Samba: Logging User Activity

Ever wondered why Samba seems to log so many things, except what you’re interested in? So did I, and it took me a while to find out that 1) there actually is a solution and 2) how to configure this. Here’s how.

The solution to logging what a user is actually doing can be achieved with Stackable VFS Modules, which is available since Samba 3. Unfortunately, the link there does not describe the full_audit module, which I highly recommend using instead of audit or extd_audit. The reason for this is that I couldn’t get those modules to log simple things like a file upload by a user, unless I chose VFS log level 10.

Using the Full_audit VFS Module

If you’re running Debian unstable like I do, then full_audit is included when installed from the APT. To find out which modules you have, take a look in /usr/lib/samba/vfs. When you’re sure you have the module, configure it as follows in smb.conf:

    vfs objects = full_audit

    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = mkdir rename unlink rmdir pwrite
    full_audit:failure = none
    full_audit:facility = local7
    full_audit:priority = NOTICE

Let’s go through it one line at a time.

  • vfs objects: we’d like to use the full_audit module.
  • full_audit:prefix: Every line that full_audit outputs will be prefixed by this line, in which you can use Samba variables. This line will prefix the username, IP, machine name and share name, separated by pipes.
  • full_audit:success: This specifies which actions will actually be logged when it has successfully been completed. unlink is in this case a delete action and pwrite is an upload action.
  • full_audit:failure: Specifies which actions should be logged, but which have resulted in a failure. Since a failure will often mean that nothing has been changed, I found that it is not interesting to log any of these actions.
  • full_audit:facility: By default, full_audit will only write to the system syslog, but you can specify a different ‘syslog facility’ to write all output to a different log file. Custom syslog facilities should be named local[number], where number is a number between 0 and 7 (don’t ask me why syslogd doesn’t support any name). I’ll get back on this later.
  • full_audit:priority: This line sets the severity of the log messages that are generated, like ‘notice’, ‘info’, ‘warning’, ‘debug’, ‘alert’. There are probably more, but these are the most well-known ones.

Creating a Syslogd Facility

To specify a custom log file to which full_audit should write, you should create a new syslogd facility. A facility can be described in syslog.conf. Since I had chosen the facility local7, I can add that facility to the configuration like this:

local7.*                        /var/log/samba/log.audit

This line means that all log messages of facility local7 will be written to /var/log/samba/log.audit. The star is needed to say that I’d like to log messages of any severity to the same log file. Finally, restart the syslogd daemon: /etc/init.d/sysklogd restart

Final Words

  • When things don’t seem to be working, ensure you have restarted/reloaded syslogd and samba.
  • If there is anything bad you could say about full_audit, then it would be that it can’t output log messages to the log file specified in smb.conf. I always found it very useful that Samba could log by machine name by specifying log file = /var/log/samba/log.%m, but full_audit cannot use this. If you find a way though, please let me know!
  • Other references: A blog in a language I can’t read where I took the configuration part from: Monitoring Aktivitas Samba

Output Example

Here is an example of what the configuration just explained generates:

Aug 10 11:52:52 rhino smbd_audit: moiristo||moiristo|moiristo|unlink|ok|public/Upload/hypnotoad.gif
Aug 10 11:52:59 rhino smbd_audit: moiristo||moiristo|moiristo|pwrite|ok|public/Upload/hypnotoad.gif
Aug 10 11:53:41 rhino smbd_audit: moiristo||moiristo|moiristo|rename|ok|public/Upload/hypnotoad.gif|public/Upload/hypnotoads.gif
Aug 10 11:53:51 rhino smbd_audit: moiristo||moiristo|moiristo|rename|ok|public/Upload/hypnotoads.gif|public/Upload/hypnotoad.gif

~ by moiristo on August 10, 2009.

40 Responses to “Samba: Logging User Activity”

  1. great article!
    it is that I find.

    thank you!

  2. Thanks! I needed exactly this information.

  3. Thatk you man, that’s a very gooood info:)

    I have one question… if i have multiple shared folders, how can i view in what folder did the changes happens? how can i make full_audit to log the workig directory too?


