Samba has an audit module which can provide full logging on shares.
In the log file you will get something like that:
Code:
May 29 09:31:59 smbsrv smbd_audit: johndoe|192.168.xx.yy|machine-name|Share-name|open|ok|r|dir1/dir2/file
Besides the open mode, you can get pwrite, unlink, rename, rmdir, mkdir, etc. Check the documentation.
All you need is the full_audit module (/usr/lib/samba/vfs/full_audit.so) which is part of samba server (mine is samba-3.0.24-6.ccj1.rpm) and add the following in your share definition:
First, thank you for that invaluable information. From what I read somewhere, the action is followed by the result -- in this case 'ok' followed the open action. Then what does the 'r' (the 'r' between open and the file name) represent?
Another thing I would like to ask: when people open a shared directory, especially when there are a lot of subdirectories within it, lots of information concerning |stat|fail is thrown into /etc/log/messages. Can we prevent this from showing up there, since I only need the rmdir, mkdir, unlink and rename logs and it makes my log messages grow too big (60MB of file size within 4-6 hours)? Thank you in advance for your help.
PS. Pardon my English.
Regards,
sato
Quote:
Originally Posted by marozsas
Samba has an audit module which can provide full logging on shares.
In the log file you will get something like that:
Code:
May 29 09:31:59 smbsrv smbd_audit: johndoe|192.168.xx.yy|machine-name|Share-name|open|ok|r|dir1/dir2/file
Then what does the 'r' (the 'r' between open and the file name) represent?
It is the open mode; in this case, opened for reading. But you can get "|w|", which stands for open for writing.
Quote:
Originally Posted by sato
Can we prevent this from showing up there, since I only need the rmdir, mkdir, unlink and rename logs and it makes my log messages grow too big (60MB of file size within 4-6 hours)?
I have no idea. Sorry... If you manage to figure it out, please post the solution back in this thread.
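Added example (not part of the original posts): a Python filter over full_audit syslog lines that keeps only the rmdir, mkdir, unlink and rename records asked about above. The field layout follows the sample line in the thread; the sample log lines, addresses, share name and the `fail (...)` text are constructed for illustration.

```python
import re
from collections import Counter

# Operations worth keeping for change auditing; open/stat noise is dropped.
WANTED_OPS = {"rmdir", "mkdir", "unlink", "rename"}

# Syslog header, then the record: user|ip|machine|share|operation|result|args
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssmbd_audit:\s(?P<body>.*)$")

def parse_audit_line(line):
    """Return a dict for one smbd_audit line, or None if it is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    parts = m.group("body").split("|", 6)
    if len(parts) < 6:
        return None  # truncated or differently prefixed record
    user, ip, machine, share, op, result = parts[:6]
    # args stays raw: "r|path" for open, "old|new" for rename, "path" otherwise
    args = parts[6] if len(parts) > 6 else ""
    return {"ts": m.group("ts"), "user": user, "ip": ip, "machine": machine,
            "share": share, "op": op, "result": result, "args": args}

def filter_events(lines, wanted=WANTED_OPS, include_failures=True):
    """Keep only records whose operation is in `wanted`."""
    events = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["op"] not in wanted:
            continue
        if not include_failures and rec["result"] != "ok":
            continue
        events.append(rec)
    return events

def summarize(events):
    """Count kept events per (user, operation) pair."""
    return Counter((e["user"], e["op"]) for e in events)

# Constructed sample input, modelled on the log line quoted in the thread.
SAMPLE_LOG = """\
May 29 09:31:59 smbsrv smbd_audit: johndoe|192.168.0.10|pc-01|docs|open|ok|r|dir1/dir2/file
May 29 09:32:01 smbsrv smbd_audit: johndoe|192.168.0.10|pc-01|docs|stat|fail (No such file or directory)|dir1/Thumbs.db
May 29 09:32:05 smbsrv smbd_audit: johndoe|192.168.0.10|pc-01|docs|mkdir|ok|dir1/new
May 29 09:32:09 smbsrv smbd_audit: janedoe|192.168.0.11|pc-02|docs|rename|ok|dir1/a.txt|dir1/b.txt
May 29 09:32:12 smbsrv smbd_audit: janedoe|192.168.0.11|pc-02|docs|unlink|fail (Permission denied)|dir1/b.txt
May 29 09:32:13 smbsrv kernel: unrelated message
""".splitlines()

if __name__ == "__main__":
    for e in filter_events(SAMPLE_LOG):
        print(e["ts"], e["user"], e["op"], e["result"], e["args"])
```

This filters after the fact; the module's `full_audit:success` and `full_audit:failure` share options, described in the vfs_full_audit man page, limit which operations are logged in the first place.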