[TUTORIAL] ADD FULL LOGGING ON SAMBA SHARES (FULL_AUDIT) - FreeNAS <=9.3


lorenzoASR

Dear Forum, I want to share my experience about installing a nice Samba extension called full_audit.

full_audit permits logging ALL operations on a share, like create file, delete file, change path......

1) Go to Services->CIFS (click)
2) Add these lines in "Auxiliary Parameters" (or something like that, I have it in Italian):
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:facility = LOCAL5
full_audit:priority = NOTICE

You can edit those parameters as you prefer! (read http://www.samba.org/samba/docs/man/manpages/vfs_full_audit.8.html)

3) Now go to Sharing->CIFS->Add Shared Element, fill it in as you want, and click "Advanced Mode" (at the end of the tab); now you can add this line to "Auxiliary Parameters":
vfs objects = recycle full_audit

END!

Now you will find in the Samba logs all the operations mentioned in "full_audit:success" and "full_audit:failure".

Repeat STEP 3 for each Shared Path that you want to log!

Sorry for my English, I hope this will help you!

EDIT:
According to cyberjock, this method adds a lot of logs and will quickly fill your 10 MB log space. So you have to move the logs to another location:

Here's how to move logs from default location to a custom one:

1) mount / with write permission
Code:
mount -rw /


2) Edit /conf/base/etc/syslog.conf
You can set the new custom location as you prefer; in my case it is /mnt/storagesata1/....

Code:
# Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit /dev/console
#*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
local5.=info /mnt/storagesata1/misc/logs/samba/docs.log
local5.=notice /mnt/storagesata1/misc/logs/samba/activity.log
local0.notice;local1.notice;local2.notice;local3.notice /var/log/messages
local4.notice;local6.notice;local7.notice /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
ftp.info /var/log/xferlog
cron.* /var/log/cron
# *.=debug /var/log/debug.log
*.emerg *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.* /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.* @loghost
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
!ppp
*.* /var/log/ppp.log
!*


You have to modify line 7 by adding a # at the start, and lines 8-11 by inserting the level rules.
 

cyberjock

What exactly does this do? It looks like it just adds a lot of logging. Am I wrong?

If this is all that it does, you'd probably want to find a new place to put the Samba log files. The log space for FreeNAS is only like 10MB. And that's for the system and all resources to share. I'm not sure how you could redirect the log. On a server with even minor use you could probably cycle through all the available space over and over in a short time which might defeat the purpose of the log.
 

lorenzoASR

Exactly, this is for "paranoid" administrators!

Of course, you are right; without moving the logs the system will fill up quickly! My solution was using "newsyslog" and "logrotate", redirecting the logs to a ZFS dataset that I created for this purpose!

I will paste the procedure to change the log path tomorrow! Thanks for your review!
 

marian78

hi,

I tried "mount -rw /" on FreeNAS 9.3 and got "mount: /: unknown special file or file system".......

EDIT: not logging... Does full_audit still work on FreeNAS 9.3?

EDIT2: to move the Samba logs to the dataset I set, in the CIFS service auxiliary section: "log file = /mnt/yourdataset/logs/samba/%m.log"
 

Bidule0hm

You don't need to remount the filesystem on the 9.3 version; it's only for 9.2.* and older ;)
 

marian78

thx, sir. :)
 

marian78

I'm at a dead end... can't get it to log to a dataset like /mnt/datasetname/log

1. Add to CIFS service Auxiliary parameters:
Code:
log file = /mnt/volume0/logs/samba/%m.log
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit:priority = notice


2. Add to all Sharing->Windows shares (CIFS):
Code:
vfs objects = full_audit


3. Edit syslog.conf (at /conf/base/etc/)
Code:
#
#    Spaces ARE valid field separators in this file. However,
#    other *nix-like systems still insist on using tabs as field
#    separators. If you are sharing this file between systems, you
#    may want to use only tabs as field separators here.
#    Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit        /dev/console
#*.notice;
authpriv.none;kern.debug;lpr.info;mail.crit;news.err    /var/log/messages
local5.notice                     /mnt/volume0/logs/samba/samba_docs.log
local5.info                     /mnt/volume0/logs/samba/samba_activity.log
local0.notice;local1.notice;local2.notice;local3.notice /var/log/messages
local4.notice;local6.notice;local7.notice /var/log/messages
security.*                    /var/log/security
auth.info;authpriv.info                /var/log/auth.log
mail.info                    /var/log/maillog
lpr.info                    /var/log/lpd-errs
ftp.*                        /var/log/xferlog
cron.*                        /var/log/cron
*.=debug                    /var/log/debug.log
*.emerg                        *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info                    /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
*.*                        /mnt/volume0/logs/syslog_all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*                        @loghost
# uncomment these if you're running inn
# news.crit                    /var/log/news/news.crit
# news.err                    /var/log/news/news.err
# news.notice                    /var/log/news/news.notice
!ppp
*.*                        /var/log/ppp.log
!*


PS: my system is FreeNAS 9.3 STABLE
 

Isaias

FreeNAS 9.3 uses syslog-ng. To change the path of the logs you need to edit the file "/etc/local/syslog-ng.conf", and to make it permanent you must edit the file "/conf/base/etc/local/syslog-ng.conf.freenas". I added the following lines and I've gotten it to work.

destination m_samba_audit { file("/var/log/samba4/activity.log"); };
log { source(src); filter(f_local5);destination(m_samba_audit); flags(final); };

You must restart the syslog-ng service:

service syslog-ng restart

Regards.
 

marian78

thx for reply, i will try. :)


EDIT: YES, YES, it works, thx sir. :) :) :) :), TWO BIG beers and one (or two :) ) sexy lady for you.....
 

marian78

hi,

I don't know how to set up log rotation, so I decided to write a small script and run it in cron every hour.

It checks the log file size and, if it is greater than the size set in the script, moves it to a backup location - "/mnt/yourdataset/yourfolder/folder with current date" - and renames the file with the current time and date. Then it creates a new empty log and restarts the service.

Code:
#!/bin/sh
### parameters ###
samba_activity="/mnt/volume0/logs/samba/samba_activity.log"
now=$(date +"_%H%M%S_%d_%m_%Y")
today=$(date +"%d_%m_%Y")
archivfolder="/mnt/volume0/logs/samba/archiv/$today"
archivfile="samba_activity_$now.log"
### max size is in MiB ###
max_size=64

### nothing to do if the log does not exist yet ###
[ -f "$samba_activity" ] || exit 0

### run only if log is greater than max_size (converted to bytes) ###
max_size=$((max_size*1024*1024))
log_size=$(ls -l "$samba_activity" | awk '{print $5}')
if [ "$log_size" -gt "$max_size" ]; then
    ### create archiv folder (and its parents) if it does not exist ###
    mkdir -p "$archivfolder"

    ### backup and create samba activity log ###
    cp "$samba_activity" "$archivfolder/$archivfile"
    ### stop log service so syslog-ng releases the file ###
    service syslog-ng stop
    rm "$samba_activity"
    echo "new log from $now" > "$samba_activity"

    ### again start log service ###
    service syslog-ng start
fi
 

Isaias

Hi. To set up logrotate you have to edit the file "/etc/newsyslog.conf" and add, for example, the following line:

/var/log/samba4/activity.log 640 720 * @T00 JC

This setup keeps the logs for 2 years and rotates them every day at 00:00.

For these changes to be permanent you have to edit the file "/conf/base/etc/newsyslog.conf".

Regards.
 

marian78

thx sir, i will try.
 

Mattia3rd

Hi,
I have a FreeNAS 9.3 and I've followed your advice.

I've modified /conf/base/etc/syslog.conf and added the lines above (with my own path).
Furthermore I've added the auxiliary parameter
log file = /mnt/Vol01/log/samba/%m.log
to the CIFS service.

I cannot see activity.log and docs.log.
I've tried to access the CIFS shares but nothing happened.

What could be the problem? Why aren't the log files there?
 

Mattia3rd

Did you get it logging?



long ha

Can you instruct me how to apply this tutorial for versions >9.3? I'm using version 9.10.
Thanks a lot.
 

Isaias

Hi long ha.

1. Edit the file "/conf/base/etc/local/syslog-ng.conf.freenas" and add:

Code:
destination m_samba_audit { file("/var/log/samba4/activity.log"); };
log { source(src); filter(f_local5);destination(m_samba_audit); flags(final); };


And restart the syslog-ng service:

service syslog-ng restart


2. Add the following lines in the aux parameters of the CIFS service:

Code:
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = none
full_audit:success = rename unlink rmdir mkdir write pwrite link
full_audit:facility = LOCAL5
full_audit:priority = NOTICE


3. In the Samba share, add "full_audit" in VFS Objects

4. For log rotation, add to "/conf/base/etc/newsyslog.conf" (example to keep logs for two years):
Code:
/var/log/samba4/activity.log 640 720 * @T00 JC


Now you can see the audit logs in "/var/log/samba4/activity.log".

Regards.
 

long ha

Hi,

Thanks a lot for your response. But I don't know whether I should follow your instructions only or combine them with tutorial steps 1, 2, 3 at the beginning of this thread.
When I follow your newest instructions only, syslog-ng restarts OK, but when I check activity.log it is just an empty file although I've tried to add, delete and edit files.
When I combine them with steps 1, 2, 3 of this tutorial and restart the syslog-ng service, it indicates that something is too old and couldn't start.

Regards
 

Isaias

Hi,
Following steps 1, 2 and 3 works perfectly in FreeNAS 9.10. To make it work without restarting the server, you have to edit the file "/etc/local/syslog-ng.conf" and restart the syslog-ng service again. Example:

Nov 15 11:57:09 freenas1 smbd_audit: DOMAIN\isaias.aranda|192.168.25.89|192.168.25.89|imagenes|mkdir|ok|Nueva carpeta
Nov 15 11:57:12 freenas1 smbd_audit: DOMAIN\isaias.aranda|192.168.25.89|192.168.25.89|imagenes|rmdir|ok|Nueva carpeta

Regards.
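As an added example (not code from this thread or from FreeNAS), here is a small Python parser for the audit lines this setup produces: syslog header, "smbd_audit:", the "%u|%I|%m|%S" prefix from the tutorial, then operation, result and the operation's path arguments, with a per-user summary that flags bursts of delete/rename operations. The sample lines, user names, hosts and addresses are constructed, and the burst threshold is an assumed value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (made-up users, hosts and RFC 5737 addresses) in the
# format this setup produces: syslog header, "smbd_audit:", the %u|%I|%m|%S
# prefix, then operation|result|path arguments.
SAMPLE_LOG = """\
Nov 15 11:57:09 freenas1 smbd_audit: DOMAIN\\alice|192.0.2.10|192.0.2.10|docs|mkdir|ok|Reports
Nov 15 11:57:12 freenas1 smbd_audit: DOMAIN\\alice|192.0.2.10|192.0.2.10|docs|rename|ok|Reports/a.txt|Reports/b.txt
Nov 15 11:58:01 freenas1 smbd_audit: DOMAIN\\bob|192.0.2.11|WS-BOB|docs|unlink|ok|Reports/q1.xlsx
Nov 15 11:58:02 freenas1 smbd_audit: DOMAIN\\bob|192.0.2.11|WS-BOB|docs|unlink|ok|Reports/q2.xlsx
Nov 15 11:58:02 freenas1 smbd_audit: DOMAIN\\bob|192.0.2.11|WS-BOB|docs|unlink|ok|Reports/q3.xlsx
Nov 15 11:58:03 freenas1 smbd_audit: DOMAIN\\bob|192.0.2.11|WS-BOB|docs|rmdir|fail (Directory not empty)|Reports
Nov 15 11:59:00 freenas1 sshd[123]: Accepted publickey for root from 192.0.2.12
"""

AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) smbd_audit: (?P<body>.*)$")

# Field names matching the tutorial's setting: full_audit:prefix = %u|%I|%m|%S
PREFIX_FIELDS = ("user", "client_ip", "client_name", "share")

def parse_audit_line(line, prefix_fields=PREFIX_FIELDS):
    """Return a dict for an smbd_audit line, or None for any other line."""
    m = AUDIT_RE.match(line)
    if m is None:
        return None
    parts = m.group("body").split("|")
    n = len(prefix_fields)
    # prefix + operation + result are mandatory; anything after them is the
    # operation's arguments (rename carries two paths, most operations one)
    if len(parts) < n + 2:
        return None
    rec = dict(zip(prefix_fields, parts))
    rec.update(ts=m.group("ts"), op=parts[n], result=parts[n + 1], args=parts[n + 2:])
    return rec

DESTRUCTIVE = {"unlink", "rmdir", "rename"}
def summarize(log_text, burst_threshold=3):
    """Count operations per (user, share), collect failed operations, and flag
    users whose destructive operations reach burst_threshold (an assumed
    value used here as a crude mass-deletion indicator)."""
    per_user = defaultdict(Counter)
    failures = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        per_user[(rec["user"], rec["share"])][rec["op"]] += 1
        if rec["result"] != "ok":
            failures.append(rec)
    flagged = sorted({user for (user, _), ops in per_user.items()
                      if sum(ops[o] for o in DESTRUCTIVE) >= burst_threshold})
    return per_user, failures, flagged
```

Feed it the activity.log written by the syslog-ng destination above; lines from other programs on the same facility are skipped because they lack the "smbd_audit:" tag.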
 

long ha

Hi Isaias,

I've successfully audited Samba with your instructions.
Now I'm going to do a fresh reinstall of FreeNAS and configure it one more time to make sure.
Once again, thank you very much for your support.

Best regards
 