File Access logging

How can I enable logging of file access for the Samba users?
So I can see which user has opened or changed a file?



Yes, that is possible, on a share-by-share basis even. You’ll have to enable the audit VFS module for the share. This can be done from the Univention Management Console. Navigate to “Domain” → “Shares” and edit the corresponding share.

Next go to the “Samba” tab and there enter full_audit in the “VFS objects” input. Save the share, wait a couple of seconds, and try accessing files. You should now find lines such as the following one in the syslog log file of the server that offers the share:

Aug 15 11:26:04 kyushu smbd_audit: IP=|USER=mbunkus|MACHINE=10_199_92_47|VOLUME=daten|pwrite|ok|software/ISOs/grml.iso

Kind regards,

Hey, have done like described but there is no log entry in /var/log/syslog for this.

using UCS 4.2-3 errata315


After updating to UCS 4.3.0 I now have log entries.


Is it possible to change the log location for logging “smbd_audit” events?
I would like to use a central logging server.

So basically: where can I change the Audit settings on UCS server?

# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit:priority = notice

Thanks for support.


You can add arbitrary smb.conf options for each share directly in the Univention Management Console. Log in, navigate to the share you need to change the settings for, edit it, go to the [Advanced Settings] tab and expand the Samba custom settings section. Here you can add e.g. full_audit:prefix as a key and %u|%I|%S as a value. Add as many pairs as you need.

Kind regards,
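
An added example, not part of the original posts and not Univention or Samba code: a Python parser for smbd_audit syslog lines that answers "which user changed which file". It handles the KEY=value prefix of the log line quoted earlier in the thread and a positional prefix such as %u|%I|%S; the field names user/ip/share, the second sample line and the set of operations counted as changes are assumptions.

```python
import re
from collections import defaultdict

# Operations from the thread's full_audit:success list that change data or metadata.
WRITE_OPS = {"write", "pwrite", "rename", "unlink", "mkdir", "rmdir",
             "ftruncate", "chmod", "fchmod", "chown", "fchown"}
TAG = "smbd_audit: "  # syslog tag as it appears in the quoted line

# First line is the one quoted in the thread; the second is constructed.
SAMPLE = [
    "Aug 15 11:26:04 kyushu smbd_audit: IP=|USER=mbunkus|MACHINE=10_199_92_47|VOLUME=daten|pwrite|ok|software/ISOs/grml.iso",
    "Aug 15 11:27:10 kyushu smbd_audit: IP=|USER=alice|MACHINE=pc1|VOLUME=daten|unlink|fail (Permission denied)|software/notes.txt",
]

def parse_audit_line(line, prefix_fields=None):
    """Parse one smbd_audit line into a dict; None if it is not one.
    prefix_fields=None: KEY=value prefix, as in the quoted line. Otherwise a list
    of caller-chosen names for a positional prefix such as %u|%I|%S."""
    _, found, payload = line.rstrip("\n").partition(TAG)
    if not found:
        return None
    rec = {}
    if prefix_fields is None:
        # Consume leading KEY=value fields; a value may be empty ("IP=").
        while (m := re.match(r"([A-Z]+)=([^|]*)\|", payload)):
            rec[m.group(1).lower()] = m.group(2)
            payload = payload[m.end():]
    else:
        parts = payload.split("|", len(prefix_fields))
        if len(parts) <= len(prefix_fields):
            return None
        rec.update(zip(prefix_fields, parts))
        payload = parts[-1]
    # The rest is op|result|detail. detail stays raw: a file name may contain "|".
    tail = payload.split("|", 2)
    if len(tail) < 3:
        return None
    rec["op"], rec["result"], rec["detail"] = tail
    return rec

def changes_by_user(lines, prefix_fields=None):
    """Map each user to the paths touched by successful write-class operations."""
    out = defaultdict(set)
    for line in lines:
        rec = parse_audit_line(line, prefix_fields)
        if rec and rec["op"] in WRITE_OPS and rec["result"] == "ok":
            out[rec.get("user", "?")].add(rec["detail"])
    return dict(out)
```

Feed it the lines of the syslog file, for example `changes_by_user(open("/var/log/syslog"))`; for a share using the %u|%I|%S prefix pass `prefix_fields=["user", "ip", "share"]`.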

Great stuff, everything is working well now. Thanks a lot.

Great! You’re quite welcome.

I have followed Moritz_Bunkus’ process/config but I can’t find the file in which the data is logged. I looked into the syslog of our UCS server but it’s nowhere to be found.

Can someone help?