Topic: Log File with Users Access on Server's Folder

[swifferina]

Hi!
I need to know if it's possible on Sme Server 7 to have a Log File with all the Users access to the Server's shared folders (date/time and Mac Address of the computer that has been connected to the server).
Thanks
Valentina

[Stefano]

Hi Valentina

actually such a feature is not present..

you could take a look at smbaudit

HTH

[Stefano]

sorry, my bad.. I should answer only after the second cup of cofee

read this topic..

I think you need a custom template to enable auditing

[Stefano]

hi, it's me again

after playing a bit, I've found a solution.. I'm actually testing on my production server

1) create the dir tree under templates-custom and enter the new dir

Code: [Select]

mkdir -p /etc/e-smith/templates-custom/etc/smb.conf/ibays/
cd /etc/e-smith/templates-custom/etc/smb.conf/ibays/

2) create a new fragment

Code: [Select]

pico 10smbaudit

3) fill it with this code

Code: [Select]

{
    $OUT = "";
    return unless (($ibay->prop('Audit') || 'disabled') eq 'enabled');

    $ibay_vfs->{full_audit}->{prefix} = "%u|%I|%S";                                                   
    $ibay_vfs->{full_audit}->{failure} = "connect";
    $ibay_vfs->{full_audit}->{success} = "opendir mkdir rmdir open write rename unlink";   
    $ibay_vfs->{full_audit}->{facility} = "local5";
    $ibay_vfs->{full_audit}->{priority} = "notice";
}
 
4) save it with Ctrl-X, y
5) now enable auditing..

Code: [Select]

db accounts setprop ibayname Audit enabled

Note: it's a capital a, it's case sensitive

6) expand template and restart smb service with

Code: [Select]

signal-event ibay-modify ibayname

in /var/log/messages you'll find something like

Code: [Select]

Aug 19 23:54:41 srvsrv smbd_audit: stefano|10.0.0.13|storage|unlink|ok|Options/pippo
Aug 19 23:54:43 srvsrv smbd_audit: stefano|10.0.0.13|storage|opendir|ok|Options
Aug 19 23:54:43 srvsrv smbd_audit: stefano|10.0.0.13|storage|opendir|ok|Options
Aug 19 23:54:43 srvsrv smbd_audit: stefano|10.0.0.13|storage|mkdir|ok|Options/pippo
Aug 19 23:54:50 srvsrv smbd_audit: stefano|10.0.0.13|storage|opendir|ok|Options
Aug 19 23:54:50 srvsrv smbd_audit: stefano|10.0.0.13|storage|opendir|ok|Options
Aug 19 23:54:50 srvsrv smbd_audit: stefano|10.0.0.13|storage|rename|ok|Options/pippo|Options/topolino
Aug 19 23:54:55 srvsrv smbd_audit: stefano|10.0.0.13|storage|opendir|ok|Options
Aug 19 23:54:55 srvsrv smbd_audit: stefano|10.0.0.13|storage|opendir|ok|Options/topolino
Aug 19 23:54:55 srvsrv smbd_audit: stefano|10.0.0.13|storage|rmdir|ok|Options/topolino

if you want to have a separate log file for it, you have to create custom templates form /etc/syslog.conf and /etc/logrotate.d

I will raise a NFR for this fragment

[cactus]

I will raise a NFR for this fragment

After doing so please post a reference, saves me and future readers some searching.

[cactus]

Here is some information (not sure if it is still valid) to fine tune your solution, for instance logging to a separate file in the samba log folder: http://a32.me/2009/10/samba-audit-trail/

I think such a solution is preferred to logging in /var/log/messages in regards to your NFR.

[Stefano]

After doing so please post a reference, saves me and future readers some searching.

will do..

cactus, could you please contact me off-line? thank you

[Stefano]

Here is some information (not sure if it is still valid) to fine tune your solution, for instance logging to a separate file in the samba log folder: http://a32.me/2009/10/samba-audit-trail/

I think such a solution is preferred to logging in /var/log/messages in regards to your NFR.

I'm already testing it.. I made templates for syslog.conf and for logrotate.d
installed and testing on 5 servers, waiting to some feedback

I would like to write/find a  log parser to populate mysql db and use smbdaudit web interface..

[Stefano]

NFR 6176 in bugzilla