Samba: Logging User Activity
Ever wondered why Samba seems to log so many things, except what you’re interested in? So did I, and it took me a while to find out that 1) there actually is a solution and 2) how to configure this. Here’s how.
The solution to logging what a user is actually doing can be achieved with Stackable VFS Modules, which is available since Samba 3. Unfortunately, the link there does not describe the
full_audit module, which I highly recommend using instead of
extd_audit. The reason for this is that I couldn’t get those modules to log simple things like a file upload by a user, unless I chose VFS log level 10.
Using the Full_audit VFS Module
If you’re running Debian unstable like I do, then full_audit is included when installed from the APT. To find out which modules you have, take a look in
/usr/lib/samba/vfs. When you’re sure you have the module, configure it as follows in
vfs objects = full_audit full_audit:prefix = %u|%I|%m|%S full_audit:success = mkdir rename unlink rmdir pwrite full_audit:failure = none full_audit:facility = local7 full_audit:priority = NOTICE
Let’s go through it one line at a time.
vfs objects: we’d like to use the full_audit module.
full_audit:prefix: Every line that full_audit outputs will be prefixed by this line, in which you can use Samba variables. This line will prefix the username, IP, machine name and share name, separated by pipes.
full_audit:success: This specifies which actions will actually be logged when it has successfully been completed.
unlinkis in this case a delete action and
pwriteis an upload action.
full_audit:failure: Specifies which actions should be logged, but which have resulted in a failure. Since a failure will often mean that nothing has been changed, I found that it is not interesting to log any of these actions.
full_audit:facility: By default, full_audit will only write to the system syslog, but you can specify a different ‘syslog facility’ to write all output to a different log file. Custom syslog facilities should be named
numberis a number between 0 and 7 (don’t ask me why syslogd doesn’t support any name). I’ll get back on this later.
full_audit:priority: This line sets the severity of the log messages that are generated, like ‘notice’, ‘info’, ‘warning’, ‘debug’, ‘alert’. There are probably more, but these are the most well-known ones.
Creating a Syslogd Facility
To specify a custom log file to which full_audit should write, you should create a new syslogd facility. A facility can be described in syslog.conf. Since I had chosen the facility
local7, I can add that facility to the configuration like this:
This line means that all log messages of facility
local7 will be written to
/var/log/samba/log.audit. The star is needed to say that I’d like to log messages of any severity to the same log file. Finally, restart the
- When things don’t seem to be working, ensure you have restarted/reloaded syslogd and samba.
- If there is anything bad you could say about full_audit, then it would be that it can’t output log messages to the log file specified in smb.conf. I always found it very useful that Samba could log by machine name by specifying
log file = /var/log/samba/log.%m, but full_audit cannot use this. If you find a way though, please let me know!
- Other references: A blog in a language I can’t read where I took the configuration part from: Monitoring Aktivitas Samba
Here is an example of what the configuration just explained generates:
Aug 10 11:52:52 rhino smbd_audit: moiristo|22.214.171.124|moiristo|moiristo|unlink|ok|public/Upload/hypnotoad.gif Aug 10 11:52:59 rhino smbd_audit: moiristo|126.96.36.199|moiristo|moiristo|pwrite|ok|public/Upload/hypnotoad.gif Aug 10 11:53:41 rhino smbd_audit: moiristo|188.8.131.52|moiristo|moiristo|rename|ok|public/Upload/hypnotoad.gif|public/Upload/hypnotoads.gif Aug 10 11:53:51 rhino smbd_audit: moiristo|184.108.40.206|moiristo|moiristo|rename|ok|public/Upload/hypnotoads.gif|public/Upload/hypnotoad.gif