(Solved) How to Set samba audit?

akong

Hello,
I installed TrueNAS and want to enable Samba audit. But I have tried many solutions. It's not working.
How to enable samba audit?
 

sretalla

On your share(s), set the Auxiliary parameters to contain:
vfs objects=full_audit

And under your Services | SMB (edit with the pencil), set the Auxiliary Parameters to this:
Code:
full_audit:prefix =%u|%I|%m|%S
full_audit:failure =connect
full_audit:success =mkdir rmdir write pwrite sendfile rename unlink
full_audit:facility =LOCAL5
full_audit:priority =NOTICE


Personally, I prefer to then use another syslog analysis tool like graylog to look at that, so you may want to redirect your system logs to a platform like that rather than just looking in the logs by yourself:

System | Advanced | Syslog
 

ebricca

this is what I did for the latest truenas 13 u2
for my individual smb shares
advanced options > in field auxiliary parameters
full_audit:success = mkdirat renameat unlinkat fcntl
full_audit:failure = mkdirat renameat unlinkat fcntl
full_audit:facility = user
full_audit:priority = NOTICE
nfs4:mode = simple
fruit:nfs_aces = no
vfs objects = zfs_space zfsacl streams_xattr full_audit fruit catia

not entirely sure what to use best for file touch (write / file-create / .. )
fcntl was the one that created the least clutter

all old settings like e.g. unlink caused full_audit to spit out the events unfiltered
settings for the current installed samba visible under
man vfs_full_audit

to reload the settings, after having set the auxiliary parameters on the individual shares, I ran an smb restart
service samba_server onerestart
 

Montttiii

Hello, when performing a tail -f on the following route: tail -f /var/db/system/syslog-3adcc44658cc44c8ad6338539ba7431a/log/messages, it shows me this information:

Nov 27 19:18:33 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|stat|ok|/mnt/CATA/DATA HOSD
Nov 27 19:18:33 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|file_id_create|ok|54:2407:0
Nov 27 19:18:33 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|stat|ok|/mnt/CATA/DATA HOSD/h
Nov 27 19:18:33 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|fgetxattr|ok|/mnt/CATA/DATA HOSD/h|user.DOSATTRIB
Nov 27 19:18:33 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|fget_dos_attributes|ok|/mnt/CATA/DATA HOSD/h
Nov 27 19:18:33 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|get_alloc_size|ok|0
Nov 27 19:18:33 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|close|ok|/mnt/CATA/DATA HOSD/h


Is what it shows me correct? I don't see information that a file was created or deleted...
 

sretalla


Montttiii

You aren't looking very hard...

But if you just aren't seeing what you want, I suggest looking at the samba manpages for full_audit:

Thanks for answering, yes I had realized that, but what I mean is that it does not tell me the name of the folder or file that was created.
Thanks, I'll check the samba man pages for full_audit:

If I have any questions, I hope to have your support.
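
Added example (not code from any poster in this thread): a small Python filter for smbd_audit syslog lines written with the full_audit:prefix = %u|%I|%m|%S setting shown earlier, keeping only the create, delete and rename operations named in the thread. Only the first sample line is taken from the thread; the others are constructed, and the argument layout after the result field for mkdirat, renameat and unlinkat is an assumption.

```python
import re
from typing import NamedTuple, Optional

# Syslog header, then the full_audit payload that follows "smbd_audit[pid]: ".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ smbd_audit\[\d+\]: (?P<body>.*)$")

# Operations named in the thread that create, delete or rename entries.
CHANGE_OPS = {"mkdir", "rmdir", "rename", "unlink",
              "mkdirat", "renameat", "unlinkat"}

class AuditEvent(NamedTuple):
    ts: str
    user: str
    ip: str
    machine: str
    share: str
    op: str
    ok: bool
    detail: str  # remaining arguments, kept as one string

def parse_line(line: str) -> Optional[AuditEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # %u|%I|%m|%S, operation, result; the rest stays unsplit (paths may hold '|').
    parts = m.group("body").split("|", 6)
    if len(parts) < 6:
        return None
    user, ip, machine, share, op, result = parts[:6]
    detail = parts[6] if len(parts) > 6 else ""
    return AuditEvent(m.group("ts"), user, ip, machine, share, op,
                      result == "ok", detail)

def change_events(lines):
    parsed = (parse_line(l) for l in lines)
    return [e for e in parsed if e and e.op in CHANGE_OPS]

# First line is from the thread; the others are constructed for illustration.
SAMPLE = [
    "Nov 27 19:18:33 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|stat|ok|/mnt/CATA/DATA HOSD/h",
    "Nov 27 19:18:40 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|mkdirat|ok|/mnt/CATA/DATA HOSD/new folder",
    "Nov 27 19:18:52 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|renameat|ok|/mnt/CATA/DATA HOSD/new folder|/mnt/CATA/DATA HOSD/reports",
    "Nov 27 19:19:05 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|unlinkat|fail (Permission denied)|/mnt/CATA/DATA HOSD/h",
]

if __name__ == "__main__":
    for e in change_events(SAMPLE):
        print(e.ts, e.user, e.ip, e.share, e.op, "ok" if e.ok else "FAILED", e.detail)
```

A line only reaches this filter if its operation is listed in full_audit:success or full_audit:failure on the share, so the operation names in CHANGE_OPS need to match what the installed Samba version documents in man vfs_full_audit.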
 