lorenzoASR
Dear Forum, I want to share my experience installing a nice Samba extension called full_audit.
Full_audit lets you log ALL operations on a share, like create file, delete file, change path...
1) Go to Services->CIFS (click)
2) Add these lines in "Auxiliary Parameters" (or something like that, I have it in Italian):
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:facility = LOCAL5
full_audit:priority = NOTICE
You can edit these parameters as you prefer! (read http://www.samba.org/samba/docs/man/manpages/vfs_full_audit.8.html)
3) Now go to Sharing->CIFS->Add Shared Element, fill it in as you want, and click "Advanced Mode" (at the end of the tab). Now you can add this line to "Auxiliary Parameters":
vfs objects = recycle full_audit
END!
Now you will find in the Samba logs all the operations listed in "full_audit:success" and "full_audit:failure".
Repeat step 3 for each shared path that you want to log!
Sorry for my English, I hope this will help you!
EDIT:
According to cyberjock, this method adds a lot of logs and will quickly fill your 10 MB log space, so you have to move the logs to another location.
Here's how to move the logs from the default location to a custom one:
1) Mount / with write permission
Code:
mount -rw /
2) Edit /conf/base/etc/syslog.conf
You can set the new custom location as you prefer; in my case it is /mnt/storagesata1/....
Code:
# Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit /dev/console
#*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
local5.=info /mnt/storagesata1/misc/logs/samba/docs.log
local5.=notice /mnt/storagesata1/misc/logs/samba/activity.log
local0.notice;local1.notice;local2.notice;local3.notice /var/log/messages
local4.notice;local6.notice;local7.notice /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
ftp.info /var/log/xferlog
cron.* /var/log/cron
# *.=debug /var/log/debug.log
*.emerg *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.* /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.* @loghost
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
!ppp
*.* /var/log/ppp.log
!*
You have to modify line 7, adding a # at the start, and lines 8-11, inserting the level rules.
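As an added example (not part of the original post), this Python script parses the lines full_audit writes to syslog with the prefix `%u|%I|%m|%S` configured above, then reports users with many successful deletes and any failed connects. The sample log lines, the host and user names, and the `delete_threshold` value are constructed assumptions; the `smbd_audit` tag and the `operation|result|arguments` fields after the prefix follow vfs_full_audit's syslog output.

```python
import re
from collections import Counter

# Constructed sample lines in the shape vfs_full_audit logs with the prefix
# "%u|%I|%m|%S": user|client IP|client name|share|operation|result|arguments
SAMPLE = """\
Nov 10 09:00:01 freenas smbd_audit: anna|192.168.1.20|pc-anna|docs|mkdir|ok|reports
Nov 10 09:00:05 freenas smbd_audit: anna|192.168.1.20|pc-anna|docs|pwrite|ok|reports/q3.xls
Nov 10 09:01:10 freenas smbd_audit: bob|192.168.1.31|pc-bob|docs|rename|ok|a.txt|b.txt
Nov 10 09:02:00 freenas smbd_audit: bob|192.168.1.31|pc-bob|docs|unlink|ok|b.txt
Nov 10 09:02:01 freenas smbd_audit: bob|192.168.1.31|pc-bob|docs|unlink|ok|reports/q3.xls
Nov 10 09:02:02 freenas smbd_audit: bob|192.168.1.31|pc-bob|docs|rmdir|fail (Directory not empty)|reports
Nov 10 09:03:00 freenas smbd_audit: nobody|192.168.1.99|unknown|docs|connect|fail (Permission denied)|docs
Nov 10 09:03:30 freenas kernel: unrelated message
"""

# syslog timestamp, host, "smbd_audit" tag (optionally with a pid), message body
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ smbd_audit(?:\[\d+\])?: (?P<body>.*)$")

def parse(line):
    """Return a dict for one audit line, or None for any other syslog line."""
    m = LINE.match(line)
    if not m:
        return None
    # Note: a file name containing "|" would shift the argument fields.
    fields = m.group("body").split("|")
    if len(fields) < 6:  # 4 prefix fields + operation + result
        return None
    user, ip, machine, share, op, result = fields[:6]
    return {"ts": m.group("ts"), "user": user, "ip": ip, "machine": machine,
            "share": share, "op": op, "ok": result == "ok",
            "error": None if result == "ok" else result, "args": fields[6:]}

def summarize(text, delete_threshold=2):
    """Count audit events, heavy deleters and failed connects in a log text."""
    events = [e for e in map(parse, text.splitlines()) if e]
    deletes = Counter(e["user"] for e in events
                      if e["ok"] and e["op"] in ("unlink", "rmdir"))
    failed = [(e["user"], e["ip"]) for e in events
              if e["op"] == "connect" and not e["ok"]]
    heavy = sorted(u for u, n in deletes.items() if n >= delete_threshold)
    return {"events": len(events), "heavy_deleters": heavy, "failed_connects": failed}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To run it on real data, pass the contents of the file that `local5.=notice` points to in syslog.conf to `summarize()` and raise `delete_threshold` to suit normal activity on the share.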