Samba Audit Logging

Support
1

NethServer Version: 8
Module: samba

Hi everyone! Here I am again. I’ve been trying for weeks to configure Audit Logging in Samba. I enabled Audit Logging on the desired shared folder, enabled Grafana, and went to Samba Audit search, but the log is quite confusing.

Is there any application I can use to process this data generated by Samba?

2

There’s no need to configure samba auditing manually as it’s provided in the Samba file server now, see Samba file server — NS8 documentation

What exactly is confusing in the logs? Could you please share an example and explain what you don’t like and how it should be?

Maybe the log can be filtered in a way it’s not that “polluted”…

3

Hi @mrmarkuz thanks for your reply!!

I read the documentation and enabled the auditing option. The log is sent to Grafana normally. The log generates many lines for just one action.

For example, when I delete a file, 3 to 6 lines of log are generated, all with create_file (file|open|0xOPERATION_CODE). I know this is normal, since the deletion process involves several steps… But is there any way to simplify it to something simpler, or some third-party application?

Example:

Currently
datetime | share | path | username | IP | operation
2025-12-23 14:37:03 | TEST | /DirName | LAB\Administrator | 123.456.789 | create_file (file|open|0x100081) | (…)

“Simplified”
datetime | share | path | username | IP | Action
2025-12-23 14:37:03 | TEST | FileTest.txt | LAB\Administrator | 123.456.789 | Deleted

My goal is to generate an email notification when a user deletes a file from a Share; I don’t know if this is possible using this auditing method.

1 Like
4

I think the “unlinkat” operation could be used to filter deleted files:

grafik
grafik2704×813 205 KB

Next step would be to create an alert rule for the unlink operation in a way that we don’t get spammed when a user deletes a lot of files.