From: Darren Hildebrand on
I'm trying to set up a Samba server to audit only the file operations
that I care about, which are create, modify, delete, and rename (for
files and folders). I've got the full_audit vfs module working well,
except that I haven't been able to figure out what to set it to log (in
the "full_audit:success" setting) to include file creation and
modification. If I log pwrite, then it floods the logs with many
entries for every single file write, especially when writing large
files. I get almost 200 messages when writing a 10 MB file. Is there
something I can log to make it write a single entry on file creation or
modification? "Write" doesn't seem to log anything, but pwrite is far
too verbose for my needs.

Also, creating an empty file doesn't seem to get logged either, even
with "link" in the full_audit:success setting. For example, if I
right-click in Windows Explorer and create a new text file without
changing the name, nothing is logged.

This is my current full_audit module configuration:

full_audit:prefix = %u|%I|%S
full_audit:success = mkdir rmdir write rename unlink pwrite link
full_audit:failure = none
full_audit:facility = local5
full_audit:priority = info

Is there a way to get full_audit to log the way I'm looking for? Or is
there another audit module that would do better? I'm just trying to end
up with a nice clean audit log without unneeded entries. Any ideas
would be greatly appreciated.

Thanks.

Darren
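
One way to get a single entry per file write is to post-process the log. The sketch below is an added example, not part of the original post and not Samba code; it folds each run of pwrite lines for the same user, client, share and path into one "modify" event. It assumes the syslog tag is smbd_audit and that each line reads prefix|operation|result|arguments with the %u|%I|%S prefix from the configuration above. The host name, users, paths and the 60-second GAP are made up for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed syslog layout: "<timestamp> <host> smbd_audit: <prefix>|<op>|<result>|<args>"
LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ smbd_audit(?:\[\d+\])?: (.*)$")
GAP = timedelta(seconds=60)  # assumed threshold: a longer pause starts a new event

# Constructed sample lines (host, users and paths are made up).
SAMPLE_LOG = """\
Mar  3 10:15:04 fs1 smbd_audit: alice|192.0.2.10|projects|pwrite|ok|reports/q1.bin
Mar  3 10:15:04 fs1 smbd_audit: bob|192.0.2.11|projects|pwrite|ok|notes.txt
Mar  3 10:15:04 fs1 smbd_audit: alice|192.0.2.10|projects|pwrite|ok|reports/q1.bin
Mar  3 10:15:05 fs1 smbd_audit: alice|192.0.2.10|projects|pwrite|ok|reports/q1.bin
Mar  3 10:15:09 fs1 smbd_audit: alice|192.0.2.10|projects|rename|ok|reports/q1.bin|reports/q1-final.bin
Mar  3 10:20:30 fs1 smbd_audit: bob|192.0.2.11|projects|pwrite|ok|notes.txt
Mar  3 10:20:31 fs1 smbd_audit: alice|192.0.2.10|projects|unlink|ok|reports/q1-final.bin
"""

def _event(user, ip, share, op, path, ts):
    return {"user": user, "ip": ip, "share": share, "op": op,
            "path": path, "first": ts, "last": ts, "count": 1}

def collapse(lines, year=2000):
    """Fold each pwrite burst into one 'modify' event (syslog has no year, so one is supplied)."""
    events, open_bursts = [], {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group(2).split("|", 5)  # prefix is %u|%I|%S, then op, result, args
        if len(parts) != 6 or parts[4] != "ok":
            continue
        user, ip, share, op, _, args = parts
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        key = (user, ip, share, args.split("|")[0])  # rename args are "old|new"
        burst = open_bursts.get(key)
        if op == "pwrite" and burst and ts - burst["last"] <= GAP:
            burst["last"], burst["count"] = ts, burst["count"] + 1
            continue
        if op == "pwrite":
            events.append(_event(user, ip, share, "modify", args, ts))
            open_bursts[key] = events[-1]
        else:
            open_bursts.pop(key, None)  # any other operation on the file ends its burst
            events.append(_event(user, ip, share, op, args, ts))
    return events

if __name__ == "__main__":
    for e in collapse(SAMPLE_LOG.splitlines()):
        print(f'{e["first"]:%b %d %H:%M:%S}', e["user"], e["op"], e["path"], e["count"])
```

This only reduces the pwrite volume after the fact; it does not make the creation of an empty file appear in the log.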