  4. nevermind… my fault:)

  5. The samba variables in full_audit:prefix are the key.. use %m or %S or so. i guess you figured this out already :)

  6. Thanks for the post! This is just what I’ve been looking for… for ages!

  7. Thanks, you saved my day ;-)

  8. […] Samba: Logging User Activity « Moiristo’s Weblog […]

  9. Tnx :)

  10. Great article. Thank you very much. I was looking for such a neat solution for so long I can’t remember.

  11. hello

    thank you for the great articel. i search a long time….
    but how many perf. ( cpu, ram,.. ) use the full_audit.
    have you information about this…


  12. I don’t know actually.. I didn’t see a significant increase of cpu/ram usage of the smbd process. I must note however that this server was not excessively used, so it might be different in your case.

  13. Just perfect. Cant thank you enough.

  14. Thanks, precisely what I needed

  15. Thank you so much! I can’t wait till my users start using our new samba file server!!

    ~One toke? You poor fool! Wait till you see those goddamn bats.~

  16. […] and the full_audit:facility/priority options added to his example). Check this or tweaking details:…user-activity/ To generate emails when files are opened, you could create a script to run as a daemon, monitoring […]

  17. Extremely useful and straightforward article ! Thanks !

  18. I’ve noticed that when attempting to utilize these directions.. It makes my file shares unable to be accessed from the workstation.. Force user is the problem?

    Here is my SMB.CONF

    workgroup = SOMETHING
    netbios name = SAMPLE
    security = share

    comment = Data
    path = /vol1/export1
    read only = No
    force user = jv
    guest ok = yes
    group = users

    Maybe you can help?

  19. No clue actually, never heard of that problem before. I did find that there are more people having some trouble with the force user option, but I don’t know if it relates to the full_audit module. See


  21. Thanks for the info!

  22. I had a bit of trouble getting this to go. It seems with newer versions, either Samba or rsyslog is case sensitive when it comes to facility name. These instructions have all upper case for the full_audit:facility parameter, and all lower in the syslog config. rsyslogd failed to create a log file until the name was corrected in smb.conf. Hope this helps!

  23. Hey there just wanted to give you a quick heads up.
    The words in your content seem to be running off the screen in
    Safari. I’m not sure if this is a formatting issue or something to do with internet browser compatibility but I thought I’d post
    to let you know. The design look great though!
    Hope you get the problem fixed soon. Kudos

  24. @spec: Thanks for the info, I adapted the post.

    @Dylan: Thanks for noticing.. I think you mean the code block right? The template is just a default template, so it’s strange it’s not working properly. I’ll look for another template :)

  25. What I should check if it does not work to me? Services restarted, no errors noticed… samba 3.4.7 on two different machines (on both doesn’t work – log.audit is empty).

  26. Thankfulness to my father who shared with me regarding this webpage,
    this weblog is truly remarkable.

  27. My brother suggested I might like this web site.

    He was totally right. This post actually made my day.

    You can not imagine just how much time I had spent for this information!

  28. I wanted to telkl you that I normally visit this blog via my
    iphone, when I’m on the bus to work, and it’s one of the
    very few blogs that I’ve come across that look good on smart phones, and that’s truly admirable.

  29. Thank you so much. It is really funny what samba is able to log, but how hard is to log just human readable and useful information.

  30. Excellent article. One question:
    I am getting logs only if someone connects to the samba share using the form \\server\share
    If they use the share via a mounted drive letter I get nothing.
    Any ideas?

  31. Hi everybody,
    I am interesting in erotic photography.

    Just want to know if I can speak to anyone here about this topic.

    Rank DDoS protection up to 140 GB / s
    Custody of plan projects Genealogy2, WoW, Aion and other from DDoS to 140 GB / c.
    Refuge proxies without emotive the plat to our server.
    The method of theme articulation Nginx, GRE tunnel.
    Hosted protected from DDoS.
    VDS server with safe keeping against DDoS.
    Dedicated server with screen against DDoS.
    The test stretch in return use hosting, VDS 3 days.
    [url = Hosting protected against DDoS [/ url]

  33. zithromax std online.

