To add auditing you could customize the samba app; see also Recycle Bin Samba NS8 - #31 by mrmarkuz
I tried the options from NS7 but they don’t work anymore as vfs_full_audit has changed.
I needed to set `full_audit:syslog` to `false` to get the audit logs on the log page.

Enter the samba app environment (in my case samba1):

```bash
runagent -m samba1
```

Open `include.conf` in nano

```bash
podman unshare nano $(podman volume inspect config --format={{.Mountpoint}})/include.conf
```

and add the following content:

```ini
full_audit:success = chdir fdopendir lchown mkdirat openat renameat
full_audit:failure = chdir fdopendir lchown mkdirat openat renameat
full_audit:facility = LOCAL7
full_audit:priority = ALERT
full_audit:syslog = false
```

Enable auditing for a specific share (in this example testfolder; the share needs to exist):

```bash
podman exec samba-dc net conf setparm testfolder "vfs objects" "dfs_samba4 acl_xattr full_audit"
```

Restart the samba-dc to apply the changes:

```bash
systemctl --user restart samba-dc
```

Exit the environment:

```bash
exit
```

Watch the log page when browsing a share and you should see the log entries.
There’s room for improvement as regards the success and failure list. It’s also possible to use “all” but that will produce too many log entries IMO.
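
A small triage script for the entries that end up on the log page, as an added example that is not part of the original post. It assumes the default full_audit prefix (`%u|%I`, since the include.conf above sets none) and a `user|ip|operation|result|arguments` line layout; the sample lines, function names and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout of a full_audit entry with the default prefix "%u|%I":
#   user|client-ip|operation|ok|args...
#   user|client-ip|operation|fail (reason)|args...
AUDIT_RE = re.compile(
    r"(?P<user>[^|\s]+)\|(?P<ip>[^|\s]+)\|(?P<op>[a-z_0-9]+)\|"
    r"(?P<result>ok|fail \((?P<reason>[^)]*)\))(?:\|(?P<args>.*))?$"
)

# Constructed sample lines (not from a real system); the leading
# timestamp/unit text stands in for whatever the log page prepends.
SAMPLE_LOG = """\
Jan 10 09:00:01 ns8 samba-dc[1234]: alice|192.0.2.10|openat|ok|r|report.odt
Jan 10 09:00:02 ns8 samba-dc[1234]: bob|192.0.2.11|openat|fail (Permission denied)|r|payroll.ods
Jan 10 09:00:03 ns8 samba-dc[1234]: bob|192.0.2.11|renameat|fail (Permission denied)|a.txt|b.txt
Jan 10 09:00:04 ns8 samba-dc[1234]: alice|192.0.2.10|openat|fail (No such file or directory)|r|old.txt
Jan 10 09:00:05 ns8 samba-dc[1234]: daemon housekeeping message without audit fields
"""


def parse_line(line):
    """Return the audit fields of one log line, or None for non-audit lines."""
    m = AUDIT_RE.search(line.strip())
    return m.groupdict() if m else None


def repeated_failures(log_text, threshold=2):
    """Count failed operations per (user, ip, reason); keep those >= threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] != "ok":
            counts[(rec["user"], rec["ip"], rec["reason"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (user, ip, reason), n in repeated_failures(SAMPLE_LOG).items():
        print(f"{user} from {ip}: {n} failed operations ({reason})")
```

Repeated "Permission denied" failures from one user and address are usually the entries worth reviewing first; a single "No such file or directory" is normal client behaviour and stays below the threshold.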