How to configure SMB share to log user activities on FreeNas 11.x?

Veximus

Cadet
Joined
May 27, 2020
Messages
8
Hello,

How can I follow user activities on FreeNAS 11.2 (create/modify/delete files and folders)? I read many topics about that on this forum but I still don’t understand some things.

First, I saw that I need to add some code lines for vfs_audit to my SMB shares (in services/smb/Auxiliary parameters). All those tutorials are for an older version of FreeNAS (version 9.x). What’s the procedure for enabling user activity logging on FreeNAS 11.x? I suppose that there is an easier way to enable logging on FreeNAS 11.x…

Besides that, where does the system place that log information? I saw on some topic that all logs will be placed inside var/log/message file. How “big” can that file be, and what happens when the file reaches its size limit? Does it start to replace old lines with new ones to maintain the size of the file? Can I redirect all those logs to some other folder inside /mnt/x/x/x?

I read the FreeNAS 11 documentation but I still don’t understand many things.

Thanks
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,398
How much logging do you want? You'll need to enable either audit or full_audit as VFS Objects.



Just pull down the triangle on the right, and check by audit or full_audit to enable.

See the official Samba documentation on audit or full_audit on the additional Auxiliary parameters needed with each.

You can control where the logs go by editing /etc/syslog.conf. Each VFS module allows you to set a syslog facility and a syslog priority. See the FreeBSD man page on syslog.conf. Syslog includes facilities LOCAL0 through LOCAL7 for local alerting requirements. You could use facility LOCAL0 and INFO priority, and then dump the logs to a dataset in your pool. You'll need to restart syslog after modifying /etc/syslog.conf by running /etc/rc.d/syslogd restart.
 

Veximus

Hmm, I don't have VFS Object options in Services/SMB.



I need to log delete operation on files and folders.
 

Veximus

add full_audit to the vfs objects list and the following auxiliary parameters:

full_audit:success = unlink
full_audit:failure = unlink

Ok, done. I put those two lines into the auxiliary parameters. But I cannot see that "vfs object list" option on the Services/SMB panel..:(
 


Veximus

VFS Objects is in the actual share definitions, under Sharing->Windows
Thanks Samuel, I found it.

Now I have this:
4.png


Plus I added these two lines here in Auxiliary parameters (what Anodos said) and I removed them from Service/SMB.
full_audit:success = unlink
full_audit:failure = unlink


Something else that I need to do?

Sorry, I don't have much experience with this.. :confused:
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,544
Restart SMB service. Aux parameters go in share configuration.
 

Veximus

Ok, it works now. I saw that the system puts all logs inside var/log/message file. If I don't change the path for logging in /etc/syslog.conf, how “big” will that file grow? Is there any size limit for that file?
 

Veximus

Oh, I didn't know that /var/log/messages doesn't hold information after the server restarts. So, how can I save that information so it is not lost? Make a script that will copy the messages file to another location after a certain amount of time?
 

Samuel Tai

Messages rolls over weekly. There should be /var/log/messages.[0-9].bz2 older compressed versions.
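
Added example (not part of the thread, and not FreeNAS or Samba code): a small Python reader that pulls the full_audit delete records discussed above out of /var/log/messages or a rotated messages.N.bz2 file and counts them per user. It assumes the default full_audit prefix (%u|%I), so each record reads user|client_ip|operation|result|path; the sample lines, user names and paths are constructed.

```python
import bz2
import re
from collections import Counter

# Assumed record shape (syslog header, then full_audit's default "%u|%I" prefix):
#   <date> <host> smbd_audit[pid]: user|client_ip|operation|result|path
AUDIT_RE = re.compile(r"smbd_audit(?:\[\d+\])?: (?P<body>.*)$")

def parse_audit_line(line, ops=("unlink", "unlinkat")):
    """Return a dict for a delete record, or None for any other line.
    "unlinkat" is the name newer Samba releases log for the same operation."""
    m = AUDIT_RE.search(line.rstrip("\n"))
    if not m:
        return None
    # maxsplit=4 keeps any '|' inside the file name in the path field
    parts = m.group("body").split("|", 4)
    if len(parts) != 5 or parts[2] not in ops:
        return None
    user, client, op, result, path = parts
    return {"user": user, "client": client, "op": op,
            "ok": result == "ok", "result": result, "path": path}

def read_log(path):
    """Yield lines from a plain or bzip2-compressed (rotated) log file."""
    opener = bz2.open if path.endswith(".bz2") else open
    with opener(path, "rt", errors="replace") as fh:
        yield from fh

def deletes_by_user(lines):
    """Count successful and failed delete attempts per user."""
    ok, failed = Counter(), Counter()
    for line in lines:
        rec = parse_audit_line(line)
        if rec:
            (ok if rec["ok"] else failed)[rec["user"]] += 1
    return ok, failed

# Constructed sample lines, not taken from a real system
SAMPLE = [
    "May 28 10:01:02 freenas smbd_audit[2301]: alice|192.168.1.20|unlink|ok|/mnt/tank/share/report.docx",
    "May 28 10:01:05 freenas smbd_audit[2301]: alice|192.168.1.20|unlink|ok|/mnt/tank/share/a|b.txt",
    "May 28 10:02:11 freenas smbd_audit[2417]: bob|192.168.1.31|unlink|fail (Permission denied)|/mnt/tank/share/budget.xlsx",
    "May 28 10:02:30 freenas kernel: unrelated message",
]

if __name__ == "__main__":
    ok, failed = deletes_by_user(SAMPLE)
    print("deleted:", dict(ok), "failed:", dict(failed))
```

To read a real file, pass `read_log("/var/log/messages.0.bz2")` to `deletes_by_user` instead of `SAMPLE`.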
 

Veximus

I have a new problem, guys. When someone opens a random file for printing or editing, FreeNAS sees and logs it as an "unlink" operation... Why does the system see that as an "unlink" operation? Now my log file is full of incorrect information.
 


zantag

Dabbler
Joined
Nov 7, 2020
Messages
10
Hi, I have the same issue but I really can't find VFS Objects is in the actual share definitions, under Sharing->Windows

TrueNAS Core 12

Any ideas?

 

jtoninger

Dabbler
Joined
Aug 29, 2018
Messages
13
You have to add the vfs objects directly as an auxiliary parameter now for some reason. I don't know why iXsystems decided to remove the handy drop-down. And it seems like when you do this it will overwrite the default parameters in the smb config. So what I had to do was add the line:

vfs objects=streams_xattr shadow_copy_zfs aio_fbsd ixnas full_audit

where the attributes streams_xattr shadow_copy_zfs aio_fbsd ixnas were the ones added by TrueNAS by default and full_audit is added to enable auditing.
 

volothamp

Explorer
Joined
Jul 28, 2019
Messages
72
I also spent 20 minutes because of this problem. What's the rationale behind this?
 