Syslog: Sending samba/ssh/web gui logins?

outofspace

TrueNAS 12.0-U7

I may be missing something here, but after configuring syslog on TrueNAS to send logs remotely, I don't get any useful information from it even when it's set to Info. I would like to get web interface logins, SSH logins, and Samba authentications, but so far all it outputs is random garbage about the smb daemon. I've tried turning the log level up on the SMB service itself, and still nothing about user authentications.

For some reason I can't find anything online about this.

Is there a setting I'm missing? I'm getting logs in my Graylog server, but nothing remotely useful.
 

x2desmit

I've had similar problems with looking for useful data in all of this noise. Most of the logs I've seen with SMB have nothing to do with a real user, just that a read was performed.

And it is a LOT of data.
 

x2desmit

In fact, I've had 814,000 events in the last 12 hours because of setting SMB logging to Full. I just switched it back to Normal.

If I find anything of use, such as User ID, I'll post the regex for parsing and maybe you can use it.
 