File Access logging

digidax · August 14, 2017, 4:54am

Hi,
How can I enable a logging for file access for the Samba users?
So I can see, wehich user has opened or changed a file?

Thanks,
Frank

Moritz_Bunkus · August 15, 2017, 9:37am

Hey,

Yes, that is possible, on a share-by-share basis even. You’ll have to enable the audit VFS module for the share. This can be done from the Univention Management Console. Navigate to “Domain” → “Shares” and edit the corresponding share.

Next go to the “Samba” tab and there enter full_audit in the “VFS objects” input. Save the share, wait a couple of seconds, and try accessing files. You should now find lines such as the following one in the syslog log file of the server that offers the share:

Aug 15 11:26:04 kyushu smbd_audit: IP=10.199.92.47|USER=mbunkus|MACHINE=10_199_92_47|VOLUME=daten|pwrite|ok|software/ISOs/grml.iso

Kind regards,
mosu

digidax · May 3, 2018, 1:16pm

Hey, have done like desrciped but there is no log entry in /var/log/syslog for this.

using UCS 4.2-3 errata315

thanks.

digidax · May 4, 2018, 5:37am

After update to UCS 4.3.0 I have now log entries.

Thanks.

digidax · May 4, 2018, 5:44am

Is it possible to change the log location for logging “smbd_audit” events?
I would like to use a central logging server.

So basicly: weher can I change the Audit settings on UCS server?

# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod
fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit:priority = notice

Thanks for support.

Moritz_Bunkus · May 14, 2018, 8:16am

Hey,

you can add arbitrary smb.conf options for each share directly in the Univention Management Console. Log in, navigate to the share you need to change the settings for, edit it, go to the [Advanced Settings] tab and expand the Samba custom settings section. Here you can add e.g. full_audit:prefix as a key and %u|%I|%S as a value. Add as many pairs as you need.

Kind regards,
mosu

digidax · May 14, 2018, 9:32am

Great stuff, everything is working well now. Thanks a lot.

Moritz_Bunkus · May 14, 2018, 10:27am

Great! You’re quite welcome.

DavidPellerin · March 27, 2021, 9:27pm

I have followed Moritz_Bunkus’ process/config but I can’t find the file in which the data is logged. I looked into the syslog of our UCS server but it’s nowhere to be found.

Can someone help.