Samba: Logging User Activity

Ever wondered why Samba seems to log so many things, except what you’re actually interested in? So did I, and it took me a while to find out 1) that there actually is a solution and 2) how to configure it. Here’s how.

Logging what a user actually does on a share can be done with Samba’s Stackable VFS Modules, which have been available since Samba 3. Unfortunately, the page linked there does not describe the full_audit module, which I highly recommend over audit or extd_audit: I couldn’t get those modules to log simple things like a file upload by a user unless I set the VFS log level to 10, whereas full_audit writes one syslog line per operation you ask it to record.

Using the Full_audit VFS Module

If you’re running Debian unstable like I do, full_audit is included in the Samba packages installed from APT. To find out which VFS modules you have, look in /usr/lib/samba/vfs (full_audit.so should be there). Once you’re sure you have the module, configure it as follows in smb.conf, either in [global] so that it applies to every share, or in the section of the one share you want to watch:

    vfs objects = full_audit

    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = mkdir rename unlink rmdir pwrite
    full_audit:failure = none
    full_audit:facility = local7
    full_audit:priority = NOTICE

Let’s go through it one line at a time.

  • vfs objects: we’d like to use the full_audit module.
  • full_audit:prefix: every line that full_audit emits starts with this string, in which you can use Samba’s substitution variables. This one gives the username (%u), client IP address (%I), client machine name (%m) and share name (%S), separated by pipes. Note that %m is the NetBIOS name the client announces, so it is under the client’s control; %u and %I are what you should rely on when attributing an action. Also pick a separator that should not occur in file names, because you will want to split the records on it later.
  • full_audit:success: the operations that are logged when they complete successfully. unlink is a delete, mkdir and rmdir create and remove directories, rename covers renames and moves within the share, and pwrite is the write of file data, so an upload shows up as pwrite. The names are those of the VFS functions; check vfs_full_audit(8) for the list your Samba version supports, as newer releases have renamed several of them (for example to unlinkat, renameat and mkdirat). The keyword all logs every operation, but expect a lot of output, since reads and stat calls fire constantly.
  • full_audit:failure: the operations to log when they fail. Since a failure usually means nothing was changed, I found these not interesting to log. From an audit point of view they can be, though: a burst of failed unlink, rename or write calls is what a user (or malware) probing for writable places looks like, so consider listing at least the write operations here as well.
  • full_audit:facility: by default full_audit writes to syslog with the user facility, so the records end up in the general system log. Specifying a different syslog facility lets syslogd route them to a file of their own. Facilities are a fixed set defined by the syslog protocol (kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp and local0 through local7); there is no way to invent a new name, which is why local0 to local7 exist for site-specific use. Pick one nothing else on the box uses (Red Hat derived systems, for instance, already send boot messages to local7). I’ll get back to this below.
  • full_audit:priority: the severity of the generated messages, one of emerg, alert, crit, err, warning, notice, info or debug (the standard syslog levels; notice is the default). It is only a label on the message, so choose whatever your syslog rules route where you want.

Creating a Syslogd Facility

To give full_audit its own log file, route its syslog facility to that file in syslog.conf (a facility is not something you create; you only decide where its messages go). Since I had chosen local7, the rule looks like this:

    local7.*                        /var/log/samba/log.audit

This line means that all messages with facility local7, of any severity (that is what the star means), are written to /var/log/samba/log.audit. If your catch-all rule (for example the *.* or *.info line feeding /var/log/syslog) also matches local7, add local7.none to its selector so the audit records aren’t duplicated there. Finally, restart the syslogd daemon: /etc/init.d/sysklogd restart (on systems running rsyslog, put the rule in a file under /etc/rsyslog.d/ and restart rsyslog instead).

Final Words

  • When things don’t seem to be working, ensure you have restarted/reloaded syslogd and samba.
  • If there is anything bad you could say about full_audit, it would be that it can’t write its messages to the log file specified in smb.conf. I always found it very useful that Samba could log by machine name by specifying log file = /var/log/samba/log.%m, but full_audit cannot use this. Newer Samba releases do add full_audit:syslog = false, which sends the records to the normal smbd log as debug level 1 messages instead of to syslog; if you know of another way, please let me know!
  • Other references: A blog in a language I can’t read where I took the configuration part from: Monitoring Aktivitas Samba

Output Example

Here is an example of what the configuration just explained generates. After the syslog timestamp, hostname (rhino) and tag (smbd_audit) comes the prefix, then the operation, ok or fail, and the operation’s arguments; rename lists the old and the new name:

Aug 10 11:52:52 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|unlink|ok|public/Upload/hypnotoad.gif
Aug 10 11:52:59 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|pwrite|ok|public/Upload/hypnotoad.gif
Aug 10 11:53:41 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|rename|ok|public/Upload/hypnotoad.gif|public/Upload/hypnotoads.gif
Aug 10 11:53:51 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|rename|ok|public/Upload/hypnotoads.gif|public/Upload/hypnotoad.gif
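As an added example (not code from the post), here is a small Python parser for these records together with the kind of check you would actually run over them: a per-user activity summary and a detector for bursts of deletes. It assumes the prefix %u|%I|%m|%S used above and the syslog line layout shown; the lines for a user eve on 10.0.0.5 and the alert threshold are constructed for the demonstration. It also shows why the separator choice matters: a | inside a file name gets split too, which the parser repairs for single-path operations and can only flag for rename.

```python
"""Parse vfs_full_audit records with prefix %u|%I|%m|%S and look for abuse.
Added example; not part of the original post or of Samba."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# "<Mon> <day> <hh:mm:ss> <host> smbd_audit: <record>" as written by syslogd
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+smbd_audit:\s+(?P<rec>.*)$"
)
PREFIX_FIELDS = ("user", "ip", "machine", "share")   # order of %u|%I|%m|%S
SINGLE_PATH_OPS = {"mkdir", "rmdir", "unlink", "pwrite"}  # one path argument
TWO_PATH_OPS = {"rename"}                                 # old name, new name


def parse_record(line):
    """Return a dict for one smbd_audit syslog line, or None if it isn't one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    parts = m.group("rec").split("|")
    n = len(PREFIX_FIELDS)
    if len(parts) < n + 2:                     # need prefix + op + result
        return None
    rec = dict(zip(PREFIX_FIELDS, parts[:n]))
    rec["ts"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # no year in syslog
    rec["host"] = m.group("host")
    rec["op"], rec["result"] = parts[n], parts[n + 1]
    args = parts[n + 2:]
    # A '|' inside a file name was split as well. For single-path operations
    # the pieces can be glued back; for rename we can only flag the record.
    if rec["op"] in SINGLE_PATH_OPS:
        args = ["|".join(args)]
    rec["ambiguous"] = rec["op"] in TWO_PATH_OPS and len(args) != 2
    rec["args"] = args
    return rec


def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def activity_summary(records):
    """Count successful operations per (user, client IP, share)."""
    summary = defaultdict(Counter)
    for r in records:
        if r["result"] == "ok":
            summary[(r["user"], r["ip"], r["share"])][r["op"]] += 1
    return summary


def bulk_deletes(records, threshold=3, window_seconds=60):
    """(user, ip, first_ts, paths) for actors deleting >= threshold files
    within window_seconds: the shape of a ransomware run or an angry leaver.
    The threshold and window are assumptions; tune them to your share."""
    per_actor = defaultdict(list)
    for r in records:
        if r["op"] == "unlink" and r["result"] == "ok":
            per_actor[(r["user"], r["ip"])].append(r)
    hits = []
    for (user, ip), dels in per_actor.items():
        dels.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(dels)):            # sliding window over deletes
            while (dels[end]["ts"] - dels[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits.append((user, ip, dels[start]["ts"],
                             [d["args"][0] for d in dels[start:end + 1]]))
                break                            # one alert per actor
    return hits


# Constructed sample: the four lines from the post plus an invented burst of
# deletes by user 'eve' from 10.0.0.5 (one file name containing a '|') and a
# non-audit line that must be ignored.
SAMPLE_LOG = """\
Aug 10 11:52:52 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|unlink|ok|public/Upload/hypnotoad.gif
Aug 10 11:52:59 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|pwrite|ok|public/Upload/hypnotoad.gif
Aug 10 11:53:41 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|rename|ok|public/Upload/hypnotoad.gif|public/Upload/hypnotoads.gif
Aug 10 11:53:51 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|rename|ok|public/Upload/hypnotoads.gif|public/Upload/hypnotoad.gif
Aug 10 12:01:03 rhino smbd_audit: eve|10.0.0.5|EVE-PC|public|unlink|ok|public/Docs/a.doc
Aug 10 12:01:04 rhino smbd_audit: eve|10.0.0.5|EVE-PC|public|unlink|ok|public/Docs/b.doc
Aug 10 12:01:05 rhino smbd_audit: eve|10.0.0.5|EVE-PC|public|unlink|fail|public/Docs/readonly.doc
Aug 10 12:01:06 rhino smbd_audit: eve|10.0.0.5|EVE-PC|public|unlink|ok|public/Docs/c|d.doc
Aug 10 12:01:07 rhino smbd_audit: eve|10.0.0.5|EVE-PC|public|unlink|ok|public/Docs/e.doc
Aug 10 12:01:08 rhino smbd[1234]: unrelated smbd message
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for actor, ops in activity_summary(recs).items():
        print(actor, dict(ops))
    for user, ip, ts, paths in bulk_deletes(recs):
        print(f"ALERT {user}@{ip} deleted {len(paths)} files from {ts.time()}: {paths}")
```

Run it against the real file with `parse_log(open("/var/log/samba/log.audit").read())`; since syslog timestamps carry no year, the window logic is only meaningful within one rotation of the file.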

~ by moiristo on August 10, 2009.

39 Responses to “Samba: Logging User Activity”

  1. great article!
    it is that I find.

    thank you!

  2. Thanks! I needed exactly this information.

  3. Thank you man, that’s very good info :)

    I have one question… if I have multiple shared folders, how can I view in which folder the changes happened? How can I make full_audit log the working directory too?

    Thanks.

  4. nevermind… my fault:)

  5. The samba variables in full_audit:prefix are the key.. use %m or %S or so. i guess you figured this out already 🙂

  6. Thanks for the post! This is just what I’ve been looking for… for ages!

  7. Thanks, you saved my day 😉

  8. […] Samba: Logging User Activity « Moiristo’s Weblog […]

  9. Tnx 🙂

  10. Great article. Thank you very much. I was looking for such a neat solution for so long I can’t remember.

  11. hello

    thank you for the great article. I searched a long time…
    but how much performance (CPU, RAM, …) does full_audit use?
    Do you have information about this…

    thanks

  12. I don’t know actually.. I didn’t see a significant increase of cpu/ram usage of the smbd process. I must note however that this server was not excessively used, so it might be different in your case.

  13. Just perfect. Cant thank you enough.

  14. Thanks, precisely what I needed

  15. Thank you so much! I can’t wait till my users start using our new samba file server!!

    ~One toke? You poor fool! Wait till you see those goddamn bats.~

  16. […] and the full_audit:facility/priority options added to his example). Check this or tweaking details: https://moiristo.wordpress.com/2009/0…user-activity/ To generate emails when files are opened, you could create a script to run as a daemon, monitoring […]

  17. Extremely useful and straightforward article ! Thanks !

  18. I’ve noticed that when attempting to utilize these directions, it makes my file shares unable to be accessed from the workstation. Is force user the problem?

    Here is my SMB.CONF

    [global]
    workgroup = SOMETHING
    netbios name = SAMPLE
    security = share

    [data]
    comment = Data
    path = /vol1/export1
    read only = No
    force user = jv
    guest ok = yes
    group = users

    Maybe you can help?

  19. No clue actually, never heard of that problem before. I did find that there are more people having some trouble with the force user option, but I don’t know if it relates to the full_audit module. See http://ubuntuforums.org/showthread.php?t=893027

  20. https://bugzilla.samba.org/show_bug.cgi?id=8882

  21. Thanks for the info!

  22. I had a bit of trouble getting this to go. It seems with newer versions, either Samba or rsyslog is case sensitive when it comes to facility name. These instructions have all upper case for the full_audit:facility parameter, and all lower in the syslog config. rsyslogd failed to create a log file until the name was corrected in smb.conf. Hope this helps!

  23. Hey there just wanted to give you a quick heads up.
    The words in your content seem to be running off the screen in
    Safari. I’m not sure if this is a formatting issue or something to do with internet browser compatibility but I thought I’d post
    to let you know. The design look great though!
    Hope you get the problem fixed soon. Kudos

  24. @spec: Thanks for the info, I adapted the post.

    @Dylan: Thanks for noticing.. I think you mean the code block right? The template is just a default template, so it’s strange it’s not working properly. I’ll look for another template 🙂

  25. What should I check if it does not work for me? Services restarted, no errors noticed… samba 3.4.7 on two different machines (on both it doesn’t work – log.audit is empty).

  26. Thank you so much. It is really funny what samba is able to log, but how hard it is to log just human readable and useful information.

  27. Excellent article. One question:
    I am getting logs only if someone connects to the samba share using the form \\server\share
    If they use the share via a mounted drive letter I get nothing.
    Any ideas?

  28. Hi,

    your article is good but is not providing the information that I needed. Actually I am getting the log of all the subdirectories, even if I do not open them. I just need the log of the directory which I open or modify, not all the directories which reside within the samba share.

  29. Hi, this worked for me. But I need to compress the log files and send them by mail. How do I configure the log rotation?

  30. Hi,

    Thanks for the support. Also please share the parameter of mv (if a file is moved from a folder) for full_audit:success =

  31. You can add to your /etc/logrotate.d/samba :

    /var/log/samba/log.audit {
        weekly
        missingok
        rotate 7
        compress
        notifempty
        # log.audit is written by the syslog daemon, not by nmbd, so it is
        # syslogd that must reopen the file after rotation (sysklogd pid file
        # shown; rsyslog uses /var/run/rsyslogd.pid)
        postrotate
            [ ! -f /var/run/syslogd.pid ] || kill -HUP `cat /var/run/syslogd.pid`
        endscript
    }

    For weekly rotation for log.audit

  32. Hello
    Is it possible to split log files based on username?
    Thanks

  33. Hi all,
    This blog post is very outdated, but I’m leaving it here as it seems that it’s still helping people. Unfortunately I don’t maintain a server anymore, so I can’t help you with your questions. Commenting will remain enabled however, so you might get a response from a follower of this post.

  34. Ok thanks for your reply anyway 😉

  35. My up to date network outline:
    http://nadine.post1.telrock.org

  36. […] Samba: Logging User Activity !!! can be configured globally or on a specific share !!! […]

  37. Thanks for sharing, very useful indeed 🙂

  38. […] Samba: Logging User Activity […]

  39. […] on instructions found here I think you should get it to work like this, Add the following to smb.conf and restart […]
