Friday, November 9, 2012

Samba access log

First, configure the Samba server and create the Samba share directory and the Samba users.

Now open the file /etc/samba/smb.conf

Find the [global] section and add the lines below:

# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local7
full_audit:priority = notice

After adding these lines (I have created the Samba user 'test'), find [test] in smb.conf and add the lines below:


    vfs objects = full_audit
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = mkdir rename unlink rmdir open pwrite
    full_audit:failure = none


Now save smb.conf, open the file /etc/syslog.conf, and add the lines below at the end of the file:

filter f_local7 { facility(local7); };
destination m_samba_audit { file("/var/log/samba/log.audit"); };
log { source(src); filter(f_local7); destination(m_samba_audit); flags(final); };

Save the file.

Now restart the services:

/etc/init.d/smb restart
/etc/init.d/syslog restart

Now access the Samba directory from a client machine and make some changes in it, such as creating a new directory or renaming a directory.

After doing this, open the file /var/log/samba/log.audit.
It will contain a log of all the user's activity, with the username, the IP address of the client machine, and the operations the user performed.
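
To review that log for deletions and renames, the records can be parsed and counted per user and client IP. The following is an added example, not part of the original post; it assumes the traditional syslog header, the smbd_audit tag, and the four-field share prefix (user, client IP, client name, share), and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (assumed layout: syslog header, smbd_audit tag, then
# prefix|operation|result|args). A "fail" record is only written when the
# operation is listed in full_audit:failure.
SAMPLE_LOG = """\
Nov  9 10:15:02 fileserver smbd_audit: test|192.168.1.50|client1|test|mkdir|ok|newdir
Nov  9 10:15:09 fileserver smbd_audit: test|192.168.1.50|client1|test|rename|ok|newdir|reports
Nov  9 10:16:40 fileserver smbd_audit: test|192.168.1.50|client1|test|unlink|ok|reports/q3.xls
Nov  9 10:17:01 fileserver smbd_audit: test|192.168.1.77|client2|test|unlink|fail (Permission denied)|budget.xls
Nov  9 10:17:05 fileserver syslog-ng[812]: unrelated line that must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) smbd_audit(?:\[\d+\])?: (?P<body>.*)$")
PREFIX_FIELDS = ("user", "client_ip", "client_name", "share")  # share prefix order
DESTRUCTIVE = {"unlink", "rmdir", "rename"}

def parse_line(line):
    """Return a dict for one full_audit record, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    parts = m.group("body").split("|")
    n = len(PREFIX_FIELDS)
    if len(parts) < n + 2:  # need the prefix plus operation and result
        return None
    rec = dict(zip(PREFIX_FIELDS, parts[:n]))
    rec.update(timestamp=m.group("ts"), operation=parts[n],
               ok=parts[n + 1] == "ok", result=parts[n + 1], args=parts[n + 2:])
    return rec

def destructive_ops(log_text):
    """Count destructive operations per (user, client_ip, operation, ok)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["operation"] in DESTRUCTIVE:
            counts[(rec["user"], rec["client_ip"], rec["operation"], rec["ok"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(destructive_ops(SAMPLE_LOG).items()):
        print(n, *key)
```

If the prefix in smb.conf is changed, PREFIX_FIELDS has to be changed to match, since the parser relies on the field count to locate the operation name.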



[NOTE]

If you don't find the /var/log/samba/log.audit file, then create a log.audit file manually once.

