Samba: Logging User Activity
Ever wondered why Samba seems to log so many things, except what you’re interested in? So did I, and it took me a while to find out that 1) there actually is a solution and 2) how to configure this. Here’s how.
The solution to logging what a user is actually doing can be achieved with Stackable VFS Modules, which is available since Samba 3. Unfortunately, the link there does not describe the full_audit module, which I highly recommend using instead of audit or extd_audit. The reason for this is that I couldn’t get those modules to log simple things like a file upload by a user, unless I chose VFS log level 10.
Using the Full_audit VFS Module
If you’re running Debian unstable like I do, then full_audit is included when Samba is installed from APT. To find out which modules you have, take a look in /usr/lib/samba/vfs. When you’re sure you have the module, configure it as follows in smb.conf:
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = LOCAL7
full_audit:priority = NOTICE
Let’s go through it one line at a time.
- vfs objects: we’d like to use the full_audit module.
- full_audit:prefix: Every line that full_audit outputs will be prefixed by this string, in which you can use Samba variables. This one prefixes the username, IP, machine name and share name, separated by pipes.
- full_audit:success: This specifies which actions will actually be logged when they have been completed successfully. unlink is in this case a delete action and pwrite is an upload action.
- full_audit:failure: Specifies which actions should be logged when they have resulted in a failure. Since a failure will often mean that nothing has been changed, I found that it is not interesting to log any of these actions.
- full_audit:facility: By default, full_audit will only write to the system syslog, but you can specify a different ‘syslog facility’ to write all output to a different log file. Custom syslog facilities should be named local[number], where number is a number between 0 and 7 (don’t ask me why syslogd doesn’t support any name). I’ll get back to this later.
- full_audit:priority: This line sets the severity of the log messages that are generated, like ‘notice’, ‘info’, ‘warning’, ‘debug’, ‘alert’. There are probably more, but these are the most well-known ones.
Creating a Syslogd Facility
To specify a custom log file to which full_audit should write, you should create a new syslogd facility. A facility can be described in syslog.conf. Since I had chosen the facility local7, I can add that facility to the configuration like this:
local7.* /var/log/samba/log.audit
This line means that all log messages of facility local7 will be written to /var/log/samba/log.audit. The star is needed to say that I’d like to log messages of any severity to the same log file. Finally, restart the syslogd daemon: /etc/init.d/sysklogd restart
Final Words
- When things don’t seem to be working, ensure you have restarted/reloaded syslogd and samba.
- If there is anything bad you could say about full_audit, then it would be that it can’t output log messages to the log file specified in smb.conf. I always found it very useful that Samba could log by machine name by specifying log file = /var/log/samba/log.%m, but full_audit cannot use this. If you find a way though, please let me know!
- Other references: A blog in a language I can’t read where I took the configuration part from: Monitoring Aktivitas Samba
Output Example
Here is an example of what the configuration just explained generates:
Aug 10 11:52:52 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|unlink|ok|public/Upload/hypnotoad.gif
Aug 10 11:52:59 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|pwrite|ok|public/Upload/hypnotoad.gif
Aug 10 11:53:41 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|rename|ok|public/Upload/hypnotoad.gif|public/Upload/hypnotoads.gif
Aug 10 11:53:51 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|rename|ok|public/Upload/hypnotoads.gif|public/Upload/hypnotoad.gif
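As an added example (not part of the original post), here is a small parser for the records this configuration produces, which splits the %u|%I|%m|%S prefix from the operation, result and path(s), counts successful deletes per user and share, and flags a user who deletes many files in a short window. The "alice" lines and the non-audit smbd line are constructed to exercise the parser; the prefix order is assumed to be the one from the smb.conf above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records in the format the smb.conf above emits (%u|%I|%m|%S, op, result, path(s)).
SAMPLE_LOG = """\
Aug 10 11:52:52 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|unlink|ok|public/Upload/hypnotoad.gif
Aug 10 11:52:59 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|pwrite|ok|public/Upload/hypnotoad.gif
Aug 10 11:53:41 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|rename|ok|public/Upload/hypnotoad.gif|public/Upload/hypnotoads.gif
Aug 10 12:01:03 rhino smbd_audit: alice|10.0.0.5|laptop|public|unlink|ok|docs/q1.xlsx
Aug 10 12:01:09 rhino smbd_audit: alice|10.0.0.5|laptop|public|unlink|ok|docs/q2.xlsx
Aug 10 12:01:15 rhino smbd_audit: alice|10.0.0.5|laptop|public|unlink|ok|docs/q3.xlsx
Aug 10 12:05:00 rhino smbd: this line is not an audit record and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) smbd_audit: (?P<body>.*)$")
PREFIX_FIELDS = ("user", "ip", "machine", "share")  # order fixed by full_audit:prefix = %u|%I|%m|%S

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not a full_audit record (other smbd/syslog lines are skipped)
    fields = m.group("body").split("|")
    if len(fields) < len(PREFIX_FIELDS) + 2:  # prefix, operation and result at minimum
        return None
    ev = dict(zip(PREFIX_FIELDS, fields))
    ev["op"], ev["result"], ev["args"] = fields[4], fields[5], fields[6:]  # rename carries two paths
    ev["time"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog timestamps carry no year
    return ev

def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

# Successful operations of one kind per (user, share): answers "which share did the deletes hit?"
def ops_per_user_share(events, op="unlink"):
    return Counter((e["user"], e["share"]) for e in events if e["op"] == op and e["result"] == "ok")

def burst_deleters(events, threshold=3, window_s=60):
    """Users with at least `threshold` successful unlinks inside `window_s` seconds (mass-delete signal)."""
    times = defaultdict(list)
    for e in events:
        if e["op"] == "unlink" and e["result"] == "ok":
            times[e["user"]].append(e["time"])
    hits = set()
    for user, ts in times.items():
        ts.sort()
        if any((ts[i + threshold - 1] - ts[i]).total_seconds() <= window_s
               for i in range(len(ts) - threshold + 1)):
            hits.add(user)
    return hits
```

Run it against /var/log/samba/log.audit by reading the file instead of SAMPLE_LOG; the threshold and window are tuning knobs, not a recommendation.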

great article!
it is that I find.
thank you!
Oleg Burcă said this on December 24, 2009 at 3:09 pm
Thanks! I needed exactly this information.
Alan said this on January 22, 2010 at 6:04 pm
Thank you man, that’s very gooood info :)
I have one question… if I have multiple shared folders, how can I view in which folder the changes happened? How can I make full_audit log the working directory too?
Thanks.
bogdan said this on April 17, 2010 at 7:05 pm
never mind… my fault :)
bogdan said this on April 17, 2010 at 7:10 pm
The Samba variables in full_audit:prefix are the key… use %m or %S or so. I guess you figured this out already.
moiristo said this on April 18, 2010 at 9:10 am
Thanks for the post! This is just what I’ve been looking for… for ages!
Dave said this on November 10, 2010 at 7:47 am
Thanks, you saved my day
pawwa said this on November 16, 2010 at 3:18 pm
[...] Samba: Logging User Activity « Moiristo’s Weblog [...]
SNS activities for March 7th through March 16th « Andromeda Rabbit said this on April 9, 2011 at 12:39 pm
Tnx
Sasa said this on May 19, 2011 at 12:19 pm
Great article. Thank you very much. I was looking for such a neat solution for so long I can’t remember.
DS said this on May 24, 2011 at 10:10 pm
hello
Thank you for the great article. I searched a long time….
But how much performance (CPU, RAM, ...) does full_audit use?
Have you any information about this…
thanks
Sandra said this on August 16, 2011 at 7:09 am
I don’t know actually… I didn’t see a significant increase in CPU/RAM usage of the smbd process. I must note however that this server was not excessively used, so it might be different in your case.
moiristo said this on August 16, 2011 at 8:10 am
Just perfect. Can’t thank you enough.
marcelo said this on September 27, 2011 at 3:50 am
Thanks, precisely what I needed
Carsten Jensen said this on October 31, 2011 at 3:54 pm
Thank you so much! I can’t wait till my users start using our new samba file server!!
~One toke? You poor fool! Wait till you see those goddamn bats.~
Dan said this on January 13, 2012 at 12:15 am