It could be useful to trace Windows users activity in a Samba server share environment. Let's see how to get username, ip address, hostname, file and operation type in our log file thanks to vfs module.
[global] workgroup = WORKGROUP server string = serv bind interfaces only = yes vfs objects = full_audit full_audit:prefix = %u|%I|%m|%S full_audit:success = mkdir rename unkink rmdir pwrite full_audit:failure = none full_audit:facility = local7 full_audit:priority = NOTICE
root@host:~# testparm
root@host:~# smbcontrol all reload-config
############### #### RULES #### ############### # # First some standard log files. Log by facility. # auth,authpriv.* /var/log/auth.log #*.*;auth,authpriv.none -/var/log/syslog # local7.none prevent to have local7 facility log inside syslog file *.*;auth,authpriv.none;local7.none -/var/log/syslog #cron.* /var/log/cron.log daemon.* -/var/log/daemon.log kern.* -/var/log/kern.log lpr.* -/var/log/lpr.log mail.* -/var/log/mail.log user.* -/var/log/user.log local7.* /var/log/samba_vfs.log
root@host:~# systemctl restart rsyslog
root@host:~# tail -f /var/log/samba_vfs.log
Full audit mode is pretty verbose, so the file log is gonna be huge very quickly. So I developed a script to manage it.
Works for ext4 file system only.
#! /bin/bash SDE=$(/bin/date --date='2 days ago' +%s) #two days epoch INO=$(stat -c %i /var/log/samba_vfs.log) #get inode number of /var/log/samba_vfs.log file DEV=/dev/sda1 #device where /var has been mounted CRE=$(/bin/date --date="$(/sbin/debugfs -R 'stat <"'"$INO"'">' $DEV 2>/dev/null | grep 'crtime:' | sed 's/.*-- //')" +%s) #get epoch time of last /var/log/samba_vfs.log modification A=6 B=7 if [ "$SDE" -gt "$CRE" ]; then while [ "$A" -ge 1 ]; do mv /var/log/samba_vfs."$A".gz /var/log/samba_vfs."$B".gz ((A-=1)) #ou A=$((A-1)) ((B-=1)) done gzip -c /var/log/samba_vfs.log > /var/log/samba_vfs.1.gz rm /var/log/samba_vfs.log systemctl restart rsyslog fi
0 3 * * * root /usr/local/sbin/log_samba.sh
Contact :