Samba: Logging User Activity

Ever wondered why Samba seems to log so many things, except what you’re interested in? So did I, and it took me a while to find out that 1) there actually is a solution and 2) how to configure this. Here’s how.

The solution to logging what a user is actually doing can be achieved with Stackable VFS Modules, which is available since Samba 3. Unfortunately, the link there does not describe the full_audit module, which I highly recommend using instead of audit or extd_audit. The reason for this is that I couldn’t get those modules to log simple things like a file upload by a user, unless I chose VFS log level 10.

Using the Full_audit VFS Module

If you’re running Debian unstable like I do, then full_audit is included when installed from the APT. To find out which modules you have, take a look in /usr/lib/samba/vfs. When you’re sure you have the module, configure it as follows in smb.conf:

    vfs objects = full_audit

    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = mkdir rename unlink rmdir pwrite
    full_audit:failure = none
    full_audit:facility = local7
    full_audit:priority = NOTICE

Let’s go through it one line at a time.

  • vfs objects: we’d like to use the full_audit module.
  • full_audit:prefix: Every line that full_audit outputs will be prefixed by this line, in which you can use Samba variables. This line will prefix the username, IP, machine name and share name, separated by pipes.
  • full_audit:success: This specifies which actions will actually be logged when it has successfully been completed. unlink is in this case a delete action and pwrite is an upload action.
  • full_audit:failure: Specifies which actions should be logged, but which have resulted in a failure. Since a failure will often mean that nothing has been changed, I found that it is not interesting to log any of these actions.
  • full_audit:facility: By default, full_audit will only write to the system syslog, but you can specify a different ‘syslog facility’ to write all output to a different log file. Custom syslog facilities should be named local[number], where number is a number between 0 and 7 (don’t ask me why syslogd doesn’t support any name). I’ll get back on this later.
  • full_audit:priority: This line sets the severity of the log messages that are generated, like ‘notice’, ‘info’, ‘warning’, ‘debug’, ‘alert’. There are probably more, but these are the most well-known ones.

Creating a Syslogd Facility

To specify a custom log file to which full_audit should write, you should create a new syslogd facility. A facility can be described in syslog.conf. Since I had chosen the facility local7, I can add that facility to the configuration like this:

local7.*                        /var/log/samba/log.audit

This line means that all log messages of facility local7 will be written to /var/log/samba/log.audit. The star is needed to say that I’d like to log messages of any severity to the same log file. Finally, restart the syslogd daemon: /etc/init.d/sysklogd restart

Final Words

  • When things don’t seem to be working, ensure you have restarted/reloaded syslogd and samba.
  • If there is anything bad you could say about full_audit, then it would be that it can’t output log messages to the log file specified in smb.conf. I always found it very useful that Samba could log by machine name by specifying log file = /var/log/samba/log.%m, but full_audit cannot use this. If you find a way though, please let me know!
  • Other references: A blog in a language I can’t read where I took the configuration part from: Monitoring Aktivitas Samba

Output Example

Here is an example of what the configuration just explained generates:

Aug 10 11:52:52 rhino smbd_audit: moiristo||moiristo|moiristo|unlink|ok|public/Upload/hypnotoad.gif
Aug 10 11:52:59 rhino smbd_audit: moiristo||moiristo|moiristo|pwrite|ok|public/Upload/hypnotoad.gif
Aug 10 11:53:41 rhino smbd_audit: moiristo||moiristo|moiristo|rename|ok|public/Upload/hypnotoad.gif|public/Upload/hypnotoads.gif
Aug 10 11:53:51 rhino smbd_audit: moiristo||moiristo|moiristo|rename|ok|public/Upload/hypnotoads.gif|public/Upload/hypnotoad.gif

~ by moiristo on August 10, 2009.

36 Responses to “Samba: Logging User Activity”

  1. great article!
    it is that I find.

    thank you!

  2. Thanks! I needed exactly this information.

  3. Thatk you man, that’s a very gooood info:)

    I have one question… if i have multiple shared folders, how can i view in what folder did the changes happens? how can i make full_audit to log the workig directory too?


