Log full path with samba vfs full_audit

nekopep

Dabbler
Joined
Oct 18, 2017
Messages
10
Hello,
I've activated samba vfs full_audit on a share and added these options to the samba (via gui):
full_audit: prefix = %u|%I|%m|%S
full_audit: priority = notice
full_audit: failure = connect
full_audit: success = open mkdir unlink rmdir rename

So far, it logs everything to /var/log/messages, but ONLY the filename:
Apr 22 11:57:07 freenas smbd_audit: username|192.168.xxx.xxx||data|open|ok|r|image.png

Is there a way to get full path for accessed/modified file, because it is quite unusefull as is if i've got several files with same name :( ?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,702
You are specifying in the prefix option to use:

%u = username
%I = client IP address
%m = Client netbios name
%S = File Name (actually it's the "current service name")


Have you tried asking for

%P = "The root directory of the current service if any." (I would presume this would refer to the file and it's root directory) . Not tested by me to see if this works, but it seems to make some sense.

Reference: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
 

nekopep

Dabbler
Joined
Oct 18, 2017
Messages
10
Yes, in fact I've tried almost all options.
My root share is /mnt/pool0/data.
%S -> data
%P -> /mnt/pool0/data

With "%u|%I|%m|%S|%P" I got this kind of message:
May 6 15:28:15 freenas-xxxx smbd_audit: USERNAME|192.168.XX.XX|192.168.XX.XX|data|/mnt/pool0/data|open|ok|r|myimage.png

But /mnt/pool0/data if my base path of the share. I'm missing the important part that is path to the file. (ex: /mnt/pool0/images_repos/140506/)

It looks like for me that the last part |open|ok|r|myimage.png is generated by samba server (no acces trhought %option)
And so far, I've tried almost all options without success.

I must miss something because as is the full audit logging is quite unusefull :/

Perhaps the server need a specirfic patch to be able to display full path... ?

I haven't tried:
%N
%p
But seems related to NIS.map (not sure it is related to my issue)
 
Top