ProbablyGetRoasted
Cadet
Joined: May 25, 2023
Messages: 9
We are using TrueNAS-SCALE-22.12.3.1
I am sending our syslogs to a Wazuh server.
Currently in System Settings > Services > SMB > Advanced Options I have log level set to FULL and checked off Use Syslog Only.
When I reference the logs either in Wazuh or FreeNAS, all I see are open and close on files, which is dandy, but I am looking for more, like when permissions are changed on a file. (We access the shares from Windows computers.) I have tested deleting a file, copying a file, and changing permissions on a file, and they only show up as Open and Close in the logs. They look like this
(this is a file delete)
2023 Sep 08 07:36:31 nas.x.com->10.0.x.x Sep 8 07:36:31 nas.x.com smbd[1248779]: smbd_dirptr_get_entry mask=[*] found Public/Sysmon/gurpt.txt fname=gurpt.txt (gurpt.txt)
2023 Sep 08 07:36:31 nas.x.com->10.0.x.x Sep 8 07:36:31 nas.x.com smbd[1248779]: smbd_dirptr_get_entry mask=[*] found Public/Sysmon/gurpt.txt fname=gurpt.txt (gurpt.txt)
2023 Sep 08 07:36:39 nas.x.com->10.0.x.x Sep 8 07:36:38 nas.x.com smbd[1248779]: domain\user opened file Public/Sysmon/gurpt.txt read=No write=No (numopen=8)
2023 Sep 08 07:36:39 nas.x.com->10.0.x.x Sep 8 07:36:38 nas.x.com smbd[1248779]: domain\user closed file Public/Sysmon/gurpt.txt (numopen=6) NT_STATUS_OK
2023 Sep 08 07:36:40 nas.x.com->10.0.x.x Sep 8 07:36:40 nas.x.com smbd[1248779]: smbd_dirptr_get_entry mask=[*] found Public/Sysmon/gurpt.txt fname=gurpt.txt (gurpt.txt)
2023 Sep 08 07:36:41 nas.x.com->10.0.x.x Sep 8 07:36:41 nas.x.com smbd[1248779]: domain\user closed file Public/Sysmon/gurpt.txt (numopen=0) NT_STATUS_OK
2023 Sep 08 07:36:41 nas.x.com->10.0.x.x Sep 8 07:36:40 nas.x.com smbd[1248779]: domain\user opened file Public/Sysmon/gurpt.txt read=No write=No (numopen=2)
I have seen a lot of talk of using full_audit as an auxiliary parameter, which I have tried.
Currently I have set
full_audit:success = all
under Aux param for SMB.
For the Syslog logging I have "info" selected as the log level.
Any help would be greatly appreciated!
Thank you
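As an added example (not from the post, TrueNAS or Wazuh), a small parser for the smbd lines quoted above, in the form they reach Wazuh with the agent's "timestamp agent->ip" prefix. Grouping the parsed events per path makes the limitation visible: the delete trace consists only of directory-listing hits plus opens with read=No write=No and closes, so the operation itself (unlink, rename, ACL change) is not present in these messages and no decoder rule can recover it from them.

```python
import re

SAMPLE = [  # sample input: the seven smbd lines quoted in the post, with Wazuh's "<ts> <agent>-><ip>" prefix
    r"2023 Sep 08 07:36:31 nas.x.com->10.0.x.x Sep 8 07:36:31 nas.x.com smbd[1248779]: smbd_dirptr_get_entry mask=[*] found Public/Sysmon/gurpt.txt fname=gurpt.txt (gurpt.txt)",
    r"2023 Sep 08 07:36:31 nas.x.com->10.0.x.x Sep 8 07:36:31 nas.x.com smbd[1248779]: smbd_dirptr_get_entry mask=[*] found Public/Sysmon/gurpt.txt fname=gurpt.txt (gurpt.txt)",
    r"2023 Sep 08 07:36:39 nas.x.com->10.0.x.x Sep 8 07:36:38 nas.x.com smbd[1248779]: domain\user opened file Public/Sysmon/gurpt.txt read=No write=No (numopen=8)",
    r"2023 Sep 08 07:36:39 nas.x.com->10.0.x.x Sep 8 07:36:38 nas.x.com smbd[1248779]: domain\user closed file Public/Sysmon/gurpt.txt (numopen=6) NT_STATUS_OK",
    r"2023 Sep 08 07:36:40 nas.x.com->10.0.x.x Sep 8 07:36:40 nas.x.com smbd[1248779]: smbd_dirptr_get_entry mask=[*] found Public/Sysmon/gurpt.txt fname=gurpt.txt (gurpt.txt)",
    r"2023 Sep 08 07:36:41 nas.x.com->10.0.x.x Sep 8 07:36:41 nas.x.com smbd[1248779]: domain\user closed file Public/Sysmon/gurpt.txt (numopen=0) NT_STATUS_OK",
    r"2023 Sep 08 07:36:41 nas.x.com->10.0.x.x Sep 8 07:36:40 nas.x.com smbd[1248779]: domain\user opened file Public/Sysmon/gurpt.txt read=No write=No (numopen=2)",
]

# Outer envelope (Wazuh prefix + syslog header), then the three message shapes that appear in the post's trace.
LINE_RE = re.compile(
    r"^(?P<wazuh_ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<agent>\S+)->(?P<src>\S+) "
    r"(?P<syslog_ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) (?P<host>\S+) smbd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
OPEN_RE = re.compile(r"^(?P<user>\S+) opened file (?P<path>.+?) read=(?P<read>Yes|No) write=(?P<write>Yes|No) \(numopen=(?P<numopen>\d+)\)$")
CLOSE_RE = re.compile(r"^(?P<user>\S+) closed file (?P<path>.+?) \(numopen=(?P<numopen>\d+)\) (?P<status>NT_STATUS_\w+)$")
DIR_RE = re.compile(r"^smbd_dirptr_get_entry mask=\[(?P<mask>[^\]]*)\] found (?P<path>\S+) fname=")

def parse_line(line):
    """Return one event dict (kind: open, close, dirlist or other) or None if this is not an smbd line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m["msg"]
    ev = {"ts": m["syslog_ts"], "host": m["host"], "pid": int(m["pid"]), "kind": "other", "msg": msg}
    if o := OPEN_RE.match(msg):
        ev.update(kind="open", user=o["user"], path=o["path"], numopen=int(o["numopen"]),
                  read=o["read"] == "Yes", write=o["write"] == "Yes")
    elif c := CLOSE_RE.match(msg):
        ev.update(kind="close", user=c["user"], path=c["path"], numopen=int(c["numopen"]), status=c["status"])
    elif d := DIR_RE.match(msg):
        ev.update(kind="dirlist", path=d["path"], mask=d["mask"])
    return ev

def per_file_activity(lines):
    """Group events by path: sequence of kinds, users seen, and whether any open actually read or wrote data."""
    out = {}
    for ev in filter(None, map(parse_line, lines)):
        if "path" not in ev:
            continue
        rec = out.setdefault(ev["path"], {"kinds": [], "users": set(), "data_open": False})
        rec["kinds"].append(ev["kind"])
        if "user" in ev:
            rec["users"].add(ev["user"])
        if ev["kind"] == "open" and (ev["read"] or ev["write"]):
            rec["data_open"] = True  # stays False for the post's delete trace: both opens are read=No write=No
    return out
```

The fields this extracts (user, path, read/write flags, numopen, NT status) are everything a Wazuh decoder could get from the stock smbd messages; per-operation records are what the full_audit VFS module is meant to add.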