Samba share and file access logging

NethServer Version: 6.8 and 7
Module: logging

I’m having trouble with this. I discovered that in testing ns7 I couldn’t find any file access logging.
I installed samba-audit, but even after accessing share files to create logs, I can find no logging, not from samba-audit or from searching the logs from the gui, or at shell for the unique file name accessed. I looked at my 6.8 installs, installed samba-audit in one of them, which is quite busy, and I can find no logging, anywhere.

I can only find one page about samba-audit in the dev docs.

What am I missing here?

AFAIK, samba-audit logs are in /var/log/messages.
The web UI scans the log file to produce reports.

Not here in 6.8.

this is /messages you can see me initiating the reload action from the samba-audit gui page but not the edit of a uniquely named txt file.

Oct 18 14:58:06 server7b logger: Rotating smbaudit logs 0 Oct 18 14:58:20 server7b logger: Rotating smbaudit logs 0 Oct 18 14:58:20 server7b sshd[16623]: Did not receive identification string from 192.168.124.107 Oct 18 14:58:23 server7b logger: Rotating smbaudit logs 0 Oct 18 14:59:32 server7b logger: Rotating smbaudit logs 0 Oct 18 14:59:41 server7b logger: Rotating smbaudit logs 0 Oct 18 15:00:08 server7b logger: Rotating smbaudit logs 0 Oct 18 15:03:10 server7b smbd[16680]: [2016/10/18 15:03:10.216770, 0] printing/print_cups.c:151(cups_connect) Oct 18 15:03:10 server7b smbd[16680]: Unable to connect to CUPS server localhost:631 - Connection refused Oct 18 15:03:10 server7b smbd[2329]: [2016/10/18 15:03:10.229434, 0] printing/print_cups.c:528(cups_async_callback) Oct 18 15:03:10 server7b smbd[2329]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL Oct 18 15:06:35 server7b sshd[16692]: Accepted password for root from 192.168.124.126 port 54803 ssh2 Oct 18 15:16:10 server7b smbd[16747]: [2016/10/18 15:16:10.748625, 0] printing/print_cups.c:151(cups_connect) Oct 18 15:16:10 server7b smbd[16747]: Unable to connect to CUPS server localhost:631 - Connection refused Oct 18 15:16:10 server7b smbd[2329]: [2016/10/18 15:16:10.748988, 0] printing/print_cups.c:528(cups_async_callback) Oct 18 15:16:10 server7b smbd[2329]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL Oct 18 15:29:11 server7b smbd[17225]: [2016/10/18 15:29:11.449404, 0] printing/print_cups.c:151(cups_connect) Oct 18 15:29:11 server7b smbd[17225]: Unable to connect to CUPS server localhost:631 - Connection refused Oct 18 15:29:11 server7b smbd[2329]: [2016/10/18 15:29:11.456000, 0] printing/print_cups.c:528(cups_async_callback) Oct 18 15:29:11 server7b smbd[2329]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL Oct 18 15:42:12 server7b smbd[17833]: [2016/10/18 15:42:12.081606, 0] printing/print_cups.c:151(cups_connect) Oct 18 15:42:12 server7b smbd[17833]: Unable to connect to CUPS server localhost:631 - Connection refused Oct 18 15:42:12 server7b smbd[2329]: [2016/10/18 15:42:12.170144, 0] printing/print_cups.c:528(cups_async_callback) Oct 18 15:42:12 server7b smbd[2329]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL Oct 18 15:42:13 server7b logger: Rotating smbaudit logs 0 Oct 18 15:42:14 server7b logger: Rotating smbaudit logs 0 Oct 18 15:42:26 server7b logger: Rotating smbaudit logs 0 Oct 18 15:42:46 server7b logger: Rotating smbaudit logs 0

Hi @fasttech ,

I didn’t have issues with Samba audit on NS 7b2 (test machine).
The only thing that I’ve made was to reboot the NS after I’ve installed Samba audit module.

Samba audit NS7b2.PNG1277×921 112 KB

That’s pretty. Do you know where those logs are in the file system for 6.8 or 7?
I’ve rebooted v7 post install of samba-audit, but there should have been logs somewhere even before I installed samba-audit. Is there a change to logging verbosity in samba config when samba-audit is installed?

