reysolowalker
Cadet
Joined: Feb 21, 2023
Messages: 4
Hi,
I have been struggling to get Samba auditing to work correctly for a while now and I have a few strange issues that I haven't found elsewhere on the forums.
Firstly, here are some of the changes I've made:
Services → SMB → Auxiliary Parameters:
full_audit:prefix = %u | %I | %m | %S
full_audit:failure = connect
full_audit:success = connect mkdirat renameat unlinkat linkat open
full_audit:facility = LOCAL5
full_audit:priority = NOTICE
Sharing → Windows Shares (SMB) → [Share Name] → Advanced Options → Auxiliary Parameters:
vfs objects=full_audit
Updated “/conf/base/etc/local/syslog-ng.conf.freenas” to try to store logs at “/var/log/samba4/activity.log”:
destination m_samba_audit { file("/var/log/samba4/activity.log"); };
log { source(src); filter(f_local5);destination(m_samba_audit); flags(final); };
Changes Made to “/etc/syslog.conf“ and “/conf/base/etc/syslog.conf“ (not sure which one works, if any):
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local5.none /var/log/messages
And now for the issues I'm having:
- Logging DOES go to "/var/log/samba4/activity.log" but it also logs to "/var/log/messages". Is there any way to get this to ONLY go to activity.log? I thought editing syslog.conf would help with this but so far I haven't had any luck.
- For some reason nginx is spamming "/var/log/samba4/activity.log" with: Feb 21 15:07:45 truenas nginx: 192.168.1.121 - - [21/Feb/2023:15:07:45 -0700] "GET /websocket HTTP/1.1" 101 387 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
- Note that nginx is NOT spamming "/var/log/messages" with this
- Any idea what this is and why the heck it's showing up in my samba activity.log?
Would appreciate any insight on this as I am quite lost at the moment. Thanks!
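Whatever the syslog-ng routing ends up looking like, the activity.log produced by the configuration above is only useful if something reads it. The script below is an added example and is not part of the post, TrueNAS or Samba's own code. It assumes full_audit's syslog record layout (the configured prefix, then the operation, then ok or fail, then the operation's arguments, all separated by "|", logged under the program name "smbd_audit") and the post's prefix "%u | %I | %m | %S"; the log lines embedded in it are constructed for illustration, not captured from a real system. It keys on the syslog program field, so the nginx lines that land in the same file are dropped rather than parsed, and it reports the two things the configuration was set up to capture: failed connects per client address and successful mkdirat/renameat/unlinkat calls per user.

```python
"""Parse Samba full_audit records out of a mixed syslog file and summarize them.

Assumed record layout: <prefix>|<op>|ok-or-fail|<args...>, logged via syslog
under the program name "smbd_audit", with the prefix "%u | %I | %m | %S".
SAMPLE_LOG is constructed for this example and is not real data.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: one nginx line and six audit records (not real data).
SAMPLE_LOG = """\
Feb 21 15:07:45 truenas nginx: 192.168.1.121 - - [21/Feb/2023:15:07:45 -0700] "GET /websocket HTTP/1.1" 101 387 "-" "Mozilla/5.0"
Feb 21 15:08:02 truenas smbd_audit: alice | 192.168.1.50 | WS01 | data|connect|ok|data
Feb 21 15:08:05 truenas smbd_audit: alice | 192.168.1.50 | WS01 | data|open|ok|r|reports/q4.xlsx
Feb 21 15:08:09 truenas smbd_audit: alice | 192.168.1.50 | WS01 | data|unlinkat|ok|reports/old.docx
Feb 21 15:09:30 truenas smbd_audit: nobody | 192.168.1.77 | - | data|connect|fail|data
Feb 21 15:09:31 truenas smbd_audit: nobody | 192.168.1.77 | - | data|connect|fail|data
Feb 21 15:09:33 truenas smbd_audit: nobody | 192.168.1.77 | - | data|connect|fail|data
"""

# Syslog identity full_audit logs under; everything else (nginx, ...) is skipped.
AUDIT_PROGRAM = "smbd_audit"
# Field names for the prefix "%u | %I | %m | %S": user, client IP, client name, share.
PREFIX_FIELDS = ("user", "client_ip", "client_name", "share")
# Operations from the full_audit:success list that create, move or delete data.
DESTRUCTIVE_OPS = {"mkdirat", "renameat", "unlinkat"}

# BSD-style syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_audit_line(line):
    """Return a dict for one smbd_audit record, or None for any other syslog line."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m or m.group("prog") != AUDIT_PROGRAM:
        return None
    # The prefix itself contains "|" separators, so split the whole message on "|"
    # and strip the padding spaces the prefix template adds. Paths containing "|"
    # would be mis-split here; the assumed format has no escaping for them.
    parts = [p.strip() for p in m.group("msg").split("|")]
    n = len(PREFIX_FIELDS)
    if len(parts) < n + 2:          # need at least prefix fields + op + result
        return None
    rec = dict(zip(PREFIX_FIELDS, parts[:n]))
    rec["ts"] = m.group("ts")
    rec["host"] = m.group("host")
    rec["op"] = parts[n]
    rec["ok"] = parts[n + 1] == "ok"
    rec["args"] = parts[n + 2:]      # e.g. ["r", "reports/q4.xlsx"] for an open
    return rec


def parse_log(text):
    """Parse every line of a log; lines that are not audit records are skipped."""
    return [r for r in (parse_audit_line(ln) for ln in text.splitlines()) if r]


def failed_connects_by_ip(records):
    """Count failed 'connect' records per client IP (what full_audit:failure = connect captures)."""
    return Counter(r["client_ip"] for r in records if r["op"] == "connect" and not r["ok"])


def destructive_ops_by_user(records):
    """Map user -> list of (op, args) for successful mkdirat/renameat/unlinkat calls."""
    out = defaultdict(list)
    for r in records:
        if r["ok"] and r["op"] in DESTRUCTIVE_OPS:
            out[r["user"]].append((r["op"], tuple(r["args"])))
    return dict(out)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} audit records parsed")
    for ip, count in failed_connects_by_ip(recs).items():
        print(f"failed connects from {ip}: {count}")
    for user, ops in destructive_ops_by_user(recs).items():
        print(f"{user}: {ops}")
```

To read the real file instead of the embedded sample, pass the contents of /var/log/samba4/activity.log to parse_log(). The same program-name test can be applied at the syslog-ng layer: syslog-ng's filter language has a program() match, so a filter on program("smbd_audit") rather than on the local5 facility alone would keep anything else that logs to local5 out of the audit destination.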