Samba: Logging User Activity

Ever wondered why Samba seems to log so many things, except what you’re interested in? So did I, and it took me a while to find out that 1) there actually is a solution and 2) how to configure it. Here’s how.

Logging what a user is actually doing can be achieved with Stackable VFS Modules, which have been available since Samba 3. Unfortunately, the page linked there does not describe the full_audit module, which I highly recommend using instead of audit or extd_audit. The reason is that I couldn’t get those modules to log simple things like a file upload by a user unless I chose VFS log level 10.

Using the Full_audit VFS Module

If you’re running Debian unstable like I do, then full_audit is included when Samba is installed from APT. To find out which modules you have, take a look in /usr/lib/samba/vfs. When you’re sure you have the module, configure it as follows in smb.conf (globally or per share):

    vfs objects = full_audit

    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = mkdir rename unlink rmdir pwrite
    full_audit:failure = none
    full_audit:facility = local7
    full_audit:priority = NOTICE

Let’s go through it one line at a time.

  • vfs objects: we’d like to use the full_audit module.
  • full_audit:prefix: Every line that full_audit outputs will be prefixed by this string, in which you can use Samba variables. This prefix contains the username, client IP, machine name and share name, separated by pipes.
  • full_audit:success: This specifies which operations are logged when they complete successfully. In this case unlink is a delete and pwrite is an upload (a write to a file).
  • full_audit:failure: Specifies which operations should be logged when they fail. Since a failure usually means that nothing has been changed, I found it not interesting to log any of these.
  • full_audit:facility: By default, full_audit writes to the system syslog using the default facility, but you can specify a different syslog facility to send all output to a separate log file. Custom syslog facilities must be named local[number], where number is between 0 and 7 (don’t ask me why syslogd doesn’t support arbitrary names). I’ll get back to this later.
  • full_audit:priority: This sets the severity of the generated log messages, such as ‘notice’, ‘info’, ‘warning’, ‘debug’ or ‘alert’. There are more, but these are the most well-known ones.

Creating a Syslogd Facility

To send full_audit output to a custom log file, you direct the chosen facility to that file in syslog.conf. Since I had chosen the facility local7, I add a line for it like this:

local7.*                        /var/log/samba/log.audit

This line means that all log messages with facility local7 will be written to /var/log/samba/log.audit. The star says that I’d like messages of any severity to go to the same log file. Finally, restart the syslogd daemon: /etc/init.d/sysklogd restart

Final Words

  • When things don’t seem to be working, ensure you have restarted/reloaded syslogd and samba.
  • If there is anything bad you could say about full_audit, then it would be that it can’t output log messages to the log file specified in smb.conf. I always found it very useful that Samba could log by machine name by specifying log file = /var/log/samba/log.%m, but full_audit cannot use this. If you find a way though, please let me know!
  • Other references: A blog in a language I can’t read where I took the configuration part from: Monitoring Aktivitas Samba

Output Example

Here is an example of what the configuration just explained generates:

Aug 10 11:52:52 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|unlink|ok|public/Upload/hypnotoad.gif
Aug 10 11:52:59 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|pwrite|ok|public/Upload/hypnotoad.gif
Aug 10 11:53:41 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|rename|ok|public/Upload/hypnotoad.gif|public/Upload/hypnotoads.gif
Aug 10 11:53:51 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|rename|ok|public/Upload/hypnotoads.gif|public/Upload/hypnotoad.gif
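To make these lines useful for review, they have to be split back into the fields the prefix puts there. The following parser is an added example (not part of the original post): it handles the %u|%I|%m|%S prefix configured above, skips non-audit syslog lines, keeps both paths of a rename, and summarises successful operations and deletions per user. The first four sample lines are the post’s own output; the fifth is a constructed non-audit line.

```python
"""Parse Samba full_audit syslog lines written with the prefix %u|%I|%m|%S.
Added example, not code from the post; field names are my own choice."""
import re
from collections import Counter

# sysklogd/rsyslog header, then the smbd_audit tag, then the pipe-delimited body
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"smbd_audit: (?P<body>.*)$")

# First four lines: the post's output example. Fifth: constructed unrelated
# smbd message, to show that non-audit lines are skipped rather than misparsed.
SAMPLE_LOG = """\
Aug 10 11:52:52 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|unlink|ok|public/Upload/hypnotoad.gif
Aug 10 11:52:59 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|pwrite|ok|public/Upload/hypnotoad.gif
Aug 10 11:53:41 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|rename|ok|public/Upload/hypnotoad.gif|public/Upload/hypnotoads.gif
Aug 10 11:53:51 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|rename|ok|public/Upload/hypnotoads.gif|public/Upload/hypnotoad.gif
Aug 10 11:54:00 rhino smbd[1234]: constructed unrelated message
"""


def parse_audit_line(line):
    """Return a dict for one full_audit line, or None for any other syslog line."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    fields = m.group("body").split("|")
    if len(fields) < 6:          # 4 prefix fields + operation + ok/fail at minimum
        return None
    user, ip, machine, share, op, result = fields[:6]
    return {"timestamp": m.group("ts"), "host": m.group("host"),
            "user": user, "ip": ip, "machine": machine, "share": share,
            "op": op, "ok": result == "ok",
            "args": fields[6:]}   # rename carries source and destination path


def parse_log(text):
    return [e for e in map(parse_audit_line, text.splitlines()) if e]


def ops_per_user(events):
    """Successful operations per user, e.g. {'moiristo': Counter({'rename': 2, ...})}."""
    summary = {}
    for e in events:
        if e["ok"]:
            summary.setdefault(e["user"], Counter())[e["op"]] += 1
    return summary


def deleted_paths(events):
    """Paths removed by a successful unlink/rmdir, with who did it and from which IP."""
    return [(e["user"], e["ip"], e["args"][0])
            for e in events if e["ok"] and e["op"] in ("unlink", "rmdir")]
```

Point parse_log at the contents of /var/log/samba/log.audit to get the same summary for a real day of activity.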

~ by moiristo on August 10, 2009.

30 Responses to “Samba: Logging User Activity”

  1. great article!
    it is that I find.

    thank you!

  2. Thanks! I needed exactly this information.

  3. Thank you man, that’s very good info :)

    I have one question… if I have multiple shared folders, how can I see in which folder the changes happened? How can I make full_audit log the working directory too?

    Thanks.

  4. nevermind… my fault:)

  5. The samba variables in full_audit:prefix are the key.. use %m or %S or so. i guess you figured this out already :)

  6. Thanks for the post! This is just what I’ve been looking for… for ages!

  7. Thanks, you saved my day ;-)

  8. [...] Samba: Logging User Activity « Moiristo’s Weblog [...]

  9. Tnx :)

  10. Great article. Thank you very much. I was looking for such a neat solution for so long I can’t remember.

  11. hello

    thank you for the great article. I searched a long time….
    but how much performance (CPU, RAM, ..) does full_audit use?
    do you have information about this…

    thanks

  12. I don’t know actually.. I didn’t see a significant increase of cpu/ram usage of the smbd process. I must note however that this server was not excessively used, so it might be different in your case.

  13. Just perfect. Can’t thank you enough.

  14. Thanks, precisely what I needed

  15. Thank you so much! I can’t wait till my users start using our new samba file server!!

    ~One toke? You poor fool! Wait till you see those goddamn bats.~

  16. [...] and the full_audit:facility/priority options added to his example). Check this or tweaking details: http://moiristo.wordpress.com/2009/0…user-activity/ To generate emails when files are opened, you could create a script to run as a daemon, monitoring [...]

  17. Extremely useful and straightforward article ! Thanks !

  18. I’ve noticed that when attempting to utilize these directions, it makes my file shares unable to be accessed from the workstation. Is force user the problem?

    Here is my SMB.CONF

    [global]
    workgroup = SOMETHING
    netbios name = SAMPLE
    security = share

    [data]
    comment = Data
    path = /vol1/export1
    read only = No
    force user = jv
    guest ok = yes
    group = users

    Maybe you can help?

  19. No clue actually, never heard of that problem before. I did find that there are more people having some trouble with the force user option, but I don’t know if it relates to the full_audit module. See http://ubuntuforums.org/showthread.php?t=893027

  20. https://bugzilla.samba.org/show_bug.cgi?id=8882

  21. Thanks for the info!

  22. I had a bit of trouble getting this to go. It seems with newer versions, either Samba or rsyslog is case sensitive when it comes to facility name. These instructions have all upper case for the full_audit:facility parameter, and all lower in the syslog config. rsyslogd failed to create a log file until the name was corrected in smb.conf. Hope this helps!

  23. Hey there just wanted to give you a quick heads up.
    The words in your content seem to be running off the screen in
    Safari. I’m not sure if this is a formatting issue or something to do with internet browser compatibility but I thought I’d post
    to let you know. The design look great though!
    Hope you get the problem fixed soon. Kudos

  24. @spec: Thanks for the info, I adapted the post.

    @Dylan: Thanks for noticing.. I think you mean the code block right? The template is just a default template, so it’s strange it’s not working properly. I’ll look for another template :)

  25. What should I check if it does not work for me? Services restarted, no errors noticed… samba 3.4.7 on two different machines (on both it doesn’t work – log.audit is empty).

  26. Thankfulness to my father who shared with me regarding this webpage,
    this weblog is truly remarkable.

  27. My brother suggested I might like this web site.

    He was totally right. This post actually made my day.

    You can not imagine just how much time I had spent for this information!
    Thanks!

  28. I wanted to tell you that I normally visit this blog via my
    iphone, when I’m on the bus to work, and it’s one of the
    very few blogs that I’ve come across that look good on smart phones, and that’s truly admirable.

  29. Thank you so much. It is really funny what samba is able to log, but how hard it is to log just human-readable and useful information.

  30. Excellent article. One question:
    I am getting logs only if someone connects to the samba share using the form \\server\share
    If they use the share via a mounted drive letter I get nothing.
    Any ideas?
