hi, it's me again
after playing a bit, I've found a solution.. I'm actually testing on my production server
1) create the dir tree under templates-custom and enter the new dir
mkdir -p /etc/e-smith/templates-custom/etc/smb.conf/ibays/
cd /etc/e-smith/templates-custom/etc/smb.conf/ibays/
2) create a new fragment
pico 10smbaudit
3) fill it with this code
{
$OUT = "";
return unless (($ibay->prop('Audit') || 'disabled') eq 'enabled');
$ibay_vfs->{full_audit}->{prefix} = "%u|%I|%S";
$ibay_vfs->{full_audit}->{failure} = "connect";
$ibay_vfs->{full_audit}->{success} = "opendir mkdir rmdir open write rename unlink";
$ibay_vfs->{full_audit}->{facility} = "local5";
$ibay_vfs->{full_audit}->{priority} = "notice";
}
4) save it with Ctrl-X, y
5) now enable auditing..
db accounts setprop ibayname Audit enabled
Note: it's a capital a, it's case sensitive
6) expand template and restart smb service with
signal-event ibay-modify ibayname
in /var/log/messages you'll find something like
Aug 19 23:54:41 srvsrv smbd_audit: stefano|10.0.0.13|storage|unlink|ok|Options/pippo
Aug 19 23:54:43 srvsrv smbd_audit: stefano|10.0.0.13|storage|opendir|ok|Options
Aug 19 23:54:43 srvsrv smbd_audit: stefano|10.0.0.13|storage|opendir|ok|Options
Aug 19 23:54:43 srvsrv smbd_audit: stefano|10.0.0.13|storage|mkdir|ok|Options/pippo
Aug 19 23:54:50 srvsrv smbd_audit: stefano|10.0.0.13|storage|opendir|ok|Options
Aug 19 23:54:50 srvsrv smbd_audit: stefano|10.0.0.13|storage|opendir|ok|Options
Aug 19 23:54:50 srvsrv smbd_audit: stefano|10.0.0.13|storage|rename|ok|Options/pippo|Options/topolino
Aug 19 23:54:55 srvsrv smbd_audit: stefano|10.0.0.13|storage|opendir|ok|Options
Aug 19 23:54:55 srvsrv smbd_audit: stefano|10.0.0.13|storage|opendir|ok|Options/topolino
Aug 19 23:54:55 srvsrv smbd_audit: stefano|10.0.0.13|storage|rmdir|ok|Options/topolino
if you want to have a separate log file for it, you have to create custom templates form /etc/syslog.conf and /etc/logrotate.d
I will raise a NFR for this fragment