The audit can be tweaked to ignore the read/access and just logs the write/update ?
Note # 1:
I forgot this: The shared folders are “read only” for all the users except for the administrator group (so there is a potential big problem with samba audit + logs + antivirus)
Because our antivirus seems to kill our NS server, it hits each file (scan) and the audit grows on thousands of records in a few days. Worse, there are none of the user files for daily work, yet.
So, I’m tweaking the AV to ignore the shares, but I still see some access on the “SambaStatus - locked files”. Need to check the filters again.
– -- Edit # 2