Log Windows user activity on Samba with a VFS module

Intro

It can be useful to trace what Windows users do on a Samba share. Let's see how to record the username, IP address, hostname, file and operation type in a log file with the full_audit VFS module.

Configuration

/etc/samba/smb.conf

[global]
   workgroup = WORKGROUP
   server string = serv
   bind interfaces only = yes
   vfs objects = full_audit
   full_audit:prefix = %u|%I|%m|%S
   full_audit:success = mkdir rename unlink rmdir pwrite
   full_audit:failure = none
   full_audit:facility = local7
   full_audit:priority = NOTICE

Configuration check and Reload services

root@host:~# testparm
root@host:~# smbcontrol all reload-config

/etc/rsyslog.conf

###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
local7.*                        /var/log/samba_vfs.log

Restart rsyslog and watch the log

root@host:~# sudo systemctl restart rsyslog
root@host:~# tail -f /var/log/samba_vfs.log
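
Once entries arrive in /var/log/samba_vfs.log, they can be parsed field by field using the prefix configured above (%u|%I|%m|%S). The script below is an added example, not part of the original page: it assumes full_audit's usual line layout (prefix|operation|ok or fail|arguments), and its function names, threshold and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches the syslog tag written by full_audit; the PID suffix is optional.
TAG = re.compile(r"smbd_audit(?:\[\d+\])?: (.*)$")
FIELDS = ("user", "ip", "host", "share", "op", "result", "args")

def parse_line(line):
    """Return a dict for one full_audit line, or None if it is not one."""
    m = TAG.search(line.rstrip("\n"))
    if not m:
        return None
    # 4 prefix fields (%u|%I|%m|%S) + operation + result; the rest is the
    # argument list, which keeps its own '|' (rename logs "old|new").
    parts = m.group(1).split("|", 6)
    if len(parts) < 6:
        return None
    parts += [""] * (7 - len(parts))
    return dict(zip(FIELDS, parts))

def destructive_counts(lines, ops=("unlink", "rmdir", "rename")):
    """Count successful delete/rename operations per (user, ip)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["op"] in ops and rec["result"] == "ok":
            counts[(rec["user"], rec["ip"])] += 1
    return counts

def flag(lines, threshold):
    """Return the (user, ip) pairs at or above the threshold, for review."""
    return sorted(k for k, n in destructive_counts(lines).items() if n >= threshold)

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    "Mar  3 10:15:02 serv smbd_audit: alice|192.168.1.20|pc-alice|data|mkdir|ok|reports",
    "Mar  3 10:15:09 serv smbd_audit: alice|192.168.1.20|pc-alice|data|pwrite|ok|reports/q1.xlsx",
    "Mar  3 10:16:40 serv smbd_audit[2211]: bob|192.168.1.31|pc-bob|data|rename|ok|a.doc|archive/a.doc",
    "Mar  3 10:16:41 serv smbd_audit[2211]: bob|192.168.1.31|pc-bob|data|unlink|ok|b.doc",
    "Mar  3 10:16:41 serv smbd_audit[2211]: bob|192.168.1.31|pc-bob|data|rmdir|ok|old",
    "Mar  3 10:17:00 serv CRON[99]: unrelated line",
]

if __name__ == "__main__":
    for key, n in destructive_counts(SAMPLE).items():
        print(key, n)
    print("flagged:", flag(SAMPLE, threshold=3))
```

To run it against the real log, pass open("/var/log/samba_vfs.log") as the lines argument, and set ops to the operation names your Samba version actually writes.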

Licence Creative Commons
This website, http://shebangthedolphins.net, is licensed to the public under a Creative Commons Attribution licence.