First configure the Samba server and create the Samba share directory and Samba users.
Now open the file /etc/samba/smb.conf.
Find the [global] section and add the lines below:
# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local7
full_audit:priority = notice
After adding these lines, I have created Samba user 'test'; find [test] in smb.conf and add the lines below:
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%s
full_audit:success = mkdir rename unlink rmdir open pwrite
full_audit:failure = none
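Now save smb.conf, open the file /etc/syslog.conf and add the lines below at the end of the file. They are written in syslog-ng syntax, and source(src) must match the name of the source already defined in that file. The filter name used in the log statement must be the one defined in the filter line, and the destination is the file that is read later.
filter f_local7 { facility(local7); };
destination m_samba_audit { file("/var/log/samba/log.audit"); };
log { source(src); filter(f_local7); destination(m_samba_audit); flags(final); };
Save the file.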
Now restart the services:
/etc/init.d/smb restart
/etc/init.d/syslog restart
Now access the Samba directory from a client machine and make some changes in it, such as creating a new directory or renaming a directory.
After doing this, open the file /var/log/samba/log.audit.
It contains a record of each user's activity: the username, the IP address of the client machine, and the operations the user performed.
[NOTE]
If you don't find the /var/log/samba/log.audit file, create a log.audit file manually once.
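To review the resulting log, the following added example (not part of the original post) parses audit lines written with the [test] share's four-field prefix and counts successful delete and rename operations per user and client IP. The sample lines are constructed, and the "smbd_audit:" syslog tag and the prefix|operation|result|arguments layout are assumptions about what full_audit writes.

```python
import re
from collections import Counter

# Number of '|'-separated fields in the share's full_audit:prefix (%u|%I|%m|%s -> 4).
PREFIX_FIELDS = 4
# Operations from the share's full_audit:success list that remove or move data.
DESTRUCTIVE = {"unlink", "rmdir", "rename"}

# Constructed sample lines (assumed layout: prefix|operation|result|arguments).
SAMPLE = """\
Mar  3 10:15:02 fs01 smbd_audit: test|192.0.2.10|pc-a|test|mkdir|ok|reports
Mar  3 10:15:09 fs01 smbd_audit: test|192.0.2.10|pc-a|test|rename|ok|reports|reports-old
Mar  3 10:16:40 fs01 smbd_audit: test|192.0.2.10|pc-a|test|open|ok|w|reports-old/q1.xls
Mar  3 10:17:11 fs01 smbd_audit: test|192.0.2.10|pc-a|test|unlink|ok|reports-old/q1.xls
Mar  3 10:17:12 fs01 smbd_audit: test|192.0.2.10|pc-a|test|rmdir|ok|reports-old
Mar  3 10:20:00 fs01 smbd[2211]: unrelated daemon message
"""

# Classic syslog header, then the audit tag, then the '|'-separated body.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"smbd_audit(?:\[\d+\])?:\s(?P<body>.*)$"
)

def parse_line(line):
    """Return a dict for one audit line, or None if it is not an audit record."""
    m = LINE.match(line)
    if not m:
        return None
    parts = m.group("body").split("|")
    if len(parts) < PREFIX_FIELDS + 2:
        return None  # truncated or foreign record
    # A '|' inside a file name would add extra fields; they stay in "args".
    return {"ts": m.group("ts"), "user": parts[0], "ip": parts[1],
            "op": parts[PREFIX_FIELDS], "ok": parts[PREFIX_FIELDS + 1] == "ok",
            "args": parts[PREFIX_FIELDS + 2:]}

def destructive_counts(text):
    """Count successful unlink/rmdir/rename operations per (user, client IP)."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev["ok"] and ev["op"] in DESTRUCTIVE:
            counts[(ev["user"], ev["ip"])] += 1
    return counts

if __name__ == "__main__":
    for (user, ip), n in destructive_counts(SAMPLE).items():
        print(f"{user} from {ip}: {n} delete/rename operations")
```

If the prefix in smb.conf is changed, PREFIX_FIELDS has to be changed to the new number of fields.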