Trouble with vfs full audit logging

Status
Not open for further replies.

ptendolk

Cadet
Joined
Feb 6, 2018
Messages
2
Problem

One of the users can't access files on the server after I added samba logging with full_audit. She would click on a file through Active Directory, and immediately be disconnected. After reverting my changes for the auditing, there was no problem.

My FreeNAS Version

When I type 'cat /etc/motd':

Code:
FreeBSD 10.3-STABLE (FreeNAS.amd64) #0 1a8180b(9.10-STABLE): Tue Jun  7 13:16:10 PDT 2016


What I Changed for Full Audit

We have a small group of users (8-9) that access the server through CIFS Active Directory, set up on computers with Windows 7. Today I introduced logging to track user access to files following the suggestions shown here. I edited the /conf/base/etc/local/syslog-ng.conf.freenas and the /etc/local/syslog-ng.conf files with the following line:

Code:
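# Write messages that match the f_local5 filter to a dedicated audit log file.
destination m_samba_audit { file("/mnt/Sigma/Omega/UserLogs/activity.log"); };
# flags(final) stops matching messages from being processed by later log statements.
log { source(src); filter(f_local5); destination(m_samba_audit); flags(final); };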


The only difference between what I did and what was suggested in the link was the file path so that users could access the log through AD. I also changed the /conf/base/etc/newsyslog.conf file, with the same file path.

After making these changes, I restarted the syslog-ng service, and the logging started.

Troubleshooting
FYI, from my computer it works fine: I access a file, and it logs the access. I tried accessing the same files from my PC and was successful.

This is what the /var/log/messages entries are at the time the user tried to access files:
Code:
Mar 13 15:11:20 Sigma kernel: pid 46182 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:11:20 Sigma kernel: pid 21437 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:11:55 Sigma kernel: pid 21451 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:11:55 Sigma kernel: pid 21481 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:14:25 Sigma kernel: pid 21625 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:14:25 Sigma kernel: pid 21676 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:17:45 Sigma kernel: pid 21763 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:17:45 Sigma kernel: pid 21900 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:32:23 Sigma kernel: pid 21914 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:32:23 Sigma kernel: pid 22828 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:46:05 Sigma kernel: pid 22905 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:46:06 Sigma kernel: pid 23697 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:48:00 Sigma kernel: pid 23771 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:48:00 Sigma kernel: pid 23831 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:48:00 Sigma kernel: pid 23848 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:48:00 Sigma kernel: pid 23861 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:48:22 Sigma kernel: pid 23876 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:48:22 Sigma kernel: pid 23904 (smbd), uid 0: exited on signal 6 (core dumped)


Are these the disconnects I mentioned earlier? Is there any more information here that could pinpoint the source of this user's problem? These messages are then followed by smbd_audit messages of me successfully accessing the files.

What can I do on the client end to troubleshoot this?

This was an inherited setup, and I have no prior experience with server maintenance; please forgive my ignorance. We want to track user activity because folders appear to be missing/deleted, and we would like to know who the last user to access the file was.
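As an added example (not part of the original post, and not FreeNAS or Samba code): a small Python script that pulls the smbd "exited on signal" lines out of a /var/log/messages excerpt and groups them into bursts, so each burst can be matched against the time the affected user opened a file. The 5-second grouping window, the year (syslog timestamps carry none) and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines copied from the excerpt above, plus one constructed
# non-matching line to show that unrelated entries are skipped.
SAMPLE = """\
Mar 13 15:11:20 Sigma kernel: pid 46182 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:11:20 Sigma kernel: pid 21437 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:11:55 Sigma kernel: pid 21451 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:11:55 Sigma kernel: pid 21481 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:14:25 Sigma kernel: pid 21625 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:46:05 Sigma kernel: pid 22905 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:46:06 Sigma kernel: pid 23697 (smbd), uid 0: exited on signal 6 (core dumped)
Mar 13 15:46:30 Sigma smbd_audit: constructed line, not a kernel crash record
"""

# FreeBSD kernel record for a process killed by a signal (signal 6 is SIGABRT).
CRASH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: pid (?P<pid>\d+) "
    r"\((?P<proc>[^)]+)\), uid \d+: exited on signal (?P<sig>\d+)"
)

def parse_crashes(text, year=2018, proc="smbd"):
    """Return (timestamp, pid, signal) for every crash record of `proc`."""
    out = []
    for line in text.splitlines():
        m = CRASH.match(line)
        if m and m["proc"] == proc:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, int(m["pid"]), int(m["sig"])))
    return out

def group_bursts(crashes, gap_seconds=5):
    """Cluster crashes at most gap_seconds apart into one burst (assumed: one incident)."""
    bursts = []
    for ts, pid, sig in sorted(crashes):
        if bursts and ts - bursts[-1]["end"] <= timedelta(seconds=gap_seconds):
            bursts[-1]["end"] = ts
            bursts[-1]["pids"].append(pid)
        else:
            bursts.append({"start": ts, "end": ts, "pids": [pid], "signal": sig})
    return bursts

if __name__ == "__main__":
    for b in group_bursts(parse_crashes(SAMPLE)):
        print(b["start"].time(), "-", b["end"].time(), "signal", b["signal"], b["pids"])
```

The burst start times can then be compared with the timestamps of the smbd_audit entries and with the times the affected client reports being disconnected.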
 

ptendolk

Were you able to figure this out?
I have not gotten a chance to, as the colleague and I could not work out a time when we could reproduce the issue. I plan on enabling full debug logging and having her try to access the files then.
 