TrueNAS-12.0-U3.1 SMB full_audit

Joined
Jan 30, 2015
Messages
3
Hello there,

I have migrated from FreeNAS 11.1-U7 to TrueNAS 12.0-U3.1, but smb full_auditing is not working.

I have applied these settings:

1. Edit the file "/conf/base/etc/local/syslog-ng.conf.freenas" and add:
#
# samba activity logs
#
#
destination m_samba_audit { file("/var/log/samba4/activity.log"); };
log { source(src); filter(f_local5);destination(m_samba_audit); flags(final); };
2. Add the following lines to the aux parameters in the CIFS service (in the web GUI, for the share you want to audit):
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = rename unlink link rmdir mkdir write pwrite
full_audit:facility = LOCAL5
full_audit:priority = NOTICE
3. In the Samba sharing settings, add "full_audit" to VFS Objects.
4. For log rotation, add to "/conf/base/etc/newsyslog.conf" (example to keep logs for two years):

/var/log/samba4/activity.log 640 720 * @T00 JC

Now you can see the audit logs in "/var/log/samba4/activity.log".


But I get an error like this:

[2021/06/01 14:08:44.160889, 0] ../../source3/modules/vfs_full_audit.c:774(smb_full_audit_connect)
smb_full_audit_connect: Invalid auditing configuration. Denying access to service [SHARES] at path [/mnt/volume1/shares]
[2021/06/01 14:08:44.160918, 1] ../../source3/smbd/service.c:682(make_connection_snum)
make_connection_snum: SMB_VFS_CONNECT for service 'SHARES' at '/mnt/volume1/shares' failed: Permission denied
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
full_audit:success = rename unlink link rmdir mkdir write pwrite

Your audit parameters are invalid for this version of Samba, hence:

smb_full_audit_connect: Invalid auditing configuration. Denying access to service [SHARES] at path [/mnt/volume1/shares].

The log entry prior to this should tell you which parameter is invalid, but IIRC all of these are invalid in Samba 4.12: "rename unlink link rmdir mkdir". man vfs_full_audit should give full details.
 
Joined
Jan 30, 2015
Messages
3
Thank you for your reply. I have changed my parameters like this and the problem is solved:

full_audit:success = rename write pwrite unlinkat linkat mkdirat
 

IBCMED

Dabbler
Joined
May 18, 2022
Messages
33
Did not work. This file you reported "/var/log/samba4/activity.log", does it already exist or do you create it with this command? I didn't find the file and consequently I didn't see any audits.
 

justsomeguy

Dabbler
Joined
Mar 13, 2020
Messages
10
Did not work. This file you reported "/var/log/samba4/activity.log", does it already exist or do you create it with this command? I didn't find the file and consequently I didn't see any audits.

You've probably figured it out by now, but you probably need to reboot and it will start working. The file "/conf/base/etc/local/syslog-ng.conf.freenas" is used as the base for "/etc/local/syslog-ng.conf". If you were to edit "/etc/local/syslog-ng.conf" directly, your changes would be lost after a reboot. Not sure what the manual method is for regenerating the "/etc/local/syslog-ng.conf" like it does with a reboot.

We just got it working mostly the way we want on TrueNAS-12.0-U8.1 (Enterprise). Two nodes in HA, so we had to edit the syslog-ng.conf.freenas on both nodes.
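
An added example, not part of the thread and not TrueNAS or Samba code: with the prefix `%u|%I|%m|%S` from the first post, vfs_full_audit appends the operation, the result and the arguments to that prefix, so each record in activity.log splits into user, client IP, machine, share, operation, result and path. The Python below parses constructed sample lines in that layout, counts successful `unlinkat` calls per user and share, and lists failed operations. The syslog header layout and the `smbd_audit` program name in the sample lines are assumptions about the local syslog-ng output.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread). The syslog header and the
# "smbd_audit" program name are assumptions about the local syslog-ng output.
SAMPLE_LOG = """\
Jun  1 14:10:02 nas smbd_audit[2101]: alice|192.0.2.10|ws-alice|SHARES|mkdirat|ok|reports
Jun  1 14:10:05 nas smbd_audit[2101]: alice|192.0.2.10|ws-alice|SHARES|pwrite|ok|reports/q2.xlsx
Jun  1 14:11:40 nas smbd_audit[2177]: bob|192.0.2.23|ws-bob|SHARES|unlinkat|ok|archive/a|b.txt
Jun  1 14:11:41 nas smbd_audit[2177]: bob|192.0.2.23|ws-bob|SHARES|unlinkat|ok|archive/c.txt
Jun  1 14:11:42 nas smbd_audit[2177]: bob|192.0.2.23|ws-bob|SHARES|unlinkat|fail (Permission denied)|archive/d.txt
Jun  1 14:12:09 nas smbd_audit[2230]: carol|192.0.2.66|ws-carol|SHARES|connect|fail (Permission denied)|SHARES
Jun  1 14:12:30 nas kernel: unrelated line
"""

# Everything after "smbd_audit[pid]: " is the audit record itself.
PAYLOAD = re.compile(r"smbd_audit(?:\[\d+\])?: (.*)$")

def parse_line(line):
    """Return a dict for one audit record, or None for any other line."""
    m = PAYLOAD.search(line)
    if not m:
        return None
    # Four prefix fields (%u|%I|%m|%S), then operation and result. Split at
    # most six times so a '|' inside a file name stays in the arguments.
    parts = m.group(1).split("|", 6)
    if len(parts) < 7:
        return None
    user, ip, machine, share, op, result, args = parts
    return {"user": user, "ip": ip, "machine": machine, "share": share,
            "op": op, "ok": result == "ok", "result": result, "args": args}

def deletions_per_user(log_text):
    """Count successful unlinkat records per (user, share)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["op"] == "unlinkat" and rec["ok"]:
            counts[(rec["user"], rec["share"])] += 1
    return counts

def failures(log_text):
    """Return every record whose result field is not 'ok'."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return [r for r in recs if r and not r["ok"]]
```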
 