-
Important Announcement for the TrueNAS Community.
The TrueNAS Community has now been moved. This forum has become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums
(Solved) How to Set samba audit?
- Thread starter akong
- Start date
- Joined
- Jan 1, 2016
- Messages
- 9,700
On your share(s), set the Auxiliary parameters to contain:
And under your Services | SMB (edit with the pencil), set the Auxilary Parameters to this:
Personally, I prefer to then use another syslog analysis tool like graylog to look at that, so you may want to redirect your system logs to a platform like that rather than just looking in the logs by yourself:
System | Advanced | Syslog
vfs objects=full_auditAnd under your Services | SMB (edit with the pencil), set the Auxilary Parameters to this:
Code:
full_audit:prefix =%u|%I|%m|%S full_audit:failure =connect full_audit:success =mkdir rmdir write pwrite sendfile rename unlink full_audit:facility =LOCAL5 full_audit:priority =NOTICE
Personally, I prefer to then use another syslog analysis tool like graylog to look at that, so you may want to redirect your system logs to a platform like that rather than just looking in the logs by yourself:
System | Advanced | Syslog
this is what I did for the latest truenas 13 u2
for my individual smb shares
advanced options > in field auxiliary parameters
not entirely sure what to use best for file touch (write / file-create / .. )
fcntl was the one that created the least clutter
all old settings like e.g. unlink caused full_audit to spit out the events unfiltered
settings for the current installed samba visible under
to reload the settings I ran after having set the auxiliary parameters on the individual shares a smb restart
for my individual smb shares
advanced options > in field auxiliary parameters
not entirely sure what to use best for file touch (write / file-create / .. )
fcntl was the one that created the least clutter
all old settings like e.g. unlink caused full_audit to spit out the events unfiltered
settings for the current installed samba visible under
to reload the settings I ran after having set the auxiliary parameters on the individual shares a smb restart
Hello, when performing a tail -f on the following route: tail -f /var/db/system/syslog-3adcc44658cc44c8ad6338539ba7431a/log/messages, it shows me this information:
Nov 27 19:18:33 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|stat|ok|/mnt/CATA/DATA HOSD
Nov 27 19:18:33 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|file_id_create|ok|54:2407:0
Nov 27 19:18:33 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|stat|ok|/mnt/CATA/DATA HOSD/h
Nov 27 19:18:33 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|fgetxattr|ok|/mnt/CATA/DATA HOSD/h|user.DOSATTRIB
Nov 27 19:18:33 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|fget_dos_attributes|ok|/mnt/CATA/DATA HOSD/h
Nov 27 19:18:33 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|get_alloc_size|ok|0
Nov 27 19:18:33 truenas smbd_audit[3590850]: hdiaz|192.168.1.67|desktop-8kbottk|DATA HOSD|close|ok|/mnt/CATA/DATA HOSD/h
Is what it shows me correct? I don't see information that a file was created or deleted...
- Joined
- Jan 1, 2016
- Messages
- 9,700
You aren't looking very hard...
But if you just aren't seeing what you want, I suggest looking at the samba manpages for full_audit:
Last edited:
Thanks for answering, yes I had realized that, but what I mean is that it does not tell me the name of the folder or file that was created.
Thanks, I'll check the samba man pages for full_audit:
Any questions I hope to have your support.