  4. nevermind… my fault:)

  5. The samba variables in full_audit:prefix are the key.. use %m or %S or so. i guess you figured this out already 🙂

  6. Thanks for the post! This is just what I’ve been looking for… for ages!

  7. Thanks, you saved my day 😉

  8. […] Samba: Logging User Activity « Moiristo’s Weblog […]

  9. Tnx 🙂

  10. Great article. Thank you very much. I was looking for such a neat solution for so long I can’t remember.

  11. hello

    thank you for the great articel. i search a long time….
    but how many perf. ( cpu, ram,.. ) use the full_audit.
    have you information about this…


  12. I don’t know actually.. I didn’t see a significant increase of cpu/ram usage of the smbd process. I must note however that this server was not excessively used, so it might be different in your case.

  13. Just perfect. Cant thank you enough.

  14. Thanks, precisely what I needed

  15. Thank you so much! I can’t wait till my users start using our new samba file server!!

    ~One toke? You poor fool! Wait till you see those goddamn bats.~

  16. […] and the full_audit:facility/priority options added to his example). Check this or tweaking details:…user-activity/ To generate emails when files are opened, you could create a script to run as a daemon, monitoring […]

  17. Extremely useful and straightforward article ! Thanks !

  18. I’ve noticed that when attempting to utilize these directions.. It makes my file shares unable to be accessed from the workstation.. Force user is the problem?

    Here is my SMB.CONF

    workgroup = SOMETHING
    netbios name = SAMPLE
    security = share

    comment = Data
    path = /vol1/export1
    read only = No
    force user = jv
    guest ok = yes
    group = users

    Maybe you can help?

  19. No clue actually, never heard of that problem before. I did find that there are more people having some trouble with the force user option, but I don’t know if it relates to the full_audit module. See


  21. Thanks for the info!

  22. I had a bit of trouble getting this to go. It seems with newer versions, either Samba or rsyslog is case sensitive when it comes to facility name. These instructions have all upper case for the full_audit:facility parameter, and all lower in the syslog config. rsyslogd failed to create a log file until the name was corrected in smb.conf. Hope this helps!

  23. Hey there just wanted to give you a quick heads up.
    The words in your content seem to be running off the screen in
    Safari. I’m not sure if this is a formatting issue or something to do with internet browser compatibility but I thought I’d post
    to let you know. The design look great though!
    Hope you get the problem fixed soon. Kudos

  24. @spec: Thanks for the info, I adapted the post.

    @Dylan: Thanks for noticing.. I think you mean the code block right? The template is just a default template, so it’s strange it’s not working properly. I’ll look for another template 🙂

  25. What I should check if it does not work to me? Services restarted, no errors noticed… samba 3.4.7 on two different machines (on both doesn’t work – log.audit is empty).

  26. Thank you so much. It is really funny what samba is able to log, but how hard is to log just human readable and useful information.

  27. Excellent article. One question:
    I am getting logs only if someone connects to the samba share using the form \\server\share
    If they use the share via a mounted drive letter I get nothing.
    Any ideas?

  28. Hi,

    your article is good but not providing the infomation that I needed. Actually I am getting the log of all the subdirectories, even If i do not open them.I just need the log of the directory which I open or modify, not all the directories which resides within samba share.

  29. Hi This is worked for me. But i need to compressed log files send to mail. how to configure the log rotation.

  30. Hi,

    Thanks For support. also pls share parameter of mv (if file move from folder) full_audit:success =

  31. You can add to your /etc/logrotate.d/samba :

    /var/log/samba/log.audit {
    rotate 7
    [ ! -f /var/run/samba/ ] || kill -HUP `cat /var/run/samba/`

    For weekly rotation for log.audit

  32. Hello
    Is it possible to split log files based on username ?

  33. Hi all,
    This blog post is very outdated, but I’m leaving it here as it seems that it’s still helping people. Unfortunately I don’t maintain a server anymore, so I can’t help you with your questions. Commenting will remain enabled however, so you might get a response from a follower of this post.

  34. Ok thanks for your reply anyway 😉

  35. My up to date network outline:

  36. […] Samba: Logging User Activity !!! можно настроить глобально или, на конкретном ресурсе !!! […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: