Tracking user activity on server, SMB/CIFS

  • Hi there,


we are running a file server with OMV and roughly twenty users. Unfortunately, one of our users seems to have started a deletion process and we therefore lost a couple of TB of data. Luckily, the last backup was just a few days ago, so I'm currently restoring data. In the process of figuring out what exactly happened here, I found that I unfortunately did not set any logging for samba shares so far.


    In order to track all user activities regarding file handling (copy, move, erase processes), I set the SMB/CIFS log level to "full" now. This has been written to the /etc/samba/smb.conf file as well (log level = 3, syslog = 3). Log files are written for each machine (log file = /var/log/samba/log.%m). However, all these files are empty.
During any file handling process, the OMV GUI itself lists all user activities under Diagnostics/Services/SMB/CIFS, giving logged users, services and locked files. Especially the latter is what I'm interested in and what I'd like to log into the user files. Any suggestions on how to do this?


    Furthermore, I think that SMB/CIFS logs do not log any activities when users are connected to the server via SSH (terminal) and mount folders via SSHFS. How do I track these activities?


    Thanks,
    Arne

  • I just recognized that SMB user activities are shown in the OMV gui under System Logs/Syslog. Logs are however a bit strange: If I open and close a file on the server (Windows SMB network connection), I get 48 entries (half/half) for opening and closing that single file once.
When I delete that file on the server, this is again logged as opening/closing with the same amount of entries; erasing itself (as the word "erasing" or similar) is however not logged as such.

• Official post

    Read all of this topic.

    omv 7.0-32 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.9 | compose 7.0.9 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Thanks for the link! I managed to configure full_audit, also following a short tutorial here http://moiristo.wordpress.com/…ba-logging-user-activity/ as a first step.
    Logging into syslog works now for SMB shares. Curiously, for any pwrite activities (moving a file to the share), I sometimes get up to ten entries for that single file and action, giving all the same information. For other files, this does not happen. Any hints?


    I furthermore found that with these entries

    Code
    vfs object = full_audit
    full_audit:prefix = %u|%I|%m: %S
    full_audit:success = mkdir pwrite rename unlink rmdir
    full_audit:failure = none
    full_audit:priority = NOTICE


logging is only active if the recycle bin is not enabled for a share. Even file creation and renaming are not logged when using the recycle bin. However, I'd like to have both: recycle bin and logging.
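Added example, not code from the thread or from the OMV project: a small Python script that parses syslog lines in the format full_audit produces with the prefix "%u|%I|%m: %S" shown above, keeps only one copy of the identical repeated entries described for pwrite, and flags any user whose successful unlink/rmdir count within a one-minute window reaches a threshold, the kind of mass-deletion event that started this thread. The host name, user names, client IPs and paths in the sample lines are constructed.

```python
import re
from datetime import datetime

# Matches syslog lines from full_audit with prefix "%u|%I|%m: %S"
# (user|client IP|client name: share), then operation|ok-or-fail|args.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smbd_audit: "
    r"(?P<user>[^|]+)\|(?P<ip>[^|]+)\|(?P<client>[^:]+): (?P<share>[^|]+)\|"
    r"(?P<op>\w+)\|(?P<result>ok|fail)\|(?P<args>.*)$"
)

# Constructed sample (hypothetical host, users, IPs, paths): one pwrite
# logged twice for the same file, then a burst of deletions by one user.
SAMPLE = """\
Jun  1 09:00:01 nas smbd_audit: arne|192.168.1.20|pc-arne: data|pwrite|ok|docs/report.docx
Jun  1 09:00:01 nas smbd_audit: arne|192.168.1.20|pc-arne: data|pwrite|ok|docs/report.docx
Jun  1 09:00:05 nas smbd_audit: arne|192.168.1.20|pc-arne: data|unlink|ok|docs/old.txt
Jun  1 09:10:00 nas smbd_audit: bob|192.168.1.31|pc-bob: data|unlink|ok|projects/a.pdf
Jun  1 09:10:02 nas smbd_audit: bob|192.168.1.31|pc-bob: data|unlink|ok|projects/b.pdf
Jun  1 09:10:03 nas smbd_audit: bob|192.168.1.31|pc-bob: data|rmdir|ok|projects/sub
Jun  1 09:10:04 nas smbd_audit: bob|192.168.1.31|pc-bob: data|unlink|fail|projects/c.pdf
Jun  1 09:10:20 nas smbd_audit: bob|192.168.1.31|pc-bob: data|unlink|ok|projects/d.pdf
Jun  1 09:10:40 nas smbd_audit: bob|192.168.1.31|pc-bob: data|unlink|ok|projects/e.pdf
Jun  1 09:10:41 nas smbd[1234]: unrelated syslog line, ignored
""".splitlines()

def parse_audit(lines):
    """Parse full_audit lines; identical repeated lines are kept once."""
    seen = dict.fromkeys(l.strip() for l in lines)  # order-preserving dedup
    return [m.groupdict() for m in map(LINE_RE.match, seen) if m]

def mass_delete_alerts(events, threshold=5, window_s=60):
    """Per user, the largest number of successful unlink/rmdir events in
    any window_s-second window; returns only users at/over threshold."""
    times = {}
    for ev in events:
        if ev["op"] in ("unlink", "rmdir") and ev["result"] == "ok":
            t = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            times.setdefault(ev["user"], []).append(t)
    alerts = {}
    for user, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end, t in enumerate(ts):          # sliding window over sorted times
            while (t - ts[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[user] = best
    return alerts
```

Run it against /var/log/syslog (or the log file full_audit writes to) instead of SAMPLE to get per-user deletion bursts from the real audit trail.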

• Official post

Not sure why there is a difference in the number of entries. As for the recycle bin issue, you should compare the /etc/samba/smb.conf with and without the recycle bin enabled. Maybe that would show something obvious?


• Hmm no, unfortunately no real difference in the smb.conf files. Of course, with the recycle bin enabled, the additional lines in the share definitions are


    Code
    vfs objects = recycle
    recycle:repository = .recycle/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:directory_mode = 0777
    recycle:subdir_mode = 0700
    recycle:exclude = 
    recycle:exclude_dir = 
    recycle:maxsize = 0


However, there is no change in the global settings. In the meantime, I have also changed the samba log level from none to full - no difference.
Interestingly, there is an automatic file saving script running for a file on the share, which was started before I activated the recycle bin today. This event is logged as it should be.

• Official post

The vfs objects = recycle line is overriding the vfs objects = full_audit line. In order to fix this, it needs a change in OMV. You can file a feature request on the bugtracker.

