE" -gt "$CRE" ]; then
        # shift the older archives up by one: .6.gz -> .7.gz, ..., .1.gz -> .2.gz
        while [ "$A" -ge 1 ]; do
                [ -e "/var/log/samba_vfs.$A.gz" ] && mv "/var/log/samba_vfs.$A.gz" "/var/log/samba_vfs.$B.gz"
                ((A-=1)) # or A=$((A-1))
                ((B-=1))
        done

        gzip -c "$LOG" > /var/log/samba_vfs.1.gz
        rm "$LOG"
        # rsyslog still holds the deleted file open; restarting it creates a fresh log file
        systemctl restart rsyslog
fi

Set Up a Cron Job

Create the following file to schedule automatic log rotation every night at 3:00 AM:

  • /etc/cron.d/samba_logs

0 3 * * * root /usr/local/sbin/log_samba.sh
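The script above depends on ext4 because it needs the file's creation time. The following function is an added example, not the guide's own script, that does the same numbered-archive rotation on any file system: it remembers the time of the last rotation in a marker file next to the log and truncates the live file in place instead of deleting it, so rsyslog keeps writing to the file it already has open and no restart is needed. The function and marker names are the example's own, and the demo log at the bottom is constructed.

```shell
#!/bin/bash
# Added example, not from the original guide.
# rotate_if_due <logfile> <archives to keep> <minimum age in days>
# Returns 0 when a rotation was performed, 1 when nothing was due.
rotate_if_due() {
  local log=$1 keep=$2 min_age=$3
  local marker="$log.last-rotation"   # assumed marker name; its mtime is the last rotation time
  local i

  [ -s "$log" ] || return 1            # empty or missing log: nothing to rotate
  # Not due yet: the marker exists and was touched less than min_age days ago.
  if [ -e "$marker" ] && [ -n "$(find "$marker" -mtime -"$min_age")" ]; then
    return 1
  fi

  # Shift the existing archives up by one; the oldest (.keep.gz) is overwritten.
  i=$((keep - 1))
  while [ "$i" -ge 1 ]; do
    [ -e "$log.$i.gz" ] && mv -f "$log.$i.gz" "$log.$((i + 1)).gz"
    i=$((i - 1))
  done

  # Compress the current contents, then truncate the live file in place.
  # Lines written between the two commands are lost; on a busy share, send
  # rsyslog a HUP to reopen the file instead of truncating it.
  gzip -c "$log" > "$log.1.gz" && : > "$log"
  touch "$marker"
}

# archive_count <logfile>: number of numbered .gz archives present for that log.
archive_count() {
  ls "$1".[0-9]*.gz 2>/dev/null | wc -l
}

# Demo on a constructed log in a temporary directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
demo_log="$demo_dir/samba_vfs.log"
echo "alice|192.168.1.20|WS01|shared|pwrite|ok|reports/q3.xlsx" > "$demo_log"
if rotate_if_due "$demo_log" 7 2; then
  echo "rotated: $(archive_count "$demo_log") archive(s), live log now $(wc -c < "$demo_log") bytes"
fi
```

Called from the same cron line as the guide's script (for example `rotate_if_due /var/log/samba_vfs.log 7 2`), it keeps seven archives and rotates at most once every two days; because the decision is based on the marker's modification time, it behaves the same on ext4, XFS or any other file system.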
