How to Log Windows User Activity on a Samba Share Using VFS
- Last updated: Jul 27, 2025
Intro
Tracking what Windows users do on a Samba share is very useful for auditing and troubleshooting. In this guide, we'll show how to log the user name, client IP address, client machine name, share, file name and operation type with the vfs_full_audit module, and how to route those records into their own log file with rsyslog.
Configuration
- OS: Debian GNU/Linux 12 (Bookworm)
- Samba version: 4.17
Editing /etc/samba/smb.conf to Enable User Activity Logging
- Add the following configuration lines to the [global] section (or to a single share definition if only that share should be audited). The full_audit options used are:
- prefix: defines the log format. The smb.conf variables used here are %u (user name), %I (client IP address), %m (client NetBIOS name; clients connecting on port 445 no longer send it, so it usually falls back to the client IP) and %S (share name)
- success: specifies which successful operations to log
- failure: specifies which failed operations to log (none here)
- facility: sets the syslog facility that rsyslog will filter on
- priority: sets the syslog priority of each message
[global]
workgroup = WORKGROUP
server string = serv
bind interfaces only = yes
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
#full_audit:success = mkdir rename unlink rmdir pwrite #operation names for Samba versions before 4.17
full_audit:success = mkdirat renameat unlinkat pwrite #operation names for Samba 4.17; unlinkat covers both file and directory removal
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE
Check Configuration and Reload Samba
Run testparm to validate the syntax of smb.conf, then tell the running smbd processes to reload their configuration without restarting the service. The VFS stack of a share is built when a client connects to it, so sessions that are already open are only audited once they reconnect (or after a full restart of smbd):
root@host:~# testparm
root@host:~# smbcontrol all reload-config
Configure rsyslog to Handle Samba Logs
Make sure the rsyslog package is installed. On Debian 12, you can install it with:
root@host:~# apt update && apt install rsyslog
- Edit the /etc/rsyslog.conf file to define a rule for the local7 facility.
###############
#### RULES ####
###############
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
#*.*;auth,authpriv.none -/var/log/syslog
# local7.none keeps the local7 facility out of /var/log/syslog
*.*;auth,authpriv.none;local7.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
#samba log will be sent to /var/log/samba_vfs.log file
local7.* /var/log/samba_vfs.log
[…]
# keep local7 out of /var/log/messages as well
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail.none;local7.none -/var/log/messages
After modifying the rsyslog configuration, restart the service to apply the changes:
root@host:~# systemctl restart rsyslog
- Check that Samba logs are being written:
root@host:~# tail -f /var/log/samba_vfs.log
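Once records are flowing, the pipe-separated format is easy to process. The following Python script is an added example, not code from the original guide or from the Samba project: it parses the `user|ip|client|share|op|ok|args` records produced by the configuration above, assuming rsyslog's default traditional line format and the `smbd_audit` syslog tag that vfs_full_audit uses, skips lines from other programs, and counts successful unlinkat operations per user, which is the kind of check that turns the audit log into a mass-deletion alert. The log lines embedded in it are constructed for the example, and the threshold of three deletions is an arbitrary illustration value.

```python
"""Parse vfs_full_audit lines written by the setup above and flag bulk deletions.

This is an added example, not code from the original guide. It assumes the
smb.conf shown earlier (prefix %u|%I|%m|%S; success = mkdirat renameat
unlinkat pwrite) and rsyslog's traditional file format, so each line reads
  'Jul 27 09:12:01 serv smbd_audit[2231]: user|ip|client|share|op|ok|args...'
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Traditional rsyslog line: timestamp, host, tag[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"smbd_audit\[\d+\]: (?P<msg>.*)$"
)

# Constructed sample, not captured from a real server.
SAMPLE_LOG = """\
Jul 27 09:12:01 serv smbd_audit[2231]: alice|192.168.1.20|WKS-ALICE|docs|mkdirat|ok|Projects/2025
Jul 27 09:12:05 serv smbd_audit[2231]: alice|192.168.1.20|WKS-ALICE|docs|pwrite|ok|Projects/2025/plan.xlsx
Jul 27 09:13:40 serv smbd_audit[2231]: alice|192.168.1.20|WKS-ALICE|docs|renameat|ok|Projects/2025/plan.xlsx|Projects/2025/plan-v2.xlsx
Jul 27 09:20:11 serv smbd_audit[2248]: bob|192.168.1.31|WKS-BOB|docs|unlinkat|ok|Archive/q1.pdf
Jul 27 09:20:11 serv smbd_audit[2248]: bob|192.168.1.31|WKS-BOB|docs|unlinkat|ok|Archive/q2.pdf
Jul 27 09:20:12 serv smbd_audit[2248]: bob|192.168.1.31|WKS-BOB|docs|unlinkat|ok|Archive/q3.pdf
Jul 27 09:20:12 serv smbd_audit[2248]: bob|192.168.1.31|WKS-BOB|docs|unlinkat|ok|Archive/q4.pdf
Jul 27 09:21:00 serv smbd_audit[2231]: alice|192.168.1.20|WKS-ALICE|docs|unlinkat|ok|Projects/2025/plan-v2.xlsx
Jul 27 09:30:00 serv CRON[1410]: (root) CMD (/usr/local/sbin/log_samba.sh)
""".splitlines()


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    client_ip: str
    client_name: str
    share: str
    op: str
    ok: bool
    args: list = field(default_factory=list)  # operation arguments, e.g. old|new for renameat


def parse_line(line):
    """Return an AuditEvent for one log line, or None if it is not a full_audit record."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.group("msg").split("|")
    # four prefix fields + operation + ok/fail; whatever follows is the operation's arguments
    if len(fields) < 6:
        return None
    user, ip, name, share, op, status = fields[:6]
    return AuditEvent(m.group("ts"), user, ip, name, share, op, status == "ok", fields[6:])


def parse_log(lines):
    """Parse an iterable of lines, silently skipping lines from other programs."""
    return [ev for ev in map(parse_line, lines) if ev is not None]


def deletions_per_user(events, share=None):
    """Count successful unlinkat operations per user, optionally restricted to one share."""
    counts = Counter()
    for ev in events:
        if ev.op == "unlinkat" and ev.ok and (share is None or ev.share == share):
            counts[ev.user] += 1
    return counts


def bulk_delete_suspects(events, threshold):
    """Users who deleted at least `threshold` objects; the threshold is a tuning assumption."""
    return sorted(u for u, n in deletions_per_user(events).items() if n >= threshold)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(f"{ev.timestamp} {ev.user}@{ev.client_ip} {ev.share}: {ev.op} {' -> '.join(ev.args)}")
    print("bulk deleters:", bulk_delete_suspects(events, threshold=3))
```

Because the configuration sets full_audit:failure = none, only ok records appear in the file; the parser still keeps the status field so the same code works unchanged if failed operations are logged later. The argument list is left variable-length on purpose: renameat logs two paths, the other operations one, so a fixed column layout would break on the first rename.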
Log File Management
The full audit mode is very verbose, which means the log file can quickly grow in size. To manage this, I developed a script that automatically archives the logs.
⚠️ This solution works only on ext4 file systems, because it reads the creation time (crtime) of the log file with debugfs. On Debian 12, stat -c %W also reports the birth time in epoch seconds (0 when the file system does not record it) and avoids the debugfs dependency.
- Script path: /usr/local/sbin/log_samba.sh
#! /bin/bash
# Rotate /var/log/samba_vfs.log once it is more than two days old, keeping 7 gzipped generations.
LOG=/var/log/samba_vfs.log
SDE=$(/bin/date --date='2 days ago' +%s)        #epoch of "two days ago"
INO=$(stat -c %i "$LOG")                         #inode number of the live log file
DEV=$(findmnt -n -o SOURCE --target /var/log)    #block device holding /var/log (must be ext4)
#creation time (crtime) of the inode as reported by debugfs, converted to epoch seconds
CRT=$(/sbin/debugfs -R "stat <$INO>" "$DEV" 2>/dev/null | sed -n 's/^crtime:.*-- //p')
[ -n "$CRT" ] || { echo "cannot read crtime of $LOG on $DEV" >&2; exit 1; }
CRE=$(/bin/date --date="$CRT" +%s)
A=6
B=7
if [ "$SDE" -gt "$CRE" ]; then
    #shift samba_vfs.6.gz -> .7.gz down to .1.gz -> .2.gz; the oldest (.7.gz) is overwritten
    while [ "$A" -ge 1 ]; do
        [ -f /var/log/samba_vfs."$A".gz ] && mv -f /var/log/samba_vfs."$A".gz /var/log/samba_vfs."$B".gz
        ((A-=1)) #or A=$((A-1))
        ((B-=1))
    done
    #rename first, then make rsyslog reopen the file: nothing is written to an unlinked inode
    mv "$LOG" /var/log/samba_vfs.1
    systemctl restart rsyslog
    gzip -f /var/log/samba_vfs.1
fi
Set Up a Cron Job
Create the following file to run the rotation script every night at 3:00 AM (the script must be executable, e.g. chmod 755 /usr/local/sbin/log_samba.sh):
/etc/cron.d/samba_logs
0 3 * * * root /usr/local/sbin/log_samba.sh
References
- Special thanks to moiristo: https://moiristo.wordpress.com/