Tracking user activity on server, SMB/CIFS


    • Tracking user activity on server, SMB/CIFS

      Hi there,

      We are running a file server with OMV and roughly twenty users. Unfortunately, one of our users seems to have started a deletion process and we therefore lost a couple of TB of data. Luckily, the last backup was just a few days ago, so I'm currently restoring data. In the process of figuring out what exactly happened here, I found that I unfortunately did not set any logging for samba shares so far.

      In order to track all user activities regarding file handling (copy, move, erase processes), I set the SMB/CIFS log level to "full" now. This has been written to the /etc/samba/smb.conf file as well (log level = 3, syslog = 3). Log files are written for each machine (log file = /var/log/samba/log.%m). However, all these files are empty.
      During any file handling process, the OMV GUI itself lists all user activities under Diagnostics/Services/SMB/CIFS, giving logged users, services and locked files. Especially the latter is what I'm interested in and what I'd like to log into the user files. Any suggestions how to do this?

      Furthermore, I think that SMB/CIFS logs do not log any activities when users are connected to the server via SSH (terminal) and mount folders via SSHFS. How do I track these activities?

      Thanks,
      Arne
    • Re: Tracking user activity on server, SMB/CIFS

      I just recognized that SMB user activities are shown in the OMV GUI under System Logs/Syslog. Logs are however a bit strange: if I open and close a file on the server (Windows SMB network connection), I get 48 entries (half/half) for opening and closing that single file once.
      When I delete that file on the server, this is again logged as opening/closing with the same amount of entries, erasing (as word "erasing" or similar) itself is however not logged as such.
    • Re: Tracking user activity on server, SMB/CIFS

      Thanks for the link! I managed to configure full_audit, also following a short tutorial here moiristo.wordpress.com/2009/08…ba-logging-user-activity/ as a first step.
      Logging into syslog works now for SMB shares. Curiously, for any pwrite activities (moving a file to the share), I sometimes get up to ten entries for that single file and action, giving all the same information. For other files, this does not happen. Any hints?

      I furthermore found that with these entries

      Source Code

      vfs object = full_audit
      full_audit:prefix = %u|%I|%m: %S
      full_audit:success = mkdir pwrite rename unlink rmdir
      full_audit:failure = none
      full_audit:priority = NOTICE

      logging is only active if the recycle bin is not enabled for a share. Even file creation and renaming are not logged when using the recycle bin. However, I'd like to have both: recycle bin and logging.
    • Re: Tracking user activity on server, SMB/CIFS

      Not sure why there is a difference with the number of entries. As for the recycle bin issue, you should compare the /etc/samba/smb.conf with and without the recycle bin enabled. Maybe that would show something obvious??
      omv 4.1.8.2 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.8
      omv-extras.org plugins source code and issue tracker - github.com/OpenMediaVault-Plugin-Developers

      Please read this before posting a question.
      Please don't PM for support... Too many PMs!
    • Re: Tracking user activity on server, SMB/CIFS

      Hmm no, unfortunately no real difference in smb.conf files. Of course, with recycle bin enabled, the additional lines in share definitions are

      Source Code

      vfs objects = recycle
      recycle:repository = .recycle/%U
      recycle:keeptree = yes
      recycle:versions = yes
      recycle:touch = yes
      recycle:directory_mode = 0777
      recycle:subdir_mode = 0700
      recycle:exclude =
      recycle:exclude_dir =
      recycle:maxsize = 0

      However, no change in the global settings. In the meantime, I have also changed the samba log level from none to full - no difference.
      Interestingly, there is an automatic file saving script running for a file on the share, which was started before I activated the recycle bin today. This event is logged as it should.
    • Re: Tracking user activity on server, SMB/CIFS

      The vfs objects = recycle is overriding the vfs objects = full_audit. In order to fix it, it needs a change in OMV. You can file a feature request on the bugtracker.
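
The override described in the last reply can be checked for mechanically. The following is an added example, not part of any post in this thread and not OMV's code: it parses an smb.conf and lists the shares whose effective `vfs objects` stack lacks full_audit. The sample config and share names are constructed; it assumes a share-level `vfs objects` line replaces the [global] one, and shows that listing both modules on one line (`vfs objects = full_audit recycle`) keeps auditing active.

```python
import re

# Constructed sample mirroring the thread: full_audit configured in [global],
# recycle bin enabled per share. Share names are hypothetical.
SAMPLE_SMB_CONF = """\
[global]
vfs object = full_audit
full_audit:prefix = %u|%I|%m: %S
full_audit:success = mkdir pwrite rename unlink rmdir

[projects]
vfs objects = recycle
recycle:repository = .recycle/%U

[scratch]
path = /srv/scratch

[archive]
vfs objects = full_audit recycle
recycle:repository = .recycle/%U
"""

def parse_sections(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and spaces in parameter names.
            current.append((re.sub(r"\s+", "", key).lower(), value.strip()))
    return sections

def effective_vfs(params, inherited):
    """The last 'vfs objects' line in a section wins; otherwise inherit [global]."""
    lines = [v.split() for k, v in params if k in ("vfsobjects", "vfsobject")]
    return lines[-1] if lines else inherited

def unaudited_shares(text):
    """Shares whose effective VFS module stack does not include full_audit."""
    sections = parse_sections(text)
    global_vfs = effective_vfs(sections.get("global", []), [])
    return sorted(name for name, params in sections.items()
                  if name != "global"
                  and "full_audit" not in effective_vfs(params, global_vfs))
```

Calling `unaudited_shares(open("/etc/samba/smb.conf").read())` after each configuration change from the GUI shows whether a share has silently dropped out of the audit log.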