Topic: How to disable full_audit option?

[Oziris]

Hi

Auditing make server slow. How can I disabled this option?

Thanks

[Stefano]

What auditing are you talking about?

[Oziris]

Hi

I'm talking those lines in smb.conf:

vfs objects = full_audit
  full_audit:priority=notice
  full_audit:success=mkdir rmdir chdir open close rename unlink connect disconnect
  full_audit:failure=mkdir rmdir chdir open close rename unlink connect disconnect
  full_audit:facility=local5
  full_audit:prefix=%u|%I|%m|%S

I think those lines slow my old server 

Regards

[Daniel B.]

You can disable it per ibay:

Code: [Select]

db accounts setprop <ibay name> Audit disabled
signal-event ibay-modify <ibay name>


[stephdl]

Thanks daniel, it seems that we don't have this db properties on ibay saved in the documentation...

http://wiki.contribs.org/DB_Variables_Configuration#Ibay

do you know other db properties like this to save in the documentation.

edit : i spoke to fast, we have this http://wiki.contribs.org/DB_Variables_Configuration#Samba_per_i-bay_settings_.28smbd.29

[Daniel B.]

You can find all the available props in the templates /etc/e-smith/templates/etc/smb.conf/ibays/
From a quick look, there's:

• RecycleBin
• KeepVersions
• ShadowCopy
• cscPolicy
• Browseable
• OpLocks
• VetoOplockFiles

Most of those settings will be rarely used

[stephdl]

yes i have added them in the documentation. It could be nice if someone can start to read templates and report db not saved in the documentation

[Oziris]

Hi


I applied changes with:

db accounts setprop Primary Audit disabled
signal-event ibay-modify Primary

The smb.conf file has same lines:
vfs objects = full_audit
  full_audit:priority=notice
  full_audit:success=mkdir rmdir chdir open close rename unlink connect disconnect
  full_audit:failure=mkdir rmdir chdir open close rename unlink connect disconnect
  full_audit:facility=local5
  full_audit:prefix=%u|%I|%m|%S

...And auditing is still active:
Aug  4 20:39:51 ab7072 smbd[2283]: martin|192.168.2.105|mp02|prtg|open|ok|r|Tiger_Halloween
Aug  4 20:39:51 ab7072 smbd[2283]: martin|192.168.2.105|mp02|prtg|close|ok|Tiger_Halloween
Aug  4 20:39:51 ab7072 smbd[2283]: martin|192.168.2.105|mp02|prtg|open|ok|r|Tiger_Halloween
Aug  4 20:39:51 ab7072 smbd[2283]: martin|192.168.2.105|mp02|prtg|close|ok|Tiger_Halloween

What can I do?   

[guest22]

Maybe this helps

http://forums.contribs.org/index.php/topic,43062.msg204670.html#msg204670

Just watch the key 'Audit' (capital A) as per suggestion by Daniel above, and the 'audit' key (lower case 'a') used in the fragment. They should be the same. AFAIK by default the syntax/spelling for db keys always start with a capital.

HTH

ps. I wonder how those audit and vfs lines ended up in smb.conf in the first place. A new install of SME9 with a test ibay does not show these lines. Maybe a contrib? (sme8admin??)

[guest22]

Opened a bug: http://bugs.contribs.org/show_bug.cgi?id=8512

[stephdl]

What can I do?   

Do you have the same behaviour with another Ibay, for me the Primary ibay is a little special and I never use it. But in the mean while I cannot reproduce your behaviour since i can't find these lines in my smb.conf. ?????? on sme8 and sme9

vfs objects = full_audit
  full_audit:priority=notice
  full_audit:success=mkdir rmdir chdir open close rename unlink connect disconnect
  full_audit:failure=mkdir rmdir chdir open close rename unlink connect disconnect
  full_audit:facility=local5
  full_audit:prefix=%u|%I|%m|%S

can you post the content of /etc/e-smith/templates/etc/smb.conf/ibays/10smbaudit....you don't have  some custom templates ???

