Samba share and file access logging

NethServer Version: 6.8 and 7
Module: logging

I’m having trouble with this. I discovered that in testing ns7 I couldn’t find any file access logging.
I installed samba-audit, but even after accessing share files to create logs, I can find no logging, not from samba-audit or from searching the logs from the gui, or at shell for the unique file name accessed. I looked at my 6.8 installs, installed samba-audit in one of them, which is quite busy, and I can find no logging, anywhere.

I can only find one page about samba-audit in the dev docs.

What am I missing here?

AFAIK, samba-audit logs are in /var/log/messages.
The web UI scans the log file to produce reports.

Not here in 6.8.

This is /messages; you can see me initiating the reload action from the samba-audit GUI page, but not the edit of a uniquely named txt file.

```
Oct 18 14:58:06 server7b logger: Rotating smbaudit logs 0
Oct 18 14:58:20 server7b logger: Rotating smbaudit logs 0
Oct 18 14:58:20 server7b sshd[16623]: Did not receive identification string from 192.168.124.107
Oct 18 14:58:23 server7b logger: Rotating smbaudit logs 0
Oct 18 14:59:32 server7b logger: Rotating smbaudit logs 0
Oct 18 14:59:41 server7b logger: Rotating smbaudit logs 0
Oct 18 15:00:08 server7b logger: Rotating smbaudit logs 0
Oct 18 15:03:10 server7b smbd[16680]: [2016/10/18 15:03:10.216770, 0] printing/print_cups.c:151(cups_connect)
Oct 18 15:03:10 server7b smbd[16680]: Unable to connect to CUPS server localhost:631 - Connection refused
Oct 18 15:03:10 server7b smbd[2329]: [2016/10/18 15:03:10.229434, 0] printing/print_cups.c:528(cups_async_callback)
Oct 18 15:03:10 server7b smbd[2329]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
Oct 18 15:06:35 server7b sshd[16692]: Accepted password for root from 192.168.124.126 port 54803 ssh2
Oct 18 15:16:10 server7b smbd[16747]: [2016/10/18 15:16:10.748625, 0] printing/print_cups.c:151(cups_connect)
Oct 18 15:16:10 server7b smbd[16747]: Unable to connect to CUPS server localhost:631 - Connection refused
Oct 18 15:16:10 server7b smbd[2329]: [2016/10/18 15:16:10.748988, 0] printing/print_cups.c:528(cups_async_callback)
Oct 18 15:16:10 server7b smbd[2329]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
Oct 18 15:29:11 server7b smbd[17225]: [2016/10/18 15:29:11.449404, 0] printing/print_cups.c:151(cups_connect)
Oct 18 15:29:11 server7b smbd[17225]: Unable to connect to CUPS server localhost:631 - Connection refused
Oct 18 15:29:11 server7b smbd[2329]: [2016/10/18 15:29:11.456000, 0] printing/print_cups.c:528(cups_async_callback)
Oct 18 15:29:11 server7b smbd[2329]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
Oct 18 15:42:12 server7b smbd[17833]: [2016/10/18 15:42:12.081606, 0] printing/print_cups.c:151(cups_connect)
Oct 18 15:42:12 server7b smbd[17833]: Unable to connect to CUPS server localhost:631 - Connection refused
Oct 18 15:42:12 server7b smbd[2329]: [2016/10/18 15:42:12.170144, 0] printing/print_cups.c:528(cups_async_callback)
Oct 18 15:42:12 server7b smbd[2329]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
Oct 18 15:42:13 server7b logger: Rotating smbaudit logs 0
Oct 18 15:42:14 server7b logger: Rotating smbaudit logs 0
Oct 18 15:42:26 server7b logger: Rotating smbaudit logs 0
Oct 18 15:42:46 server7b logger: Rotating smbaudit logs 0
```

Hi @fasttech,

I didn’t have issues with Samba audit on NS 7b2 (test machine).
The only thing that I did was to reboot the NS after I installed the Samba audit module.

That’s pretty. Do you know where those logs are in the file system for 6.8 or 7?
I’ve rebooted v7 post install of samba-audit, but there should have been logs somewhere even before I installed samba-audit. Is there a change to logging verbosity in samba config when samba-audit is installed?

For NS 7b2 (not in Administration -> Log viewer):

What do you mean, smbaudit.log is there in 6.8 and 7, just empty.

Here’s my 6.8 install, not rebooted since samba-audit install (production), empty logs.

You’re right!
I have looked for “samba” not “smb”!

I’m old and blind!

Did you create a shared folder and try to access it from the network?

Dude, it’s production, there’s a dozen people in there now.


Here’s my 7 install, post reboot since samba-audit install, empty logs.

WTH? I’m cursed.

I really don’t know!

**_EDIT:_**
Maybe something went wrong during the Samba audit module installation.

Here is my smb.conf:

```
#

[global]
#
# 10base
#
workgroup = TEST
server string = NethServer 7.2.1511 beta2 (Samba %v)
security = ADS
realm = TEST.ABT.RO
kerberos method = secrets and keytab
netbios name = PDC-AD


[global]

# log files split per-machine:
log file = /var/log/samba/log.%m
# maximum size of 50KB per log file, then rotate:
max log size = 50

# Only bind to allowed NIC's
bind interfaces only = yes
interfaces = 127.0.0.1 192.168.1.0/24
hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0

# Idle time before disconnecting the client
deadtime = 10080

# Alias NETBIOS names, used to provide access to Samba via multiple hostnames

netbios aliases =

; WINS setup (other server)
wins server =
remote announce =
remote browse sync =

; Guest access (#1882). Shares must be guest-ok, to allow it.
map to guest = Bad User

; create home dirs if missing (#5090)
obey pam restrictions = yes
# SambaAudit configuration
full_audit:prefix = smbauditlog|%T|%u|%I|%S|%U
full_audit:success = read write open unlink mkdir rmdir rename chmod
full_audit:failure = read write open unlink mkdir rmdir rename chmod
full_audit:facility = LOCAL7
full_audit:priority = INFO

;
; Home directories
;
[homes]
comment = Home directories
browseable = no
writable = yes
create mode = 0660
force create mode = 0660
directory mode = 0770
force directory mode = 0770

;
; Added to support printer drivers download
; This share is writable according to Unix file permissions
;
[print$]
comment = Printer drivers
path = /var/lib/nethserver/print_driver
guest ok = yes
browseable = yes
writable = no


#
# 10base -- ibay storage_1 definition.
#           Required profile is ""
#           Applied profile is "default"
#
[storage_1]
path = /var/lib/nethserver/ibay/storage_1
comment = storage_1
# 20profile_default:
read only            = no
inherit permissions  = yes
; Add group write bit to default create mask, remove DOS archive bit (see below) #2039
create mask          = 0664
inherit owner        = yes
; Use extended attribute to store DOS attributes (see man page)
store dos attributes = yes
map archive          = no
map readonly         = no
inherit acls         = yes
map acl inherit      = yes
guest ok             = yes
browseable           = yes

# 90vfs_output
vfs objects = full_audit recycle
  recycle: exclude_dir = /tmp|/temp|/cache
  recycle: repository = Recycle Bin
  recycle: versions = True
  recycle: keeptree = True
  recycle: touch = True
  recycle: directory_mode = 0770
  recycle: exclude = *.tmp|*.temp|*.o|*.obj|~$*
```
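
A check for the situation in this thread, added here as an example and not taken from any poster or from NethServer: it reads an smb.conf and reports which shares load `full_audit` through `vfs objects` and which syslog facility the audit records use. The sample config is constructed from the one posted above, with a hypothetical `scans` share added; `parse_smb_conf` and `audit_report` are names chosen for this example.

```python
import re

# Constructed sample: reduced from the smb.conf posted above, plus one
# hypothetical share ("scans") that loads recycle but not full_audit.
SAMPLE_CONF = """\
[global]
workgroup = TEST
[global]
full_audit:prefix = smbauditlog|%T|%u|%I|%S|%U
full_audit:success = read write open unlink mkdir rmdir rename chmod
full_audit:facility = LOCAL7
[homes]
browseable = no
[storage_1]
vfs objects = full_audit recycle
  recycle: versions = True
[scans]
vfs objects = recycle
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; repeated sections are merged."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit_report(text):
    """Summarise where full_audit is active and where its records go."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    inherited = glob.get("vfsobjects", "")  # [global] value is the share default
    audited, unaudited = [], []
    for name, params in conf.items():
        if name == "global":
            continue
        vfs = params.get("vfsobjects", inherited).split()
        (audited if "full_audit" in vfs else unaudited).append(name)
    return {"audited": audited, "unaudited": unaudited,
            "facility": glob.get("full_audit:facility"),
            "success_ops": glob.get("full_audit:success", "").split()}
```

Run against the full config posted above, `[homes]` and `[print$]` would be listed as unaudited because only `[storage_1]` names `full_audit`; the facility value indicates which syslog rule decides the destination file.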

Ok, you have the same samba log file setup I have in v7.

But… they’re all empty… this should be over and above samba-audit, it comes with file sharing install.

Shit. Here’s one of my 6.8 production installs. Damn.

And the samba-audit section of the same conf… I’ll have to pull everyone off the server and reboot it during lunch I guess and see what the log level sets at.

Son of a… @GG_jr You. The. Man.


As I said a long time ago, a sysadmin is a very busy man (or woman) and may make mistakes!
You are not a machine!
I’m glad that I could help you!


Well, my v6.8 samba-audit install works now.

My v7 samba-audit does not, even post reboot, even though there are now entries in the /smbaudit.log and I can ‘follow’ my actions live in ‘view logs’.

On my NS 7b2 test machine, I have installed all test modules.
Maybe it is something that I have installed for testing and you haven’t (you have a production system).
Let’s wait to synchronize all mirrors to make the updates.