  34. you can buy our sex-toys right here: premium sex toys

  35. Whatdya think? I’m Karen, 24 years old :) i’m having an anxiety attack… I have opened a new information portal about the symptoms and causes of anxiety, insomnia and depression Here are some of my thoughts – How to Identify Panic and Anxiety Disorders. Most people really feel anxious or terrified when dealing with a harmful or traumatic situation, however, some individuals feel an extreme sense of worry or fear every single day. Those who suffer the pain of anxiety conditions typically feel fearful and anxious regarding the world all around them, and might experience severe effects of anxiety that change into an anxiety attack of panic disorder from normal situations. With Agoraphobia- Often recurrent panic attacks become associated with the places in which they occur. As the person attempts to avoid these places, either in the hope of not triggering an attack or not having help available, or being unable to escape, their freedom of movement and lifestyle may become severely restricted. Without Agoraphobia- Panic attacks occur, but without the consequence of avoidant behavior. Sexual Dysfunction. Impotency, loss of lubrication, loss of libido, inability to have penatrative sex. and the list goes on. It is very common for bot the need to have sex and the physical ability to do so to stop during anxiety disorders. This will all return to normal once the anxiety disorder has gone. Can you imagine living a life without anxiety or panic? Are you sick of the fear of an anxiety or panic attack overwhelming you and stopping you from living your life? If you were offered a way to make your symptoms of anxiety and panic disappear would you try it? If you were taught a method of treating and eradicating the causes of your panic and anxiety in a way that was medication free and offered you a complete refund if you weren’t satisfied, would you give it a try? If you were offered a way of treating your anxiety or panic that had worked for hundreds of thousands of people and was offered to be effective and included a satisfaction guarantee, would you be interested to try it? We have sourced over a dozen products designed to alleviate the symptoms, address the causes and eradicate the fear, panic and anxiety. Once and for all. It is often difficult to pinpoint the exact causes of panic disorder, because so many factors are involved ( emotional and physical problems, traumatic events. and so forth). But because women are twice as likely to suffer from panic disorder as men, most commonly during PMS, pregnancy, and menopause, doctors have come to conclude that hormones are typically the underlying cause. Finally, hormonal fluctuations during menopause cause panic disorder due to drops in the hormone progesterone. Progesterone has been shown to have a calming, soothing affect on the brain, and low levels of progesterone (in combination with the hormonal changes described above) can cause panic disorder. Clinical studies suggest a correlation between anxiety disorders and dysfunction in the amygdala, a part of the brain involved in attaching emotional resonance to events occurring in a person’s environment. Also, a low level of gamma aminobutyric acid (GABA) a neurotransmitter that inhibits energy in the brain seems to contribute to heightened anxiety. The use of alcohol has also been shown to reduce GABA in the brain, making it harder for alcohol users to naturally calm their anxiety. Please, comment my topic!

  36. Привет это интернет-казино.
    Барыш 70% попробуй поиграть на виртуальные деньги.
    Ничто больше не буду утверждать всегда и беспричинно увидешь.
    P.S. Я каждый капитал играю на настоящие касса и выигрываю по 235, 178, 437, 509 рублей.
    Желание не большая число, однако и энтузиазм и мелочь остаются быть мне.

  37. Hi,

    your article is good but not providing the infomation that I needed. Actually I am getting the log of all the subdirectories, even If i do not open them.I just need the log of the directory which I open or modify, not all the directories which resides within samba share.

  38. Hi This is worked for me. But i need to compressed log files send to mail. how to configure the log rotation.

  39. Hi,

    Thanks For support. also pls share parameter of mv (if file move from folder) full_audit:success =

  40. You can add to your /etc/logrotate.d/samba :

    /var/log/samba/log.audit {
    rotate 7
    [ ! -f /var/run/samba/ ] || kill -HUP `cat /var/run/samba/`

    For weekly rotation for log.audit

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

%d bloggers like this: