Hi guys
I am trying to log full_audit on my samba shares so I know who is creating, deleting, renaming, moving etc. files and directories in the samba/windows share.
In my etc/samba/smb.conf file, under [global] I have:
# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit:priority = notice
And under my [file share name] I have:
vfs object = full_audit
I created a new file in etc/rsyslog.d called 00-samba-audit.conf with these two lines in:
local5.notice /var/log/samba/audit.log
&~
And in the file /etc/rsyslog.d/50-default.conf I changed the following line:
*.*;auth,authpriv.none -/var/log/syslog
to read:
*.*;local5,auth,authpriv.none -/var/log/syslog
with this below it:
local5.notice /var/log/samba/audit.log
I then restarted samba and rsyslog. (This all comes from this web page: Samba - file audit log with full_audit | a32.me) It creates the audit.log file in my /var/log/samba/ directory but nothing else happens; it remains empty.
What am I doing wrong?!
It would be really great if someone could help me to audit my windows/samba share so I know who is creating, moving, deleting, renaming files etc.
Thanks!
------------edit---------------------
Moderator, please close this thread. It was solved long ago; it was a permission issue. Sorry that I am only informing you today.
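
Added example (not part of the original post): once /var/log/samba/audit.log is being written, a short script can answer the "who created, deleted or renamed what" question. It assumes the pipe-separated layout full_audit produces with the prefix %u|%I|%S from the post (user|client IP|share|operation|result|arguments); the sample lines, host name and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the original post), in the shape rsyslog
# writes for prefix %u|%I|%S: user|client IP|share|operation|result|arguments
SAMPLE_LOG = """\
Mar  3 10:15:01 fs01 smbd_audit: alice|192.0.2.10|projects|connect|ok|projects
Mar  3 10:15:07 fs01 smbd_audit: alice|192.0.2.10|projects|mkdir|ok|reports
Mar  3 10:15:20 fs01 smbd_audit: alice|192.0.2.10|projects|rename|ok|draft.txt|reports/final.txt
Mar  3 10:16:02 fs01 smbd_audit: bob|192.0.2.11|projects|unlink|fail (Permission denied)|reports/final.txt
Mar  3 10:16:30 fs01 smbd_audit: bob|192.0.2.11|projects|read|ok|reports/final.txt
Mar  3 10:17:00 fs01 kernel: unrelated line that must be skipped
"""

# Operations that change the share's namespace; names come from the success list in the post.
CHANGE_OPS = {"mkdir", "rmdir", "rename", "unlink", "symlink", "link", "mknod"}
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssmbd_audit(?:\[\d+\])?:\s(?P<body>.*)$")

def parse_line(line):
    """Return one audit event as a dict, or None for non-audit or malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # A file name containing '|' would add extra fields; they all end up in 'args'.
    parts = m.group("body").split("|")
    if len(parts) < 5:
        return None
    user, ip, share, op, result = parts[:5]
    return {"ts": m.group("ts"), "user": user, "ip": ip, "share": share,
            "op": op, "ok": result == "ok", "result": result, "args": parts[5:]}

def changes_by_user(text):
    """Group create/delete/rename style events by user, including failed attempts."""
    out = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev["op"] in CHANGE_OPS:
            out[ev["user"]].append((ev["op"], ev["ok"], ev["args"]))
    return dict(out)

if __name__ == "__main__":
    for user, events in changes_by_user(SAMPLE_LOG).items():
        print(user, events)
```

To run it against the real log, pass the contents of /var/log/samba/audit.log to changes_by_user instead of SAMPLE_LOG.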