For NS 7b2 (not in Administration → Log viewer):

Samba audit log.PNG956×630 46 KB

Samba audit cfg.PNG946×615 31.7 KB

What do you mean, smbaudit.log is there in 6.8 and 7, just empty.

here’s my 6.8 install, not rebooted since samba-audit install, (production), empty logs.

You’re right!
I have looked for “samba” not “smb”!

I’m old and blind!

Admin - Samba log files.PNG1261×694 95.9 KB

Did you create a shared folder and tried to access it from network?

Dude, it’s production, there’s a dozen people in there now.

Here’s my 7 install, post reboot since samba-audit install, empty logs.

WTH? I’m cursed.

I really don’t know!

**_EDIT:_**
Maybe something went wrong during Samba audit module installation

Here is my smb.conf:

# 

[global]
#
# 10base
#
workgroup = TEST
server string = NethServer 7.2.1511 beta2 (Samba %v)
security = ADS
realm = TEST.ABT.RO
kerberos method = secrets and keytab
netbios name = PDC-AD


[global]

# log files split per-machine:
log file = /var/log/samba/log.%m
# maximum size of 50KB per log file, then rotate:
max log size = 50

# Only bind to allowed NIC's
bind interfaces only = yes
interfaces = 127.0.0.1 192.168.1.0/24
hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0

# Idle time before disconnecting the client
deadtime = 10080

# Alias NETBIOS names, used to provide access to Samba via multiple hostnames

netbios aliases = 

; WINS setup (other server)
wins server = 
remote announce = 
remote browse sync = 

; Guest access (#1882). Shares must be guest-ok, to allow it.
map to guest = Bad User

; create home dirs if missing (#5090)
obey pam restrictions = yes
# SambaAudit configuration
full_audit:prefix = smbauditlog|%T|%u|%I|%S|%U
full_audit:success = read write open unlink mkdir rmdir rename chmod 
full_audit:failure = read write open unlink mkdir rmdir rename chmod  
full_audit:facility = LOCAL7
full_audit:priority = INFO

;
; Home directories
;
[homes]
comment = Home directories
browseable = no
writable = yes
create mode = 0660
force create mode = 0660
directory mode = 0770
force directory mode = 0770

;
; Added to support printer drivers download
; This share is writable according to Unix file permissions
;
[print$]
comment = Printer drivers
path = /var/lib/nethserver/print_driver
guest ok = yes
browseable = yes
writable = no


#
# 10base -- ibay storage_1 definition. 
#           Required profile is ""
#           Applied profile is "default"
#
[storage_1]
path = /var/lib/nethserver/ibay/storage_1
comment = storage_1
# 20profile_default:
read only            = no
inherit permissions  = yes
; Add group write bit to default create mask, remove DOS archive bit (see below) #2039
create mask          = 0664 
inherit owner        = yes
; Use extended attribute to store DOS attributes (see man page)
store dos attributes = yes  
map archive          = no
map readonly         = no
inherit acls         = yes
map acl inherit      = yes
guest ok             = yes
browseable           = yes

# 90vfs_output
vfs objects = full_audit recycle
  recycle: exclude_dir = /tmp|/temp|/cache
  recycle: repository = Recycle Bin
  recycle: versions = True
  recycle: keeptree = True
  recycle: touch = True
  recycle: directory_mode = 0770
  recycle: exclude = *.tmp|*.temp|*.o|*.obj|~$*

Ok, you have the same samba log file setup I have in v7.

but… they’re all empty… this should be over and above samba-audit, it comes with file sharing install.

ns7sambalogs.jpg933×754 107 KB

Shit. Here’s one of my 6.8 production installs. Damn.

ns68sambalogconfig.jpg715×125 11.3 KB

and the samba-audit section of the same conf… I’ll have to pull eveyone off the server and reboot it during lunch I guess and see what the log level sets at.

Son of a… @GG_jr You. The. Man.

As I said long time ago, a sysadmin is a very busy man (or woman) and may do mistakes!
You are not a machine!
I’m glad that I could help you!

Well, my v6.8 samba-audit install works now.

My v7 samba-audit does not, even post reboot, even though there are now entries in the /smbaudit.log and I can ‘follow’ my actions live in ‘view logs’.

On my NS 7b2 test machine, I have installed all test modules.
Maybe is something that I have installed for test and you don’t (you have a production system).
Let’s wait to synchronize all mirrors to make the updates.