Help With Samba Audit Logging

Joined
Feb 21, 2023
Messages
4
Hi,

I have been struggling to get Samba auditing to work correctly for a while now and I have a few strange issues that I haven't found elsewhere on the forums.

Firstly, here are some of the changes I've made:

Services → SMB → Auxiliary Parameters:
full_audit:prefix = %u | %I | %m | %S
full_audit:failure = connect
full_audit:success = connect mkdirat renameat unlinkat linkat open
full_audit:facility = LOCAL5
full_audit:priority = NOTICE

Sharing → Windows Shares (SMB) → [Share Name] → Advanced Options → Auxiliary Parameters:
vfs objects=full_audit

Updated “/conf/base/etc/local/syslog-ng.conf.freenas” to try to store logs at “/var/log/samba4/activity.log”:
destination m_samba_audit { file("/var/log/samba4/activity.log"); };
log { source(src); filter(f_local5);destination(m_samba_audit); flags(final); };

Changes Made to “/etc/syslog.conf” and “/conf/base/etc/syslog.conf” (not sure which one works, if any):
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local5.none /var/log/messages


And now for the issues I'm having:
  1. Logging DOES go to "/var/log/samba4/activity.log" but it also logs to "/var/log/messages". Is there any way to get this to ONLY go to activity.log? I thought editing syslog.conf would help with this but so far I haven't had any luck.
  2. For some reason nginx is spamming "/var/log/samba4/activity.log" with:
     Feb 21 15:07:45 truenas nginx: 192.168.1.121 - - [21/Feb/2023:15:07:45 -0700] "GET /websocket HTTP/1.1" 101 387 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
    1. Note that nginx is NOT spamming "/var/log/messages" with this
    2. Any idea what this is and why the heck it's showing up in my samba activity.log?

Would appreciate any insight on this as I am quite lost at the moment. Thanks!
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
> Updated “/conf/base/etc/local/syslog-ng.conf.freenas” to try to store logs at “/var/log/samba4/activity.log”:
> destination m_samba_audit { file("/var/log/samba4/activity.log"); };
> log { source(src); filter(f_local5);destination(m_samba_audit); flags(final); };
>
> Changes Made to “/etc/syslog.conf” and “/conf/base/etc/syslog.conf” (not sure which one works, if any):
> *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local5.none /var/log/messages

Why would you do that... those files aren't for user editing and likely to be overwritten on reboot or upgrade.

Generally speaking, you're using an appliance here and the logging location isn't for you to choose.

If you want to have logging going elsewhere, use the System | Advanced page, Syslog section to send it to something like graylog or whatever product you prefer to use to digest and sort the logs.
 
Joined
Feb 21, 2023
Messages
4
> Why would you do that... those files aren't for user editing and likely to be overwritten on reboot or upgrade.
>
> Generally speaking, you're using an appliance here and the logging location isn't for you to choose.
>
> If you want to have logging going elsewhere, use the System | Advanced page, Syslog section to send it to something like graylog or whatever product you prefer to use to digest and sort the logs.

I was just following the various guides on audit logging found in these forums (all pretty out of date though), but maybe there just isn't a way to do what I want natively. Even if I have to re-modify those files after an upgrade (I know that syslog-ng.conf.freenas persists through reboots), it'd still be cool if there was a way to suppress samba auditing from writing to both messages and activity.log.

I was hoping to avoid third party logging tools so as not to over-complicate things, but maybe I'll have to look into some if that's my best option.

Thanks for the advice!
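
An added example, not part of the thread and not TrueNAS or Samba code: a Python parser that splits a mixed activity.log like the one described in the first post into full_audit records, read with the `%u | %I | %m | %S` prefix, and lines written by other programs such as nginx. It assumes the `smbd_audit` syslog tag and the `prefix|operation|result|args` layout that vfs_full_audit writes; the sample lines and field names are constructed.

```python
import re

# Classic syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?:\s(?P<msg>.*)$"
)
# Field names (hypothetical) for the thread's prefix "%u | %I | %m | %S"
PREFIX_FIELDS = ("user", "client_ip", "client_name", "share")
AUDIT_PROG = "smbd_audit"  # assumption: syslog tag used by vfs_full_audit

# Constructed sample; the nginx line is modelled on the one quoted in the thread
SAMPLE = [
    'Feb 21 15:07:44 truenas smbd_audit[4321]: alice | 192.168.1.50 | desktop1 | media|connect|ok|media',
    'Feb 21 15:07:45 truenas nginx: 192.168.1.121 - - [21/Feb/2023:15:07:45 -0700] "GET /websocket HTTP/1.1" 101 387 "-" "Mozilla/5.0"',
    'Feb 21 15:07:46 truenas smbd_audit[4321]: alice | 192.168.1.50 | desktop1 | media|renameat|ok|/mnt/tank/media/a.txt|/mnt/tank/media/b.txt',
    'Feb 21 15:07:47 truenas smbd_audit[4321]: bob | 192.168.1.51 | laptop2 | media|connect|fail (Permission denied)|media',
]

def parse_audit_line(line):
    """Return a dict for a full_audit record, or None for any other line."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m or m.group("prog") != AUDIT_PROG:
        return None
    n = len(PREFIX_FIELDS)
    # Split off prefix fields, operation and result; args keep any further "|"
    parts = [p.strip() for p in m.group("msg").split("|", n + 2)]
    if len(parts) < n + 3:
        return None  # truncated record or a different prefix in use
    rec = dict(zip(PREFIX_FIELDS, parts))
    rec.update(ts=m.group("ts"), op=parts[n], result=parts[n + 1], args=parts[n + 2])
    return rec

def split_log(lines):
    """Separate audit records from lines other programs wrote to the same file."""
    audit, other = [], {}
    for line in lines:
        rec = parse_audit_line(line)
        if rec:
            audit.append(rec)
            continue
        m = SYSLOG_RE.match(line)
        prog = m.group("prog") if m else "unparsed"
        other[prog] = other.get(prog, 0) + 1
    return audit, other

if __name__ == "__main__":
    records, others = split_log(SAMPLE)
    for r in records:
        print(r["ts"], r["user"], r["client_ip"], r["share"], r["op"], r["result"])
    print("non-audit lines by program:", others)
```

A user or machine name that itself contains "|" would shift the fields; a different prefix separator avoids that.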
 