Samba: Logging User Activity
Ever wondered why Samba seems to log so many things, except what you’re interested in? So did I, and it took me a while to find out that 1) there actually is a solution and 2) how to configure it. Here’s how.
Logging what a user is actually doing can be achieved with stackable VFS modules, which have been available since Samba 3. Unfortunately, the documentation linked there does not describe the full_audit module, which I highly recommend using instead of audit or extd_audit: I couldn’t get those modules to log simple things like a file upload by a user unless I raised the VFS log level to 10.
Using the Full_audit VFS Module
If you’re running Debian unstable like I do, full_audit is included in the Samba packages installed from APT. To find out which modules you have, look in /usr/lib/samba/vfs (the module is full_audit.so). Once you’re sure you have it, configure it in smb.conf as follows, either in [global] to audit every share or inside a share section to audit only that share:
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE
Let’s go through it one line at a time.
- vfs objects: load the full_audit module. Several modules may be listed here, separated by spaces.
- full_audit:prefix: every record that full_audit writes is prefixed by this string, in which the usual Samba substitutions can be used. This one prints the username, client IP, client machine name and share name, separated by pipes. The rest of each record is also pipe-separated (operation, result, argument), so keeping the same separator in the prefix makes the lines easy to parse.
- full_audit:success: the operations that are logged when they complete successfully. unlink is a delete and pwrite is a write, so an upload shows up as pwrite records; note that every write call is logged, so a large file may produce many pwrite lines. The keywords all and none are also accepted.
- full_audit:failure: the operations that are logged when they fail. Since a failure usually means that nothing has been changed, I chose not to log any of these (none). If you are auditing for permission abuse rather than for changes, failed operations are of course exactly the interesting ones.
- full_audit:facility: full_audit always writes to syslog, by default under the user facility; specifying a different syslog facility lets you route its output to a separate log file. syslog does not allow arbitrary facility names: the eight facilities reserved for local use are local0 through local7, so pick one of those that nothing else on the host is already using. I’ll get back to this below.
- full_audit:priority: the severity of the generated messages. The syslog severities are emerg, alert, crit, err, warning, notice, info and debug; notice or info is the usual choice for audit records.
Creating a Syslogd Facility
To send full_audit’s records to a log file of their own, add a rule to the syslog configuration that routes the chosen facility to that file: /etc/syslog.conf for sysklogd, or /etc/rsyslog.conf (or a file under /etc/rsyslog.d/) for rsyslog. Since I chose the facility local7, the rule is:
local7.* /var/log/samba/log.audit
This line means that all messages with facility local7 are written to /var/log/samba/log.audit; the asterisk selects messages of any severity. Make sure the facility is spelled the same way in both places (a LOCAL7 in smb.conf and a local7 in the syslog rule is a classic source of trouble). Finally, restart the syslog daemon (/etc/init.d/sysklogd restart, or /etc/init.d/rsyslog restart on rsyslog) and reload Samba so that new connections pick up the vfs objects setting.
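Because the module is configured in one file and routed in another, it is easy to end up with a share that is not audited or whose records go nowhere. The following is an added example (my own code, not from the original post or from Samba) that parses a minimal smb.conf of the shape shown on this page, resolves the effective full_audit options for one share the way Samba does (share values override [global] ones), and checks that the chosen facility has a syslog rule, comparing names case-insensitively. Both configs in it are constructed for the demo, and /srv/samba/public is a made-up path.

```python
"""Check that a share's vfs_full_audit settings match the syslog rule.

Added example; not code from the original post or from Samba. Parses a
minimal smb.conf, resolves the full_audit options for one share ([global]
values overridden by the share's own), and verifies that the facility is
routed by a classic syslog.conf/rsyslog selector line. Both configs below
are constructed for the demo.
"""
import re

SMB_CONF = """
[global]
   workgroup = EXAMPLE
   log file = /var/log/samba/log.%m

[public]
   path = /srv/samba/public
   read only = no
   vfs objects = full_audit
   full_audit:prefix = %u|%I|%m|%S
   full_audit:success = mkdir rename unlink rmdir pwrite
   full_audit:failure = none
   full_audit:facility = LOCAL7
   full_audit:priority = NOTICE
"""

SYSLOG_CONF = """
# audit records go to their own file
local7.*    /var/log/samba/log.audit
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; sections and parameters lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf


def resolve(conf, share):
    """Effective parameters for `share`: [global] values, overridden per share."""
    merged = dict(conf.get("global", {}))
    merged.update(conf.get(share.lower(), {}))
    return merged


def routed_facilities(syslog_text):
    """Facilities (lower-cased) that classic selector lines give a destination.

    Understands `fac.pri`, `fac1,fac2.pri`, `fac.*` and `*.pri`, joined by ';'.
    `.none` selectors only exclude, so they are skipped; rsyslog's RainerScript
    syntax is not handled.
    """
    facs = set()
    for raw in syslog_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for part in line.split()[0].split(";"):
            fac_part, _, pri = part.rpartition(".")
            if not fac_part or pri == "none":
                continue
            facs.update(f.strip().lower() for f in fac_part.split(","))
    return facs


def check_audit(conf, share, syslog_text):
    """Problems that would leave `share` unaudited or its records unrouted."""
    p = resolve(conf, share)
    problems = []
    if "full_audit" not in p.get("vfs objects", "").split():
        problems.append("vfs objects does not load full_audit")
    # With full_audit:success unset (the module's default is none) nothing is recorded.
    if p.get("full_audit:success", "none").lower() == "none":
        problems.append("full_audit:success is unset or none, so no successful operation is recorded")
    # full_audit logs under the user facility when none is configured.
    facility = p.get("full_audit:facility", "user").lower()
    routed = routed_facilities(syslog_text)
    if facility not in routed and "*" not in routed:
        problems.append(f"facility {facility} has no syslog rule")
    return problems


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    print(check_audit(conf, "public", SYSLOG_CONF) or "audit config OK")
```

Run it against your real files by replacing the two embedded strings with the contents of smb.conf and the syslog rule file; an empty list means the share loads the module, records something, and has a rule that catches its facility.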
Final Words
- When things don’t seem to be working, make sure you have restarted or reloaded both syslogd and Samba.
- If there is anything bad to say about full_audit, it is that it cannot write to the log file specified in smb.conf. I always found it very useful that Samba could log per machine with log file = /var/log/samba/log.%m, but full_audit cannot use this. If you find a way, please let me know! (Later Samba releases added a full_audit:syslog = no option that sends the records to the smbd log instead of syslog, but the version used here has no such option.)
- Other references: a blog in a language I can’t read, from which I took the configuration part: Monitoring Aktivitas Samba (Indonesian for “Monitoring Samba Activity”).
Output Example
Here is an example of what the configuration just explained generates:
Aug 10 11:52:52 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|unlink|ok|public/Upload/hypnotoad.gif
Aug 10 11:52:59 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|pwrite|ok|public/Upload/hypnotoad.gif
Aug 10 11:53:41 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|rename|ok|public/Upload/hypnotoad.gif|public/Upload/hypnotoads.gif
Aug 10 11:53:51 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|rename|ok|public/Upload/hypnotoads.gif|public/Upload/hypnotoad.gif
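Once the records land in a file, the obvious next step is to do something with them. The following is an added example (my own code, not part of the original post or of Samba) that parses records in the layout shown above, assuming the prefix from this page (%u|%I|%m|%S) followed by operation, ok or fail, and the pipe-separated arguments (two for rename). It summarises who did what and flags bursts of deletions, the pattern of both an accidental folder wipe and a ransomware-style run. The log lines in it are constructed for the demo; the hosts, users and paths are made up.

```python
"""Parse vfs_full_audit records and flag mass deletions.

Added example; not code from the original post or from Samba. Assumes
full_audit:prefix = %u|%I|%m|%S and the classic syslog line layout; the
sample lines are constructed for the demo.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Aug 10 11:52:52 rhino smbd_audit: moiristo|10.0.0.5|ws05|public|unlink|ok|Upload/hypnotoad.gif
Aug 10 11:52:59 rhino smbd_audit: moiristo|10.0.0.5|ws05|public|pwrite|ok|Upload/hypnotoad.gif
Aug 10 11:53:41 rhino smbd_audit: moiristo|10.0.0.5|ws05|public|rename|ok|Upload/hypnotoad.gif|Upload/hypnotoads.gif
Aug 10 12:01:03 rhino smbd_audit: mallory|10.0.0.7|ws07|public|unlink|ok|Finance/q1.xlsx
Aug 10 12:01:05 rhino smbd_audit: mallory|10.0.0.7|ws07|public|unlink|ok|Finance/q2.xlsx
Aug 10 12:01:06 rhino smbd_audit: mallory|10.0.0.7|ws07|public|unlink|ok|Finance/q3.xlsx
Aug 10 12:01:09 rhino smbd_audit: mallory|10.0.0.7|ws07|public|unlink|ok|Finance/q4.xlsx
Aug 10 12:01:12 rhino smbd_audit: mallory|10.0.0.7|ws07|public|unlink|ok|Finance/budget.docx
Aug 10 12:05:00 rhino smbd_audit: mallory|10.0.0.7|ws07|public|mkdir|ok|Finance/old
Aug 10 12:30:00 rhino ntpd[1234]: synchronized to 10.0.0.1, stratum 2
"""

# syslog header, the smbd_audit ident, the four prefix fields, then the
# operation, its result and the remaining pipe-separated arguments.
_RECORD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) smbd_audit: "
    r"(?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<machine>[^|]*)\|(?P<share>[^|]*)\|"
    r"(?P<op>[^|]+)\|(?P<result>ok|fail)(?:\|(?P<args>.*))?$"
)


def parse_line(line, year=2009):
    """Return a dict for one audit record, or None for any other syslog line.

    Classic syslog timestamps carry no year, so the caller supplies it.
    """
    m = _RECORD.match(line)
    if not m:
        return None
    d = m.groupdict()
    stamp = " ".join(d["ts"].split())  # collapse "Aug  1" to "Aug 1"
    d["ts"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    d["args"] = d["args"].split("|") if d["args"] is not None else []
    return d


def parse_log(text, year=2009):
    """All audit records in `text`, in file order; non-audit lines are skipped."""
    return [r for r in (parse_line(line, year) for line in text.splitlines()) if r]


def ops_by_user(records):
    """{user: Counter of successful operations}: a quick who-did-what view."""
    summary = defaultdict(Counter)
    for r in records:
        if r["result"] == "ok":
            summary[r["user"]][r["op"]] += 1
    return summary


def mass_deletions(records, threshold=5, window_seconds=60):
    """Flag (user, share) pairs with `threshold` or more successful unlinks
    inside any `window_seconds` interval; returns the largest burst per pair.
    """
    times = defaultdict(list)
    for r in records:
        if r["op"] == "unlink" and r["result"] == "ok":
            times[(r["user"], r["share"])].append(r["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for key, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window's left edge
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                flagged[key] = max(flagged.get(key, 0), burst)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, ops in ops_by_user(recs).items():
        print(user, dict(ops))
    for (user, share), n in mass_deletions(recs).items():
        print(f"ALERT: {user} deleted {n} files on share {share} within 60s")
```

The threshold and window are deliberately parameters: a share used for build output will see far more legitimate deletes per minute than a finance share, so tune them per share rather than globally. Because full_audit:failure = none in the configuration above, no fail records appear in the sample; the parser accepts them anyway.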

Great article!
It is what I was looking for.
Thank you!
Oleg Burcă said this on December 24, 2009 at 3:09 pm
Thanks! I needed exactly this information.
Alan said this on January 22, 2010 at 6:04 pm
Thank you man, that’s very good info :)
I have one question… if I have multiple shared folders, how can I see in which folder the changes happened? How can I make full_audit log the working directory too?
Thanks.
bogdan said this on April 17, 2010 at 7:05 pm
Never mind… my fault :)
bogdan said this on April 17, 2010 at 7:10 pm
The Samba variables in full_audit:prefix are the key.. use %m or %S or so. I guess you figured this out already.
moiristo said this on April 18, 2010 at 9:10 am
Thanks for the post! This is just what I’ve been looking for… for ages!
Dave said this on November 10, 2010 at 7:47 am
Thanks, you saved my day
pawwa said this on November 16, 2010 at 3:18 pm
[...] Samba: Logging User Activity « Moiristo’s Weblog [...]
SNS activities for March 7th through March 16th « Andromeda Rabbit said this on April 9, 2011 at 12:39 pm
Tnx
Sasa said this on May 19, 2011 at 12:19 pm
Great article. Thank you very much. I was looking for such a neat solution for so long I can’t remember.
DS said this on May 24, 2011 at 10:10 pm
Hello,
thank you for the great article. I searched for a long time….
But how much performance (CPU, RAM, …) does full_audit use?
Do you have any information about this…
Thanks
Sandra said this on August 16, 2011 at 7:09 am
I don’t know actually.. I didn’t see a significant increase in CPU/RAM usage of the smbd process. I must note however that this server was not excessively used, so it might be different in your case.
moiristo said this on August 16, 2011 at 8:10 am
Just perfect. Can’t thank you enough.
marcelo said this on September 27, 2011 at 3:50 am
Thanks, precisely what I needed
Carsten Jensen said this on October 31, 2011 at 3:54 pm
Thank you so much! I can’t wait till my users start using our new samba file server!!
~One toke? You poor fool! Wait till you see those goddamn bats.~
Dan said this on January 13, 2012 at 12:15 am
[...] and the full_audit:facility/priority options added to his example). Check this or tweaking details: http://moiristo.wordpress.com/2009/0…user-activity/ To generate emails when files are opened, you could create a script to run as a daemon, monitoring [...]
how to check who's accessing samba shared folder from windows - Page 2 said this on April 30, 2012 at 4:19 pm
Extremely useful and straightforward article ! Thanks !
Pagaille said this on May 9, 2012 at 3:51 pm
I’ve noticed that when attempting to use these directions, my file shares become inaccessible from the workstation.. Is force user the problem?
Here is my smb.conf:
[global]
workgroup = SOMETHING
netbios name = SAMPLE
security = share
[data]
comment = Data
path = /vol1/export1
read only = No
force user = jv
guest ok = yes
group = users
Maybe you can help?
Herb Berkley said this on June 18, 2012 at 3:29 pm
No clue actually, never heard of that problem before. I did find that there are more people having some trouble with the force user option, but I don’t know if it relates to the full_audit module. See http://ubuntuforums.org/showthread.php?t=893027
moiristo said this on June 18, 2012 at 3:56 pm
https://bugzilla.samba.org/show_bug.cgi?id=8882
Herb Berkley said this on June 18, 2012 at 6:00 pm
Thanks for the info!
moiristo said this on June 18, 2012 at 6:11 pm
I had a bit of trouble getting this to go. It seems with newer versions, either Samba or rsyslog is case sensitive when it comes to facility name. These instructions have all upper case for the full_audit:facility parameter, and all lower in the syslog config. rsyslogd failed to create a log file until the name was corrected in smb.conf. Hope this helps!
spec said this on September 14, 2012 at 2:41 am
Hey there just wanted to give you a quick heads up.
The words in your content seem to be running off the screen in
Safari. I’m not sure if this is a formatting issue or something to do with internet browser compatibility but I thought I’d post
to let you know. The design looks great though!
Hope you get the problem fixed soon. Kudos
Dylan said this on January 20, 2013 at 3:02 pm
@spec: Thanks for the info, I adapted the post.
@Dylan: Thanks for noticing.. I think you mean the code block right? The template is just a default template, so it’s strange it’s not working properly. I’ll look for another template
moiristo said this on January 24, 2013 at 9:42 am