[Daniel B.]

...And auditing is still active:
Aug  4 20:39:51 ab7072 smbd[2283]: martin|192.168.2.105|mp02|prtg|open|ok|r|Tiger_Halloween
Aug  4 20:39:51 ab7072 smbd[2283]: martin|192.168.2.105|mp02|prtg|close|ok|Tiger_Halloween
Aug  4 20:39:51 ab7072 smbd[2283]: martin|192.168.2.105|mp02|prtg|open|ok|r|Tiger_Halloween
Aug  4 20:39:51 ab7072 smbd[2283]: martin|192.168.2.105|mp02|prtg|close|ok|Tiger_Halloween

What can I do?   

Those lines are about access to an ibay named prtg, so the settings of the Primary ibay won't affect it. Or maybe you are using the Shared Folder contrib ? (which provides the same audit function, except that it default to enabled instead of disabled on the ibays). Please, show us

Code: [Select]

db accounts show prtg


[Oziris]

Bonjour Daniel and Stephdl

Here we go:

Result for db accounts show prtg:

prtg=share
    DynamicContent=disabled
    Encryption=disabled
    InactivityTimeOut=
    Indexes=disabled
    Name=Partage
    Pydio=disabled
    ReadGroups=
    ReadUsers=
    RecycleBin=disabled
    RecycleBinRetention=unlimited
    RequireSSL=disabled
    WebDav=enabled
    WriteGroups=
    WriteUsers=martin,terry
    httpAccess=none
    smbAccess=browseable

Here is the content for /etc/e-smith/templates/etc/smb.conf/ibays/10smbaudit:

{
    $OUT = "";
    return unless (($ibay->prop('Audit') || 'disabled') eq 'enabled');

    $ibay_vfs->{full_audit}->{prefix} = "%u|%I|%S";                                                   
    $ibay_vfs->{full_audit}->{failure} = "connect";
    $ibay_vfs->{full_audit}->{success} = "opendir mkdir rmdir open write rename unlink";   
    $ibay_vfs->{full_audit}->{facility} = "local5";
    $ibay_vfs->{full_audit}->{priority} = "notice";
}


Best regards

[Daniel B.]

Ok, so prtg is a shared folder, not an ibay. The audit feature is the same between both, except audit defaults to enabled on shared folders. Just turn it off like this:

Code: [Select]

db accounts setprop prtg Audit disabled
signal-event share-modify prtg


[Oziris]

Bonjour Daniel

Oh yes! it works now! Here is the result:

Aug  6 05:56:19 ab7072 /sbin/e-smith/db[3671]: /home/e-smith/db/accounts: OLD prtg=share|DynamicContent|disabled|Encryption|disabled|InactivityTimeOut||Indexes|disabled|Name|Partage|Pydio|disabled|ReadGroups||ReadUsers||RecycleBin|disabled|RecycleBinRetention|unlimited|RequireSSL|disabled|WebDav|enabled|WriteGroups||WriteUsers|martin,terry|httpAccess|none|smbAccess|browseable
Aug  6 05:56:19 ab7072 /sbin/e-smith/db[3671]: /home/e-smith/db/accounts: NEW prtg=share|Audit|disabled|DynamicContent|disabled|Encryption|disabled|InactivityTimeOut||Indexes|disabled|Name|Partage|Pydio|disabled|ReadGroups||ReadUsers||RecycleBin|disabled|RecycleBinRetention|unlimited|RequireSSL|disabled|WebDav|enabled|WriteGroups||WriteUsers|martin,terry|httpAccess|none|smbAccess|browseable
Aug  6 05:56:34 ab7072 esmith::event[3672]: Processing event: share-modify prtg

I browsed a few files and no more auditing!
I'm pretty sure that will speed up my server.

Thanks so much for your help!