Logging on SMB shares only showing open,close

Joined
May 25, 2023
Messages
9
We are using TrueNAS-SCALE-22.12.3.1

I am sending our syslogs to a Wazuh server.
Currently in System Settings > Services > SMB > Advanced Options I have log level set to FULL and checked off Use Syslog Only.

When I reference the logs either in Wazuh or FreeNAS, all I see are open and close on files, which is dandy, but I am looking for more, like when permissions are changed on a file. (We access the shares from Windows computers.) I have tested deleting a file, copying a file, and changing permissions on a file, and they only show up as Open and Close in the logs. They look like this:

(this is a file delete)
2023 Sep 08 07:36:31 nas.x.com->10.0.x.x Sep 8 07:36:31 nas.x.com smbd[1248779]: smbd_dirptr_get_entry mask=[*] found Public/Sysmon/gurpt.txt fname=gurpt.txt (gurpt.txt)
2023 Sep 08 07:36:31 nas.x.com->10.0.x.x Sep 8 07:36:31 nas.x.com smbd[1248779]: smbd_dirptr_get_entry mask=[*] found Public/Sysmon/gurpt.txt fname=gurpt.txt (gurpt.txt)
2023 Sep 08 07:36:39 nas.x.com->10.0.x.x Sep 8 07:36:38 nas.x.com smbd[1248779]: domain\user opened file Public/Sysmon/gurpt.txt read=No write=No (numopen=8)
2023 Sep 08 07:36:39 nas.x.com->10.0.x.x Sep 8 07:36:38 nas.x.com smbd[1248779]: domain\user closed file Public/Sysmon/gurpt.txt (numopen=6) NT_STATUS_OK
2023 Sep 08 07:36:40 nas.x.com->10.0.x.x Sep 8 07:36:40 nas.x.com smbd[1248779]: smbd_dirptr_get_entry mask=[*] found Public/Sysmon/gurpt.txt fname=gurpt.txt (gurpt.txt)
2023 Sep 08 07:36:41 nas.x.com->10.0.x.x Sep 8 07:36:41 nas.x.com smbd[1248779]: domain\user closed file Public/Sysmon/gurpt.txt (numopen=0) NT_STATUS_OK
2023 Sep 08 07:36:41 nas.x.com->10.0.x.x Sep 8 07:36:40 nas.x.com smbd[1248779]: domain\user opened file Public/Sysmon/gurpt.txt read=No write=No (numopen=2)

I have seen a lot of talk of using full_audit as an auxiliary parameter, which I have tried.
Currently I have set
full_audit:success = all
under Aux param for SMB.

For the Syslog logging I have "info" selected as the log level.

Any help would be greatly appreciated!

thank you
 
Joined
Jul 3, 2015
Messages
926
Have you tried adding something like the below in SMB Global Config?

full_audit:success = mkdirat renameat unlinkat

Other options include:


PS: I can only speak for CORE not SCALE.
 
Joined
May 25, 2023
Messages
9
@Johnny Fartpants
I just tried this and still nothing. I can see the rename, but I could already see that one before.
I added the success= all so that I could see everything, but yeah logs still look the exact same after adding.
 
Joined
Jul 3, 2015
Messages
926
What have you got in your share config?

Have you restarted SMB?
 
Joined
May 25, 2023
Messages
9
1694188778426.png


And honestly, I guess because I was seeing "syslog restarting" after saving the aux param, I figured it was reloading the aux parameters, so no, I have not restarted SMB if it does not automatically restart after saving changes. If that is the case I will restart the service tonight and check.
 
Joined
Jul 3, 2015
Messages
926
Again not sure about SCALE but CORE only needs:

vfs objects=full_audit

in the share config. It's the global config where you set parameters.
 
Joined
May 25, 2023
Messages
9
@Johnny Fartpants Unfortunately that did not result in a success. Last night I restarted SMB through the GUI by toggling the switch for SMB.
Looked back at logs and they are still the same. If anyone else has suggestions this would be much appreciated.
 
Joined
May 25, 2023
Messages
9
****UPDATE****

I have made it further in the logging. On my share aux parameters I have

vfs objects = full_audit zfsacl
full_audit:failure = connect
full_audit:success = all

on my SMB aux params I have
1695132446225.png


If I go to /var/log/ and tail the syslog file I get info like this

Sep 19 10:06:46 tn-test.ex.COM smbd_audit[762316]: ex\xxxx|10.00.00.244|openat|ok|r|/mnt/data/Depts/IT
Sep 19 10:06:46 tn-test.ex.COM smbd_audit[762316]: ex\xxxx|10.000.000.244|fstat|ok|/mnt/data/Depts/IT
Sep 19 10:06:46 tn-test.ex.COM smbd_audit[762316]: ex\xxxx|10.000.0000.244|file_id_create|ok|42:34:0

WHICH IS WHAT I WANT, so made a little progress... but now if I go to edit ACLs on a file I get the error below

1695132433369.png


If I take away the
vfs objects = full_audit zfsacl
from the share aux parameters I am able to change the ACLs on the file... any help would really be appreciated.
Again, we use TrueNAS SCALE.

thank you
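
A sketch of how the `smbd_audit` lines from the update above could be split and filtered for the operations the thread is after (deletes, renames, permission changes), as an added example that is not part of any post in the thread. It assumes the `user|client IP|operation|result|arguments` layout shown in those lines; the sample lines, host and user names are constructed, and `fset_nt_acl`, `fchmod` and `fchown` are Samba VFS operation names that do not appear in the thread's output.

```python
import re
from collections import namedtuple

AuditEvent = namedtuple("AuditEvent", "host user client op ok args category")

# Syslog header followed by the smbd_audit tag; plain smbd[...] lines do not match.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\ssmbd_audit\[\d+\]:\s(?P<payload>.+)$"
)

# unlinkat/renameat/mkdirat are named in the thread; the ACL, mode and owner
# operations are assumed to be the ones of interest for permission changes.
CATEGORIES = {
    "unlinkat": "delete", "renameat": "rename", "mkdirat": "mkdir",
    "fset_nt_acl": "permission-change", "fchmod": "permission-change",
    "fchown": "owner-change",
}

def parse_audit_line(line):
    """Return an AuditEvent for a full_audit syslog line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("payload").split("|")
    if len(fields) < 4:
        return None
    user, client, op, result = fields[:4]
    # Anything other than a literal "ok" is treated as a failed operation.
    # The remaining fields vary by operation (open mode, path, rename target).
    return AuditEvent(m.group("host"), user, client, op,
                      result == "ok", fields[4:], CATEGORIES.get(op))

def interesting(lines):
    """Keep only events whose operation maps to a category above."""
    events = (parse_audit_line(line) for line in lines)
    return [e for e in events if e is not None and e.category]

# Constructed sample lines (not taken from a real system).
SAMPLE = r"""
Sep 19 10:06:46 tn-test.example.com smbd_audit[762316]: EX\alice|192.0.2.44|openat|ok|r|/mnt/data/Depts/IT
Sep 19 10:06:46 tn-test.example.com smbd_audit[762316]: EX\alice|192.0.2.44|fstat|ok|/mnt/data/Depts/IT
Sep 19 10:07:02 tn-test.example.com smbd_audit[762316]: EX\alice|192.0.2.44|fset_nt_acl|ok|/mnt/data/Depts/IT/plan.txt
Sep 19 10:07:10 tn-test.example.com smbd_audit[762316]: EX\bob|192.0.2.45|unlinkat|fail (Permission denied)|/mnt/data/Depts/IT/plan.txt
Sep 19 10:07:15 tn-test.example.com smbd[1248779]: EX\bob opened file Public/Sysmon/gurpt.txt read=No write=No (numopen=2)
""".strip().splitlines()

if __name__ == "__main__":
    for event in interesting(SAMPLE):
        print(event.category, event.user, event.client, event.ok, event.args)
```

The same field split can be mirrored in a SIEM decoder, so that alerts key on the operation and result fields rather than on the generic open and close messages.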
 