logs in samba server

    • Official post

    I do wonder though, the default config has "logging = syslog" - which I believe is no longer valid

    I finally had to comment that.


    The option logging = syslog IS valid and not deprecated. The official documentation for that option does not mention that, and running samba-tool testparm --suppress-prompt does not show an error, nor does syslog/journald output a warning when starting smbd.

  • Put everything back to default. Have only the below.


    bind interfaces only = yes

    dns proxy = yes

    server min protocol = SMB2_10

    client min protocol = SMB2

    client max protocol = SMB3


    No audit logs.

    • Official post

    Please try the following, the problem is surely not the smb.conf created by OMV, it's something with your system that is not working correctly.


    - Is journald running? systemctl status systemd-journal

    - Undo ALL your customizations, enable the Audit switch for all shares you want and run omv-salt deploy run samba

    - Start journalctl -f --quiet --no-pager SYSLOG_IDENTIFIER='smbd_audit' in a shell

    - Copy or delete a file via SMB

    - The activity must be logged by journalctl


    If this does not work, then uninstall the flash memory plugin and try again.

    • Official post

    If you are shutting down the system properly, the flashmemory plugin syncs all data back to the real directories. Nothing should be lost.


  • Please try the following, the problem is surely not the smb.conf created by OMV, it's something with your system that is not working correctly.


    - Is journald running? systemctl status systemd-journal

    I think there is something wrong with that line. I get

    Unit journal.service could not be found


    but if I run journalctl -ax I get items at the current time from the current boot

  • - Undo ALL your customizations, enable the Audit switch for all shares you want and run omv-salt deploy run samba

    - Start journalctl -f --quiet --no-pager SYSLOG_IDENTIFIER='smbd_audit' in a shell

    So they are definitely being logged, but they are not displayed through the GUI syslogs - SMB Audit selection


    Code
    May 11 07:51:42 nas.net.lan smbd_audit[1502]: media closed file FamilyVideos/MVI_1857.mkv (numopen=1) NT_STATUS_OK
    May 11 07:51:46 nas.net.lan smbd_audit[1502]: [2020/05/11 07:51:46.064229,  2] ../source3/smbd/close.c:802(close_normal_file)
    May 11 07:51:46 nas.net.lan smbd_audit[1502]: media closed file FamilyVideos/MVI_1857.mkv (numopen=0) NT_STATUS_OK
    • Official post

    Can you please use the following command line for testing. The output should then look like this.


    Code
    # journalctl --quiet --no-pager --priority='notice' SYSLOG_FACILITY=23 SYSLOG_IDENTIFIER='smbd_audit'
    May 11 06:32:09 omv5box smbd_audit[1248]: vot|192.172.16.1|arrakis|/srv/dev-disk-by-id-scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-1-part1/test|test|unlink|ok|/srv/dev-disk-by-id-scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-1-part1/test/dummy_data.json
  • Can you please use the following command line for testing. The output should then look like this.


    Code
    # journalctl --quiet --no-pager --priority='notice' SYSLOG_FACILITY=23 SYSLOG_IDENTIFIER='smbd_audit'
    May 11 06:32:09 omv5box smbd_audit[1248]: vot|192.172.16.1|arrakis|/srv/dev-disk-by-id-scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-1-part1/test|test|unlink|ok|/srv/dev-disk-by-id-scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-1-part1/test/dummy_data.json

    Just dropped straight back to the command prompt and didn't display anything

  • I'm sorry, I'm out now. The issue works for me on several machines and I know that users are using this feature. So the problem seems to exist only on your machine.

    If I remove the SYSLOG_FACILITY=23 I get output showing connections from different machines...

  • The OMV default configuration of the audit_full VFS module is full_audit:facility = local7 which is SYSLOG_FACILITY=23 (https://en.wikipedia.org/wiki/Syslog#Message_components).

    Hey votdev, I tried my luck with cycling through the syslog_facility numbers and they show up under 3 not 23.
    file open, nt status ok, etc.


    Could this be legacy config settings from earlier OMV3 or OMV4?

    • Official post

    Hey votdev, I tried my luck with cycling through the syslog_facility numbers and they show up under 3 not 23.
    file open, nt status ok, etc.


    Could this be legacy config settings from earlier OMV3 or OMV4?

    No, why that? The configuration is done based on the documentation and the man-pages for the smb.conf and journalctl versions used in Debian 10.

  • I see you modified the code base to remove the sys_log=23

    https://github.com/openmediava…9ac38c006b49aab6f49239b72


    I have just made the change to my system to see if it works, but no effect. Do I have to run any commands to see it picked up, or just wait till the next release?

    So implementing this change didn't fix it on my side, nor did setting the value to 3.


    The UPS log doesn't show anything in the user interface either.


    Is there a way to compare the files that are on the system vs the current OMV build to show which ones are different?

    My system has come from 3->4->5 and I wonder if there is residue that is breaking things. Docker doesn't work for me either.

    • Official post

    I see you modified the code base to remove the sys_log=23

    https://github.com/openmediava…9ac38c006b49aab6f49239b72

    Using the facility in the query is not necessary to get the wanted data.



    If the query works for you with SYSLOG_FACILITY=3

    I have just made the change to my system to see if it works, but no effect. Do I have to run any commands to see it picked up, or just wait till the next release?

    No, not necessary.


    The UPS log doesn't show anything in the user interface either.

    IMO another indication that something with your syslog and/or systemd settings differs from a Debian 10. But I have no idea where to start searching. Because of such issues there is no official migration from Debian 9 to 10.


    Is there a way to compare the files that are on the system vs the current OMV build to show which ones are different?

    My system has come from 3->4->5 and I wonder if there is residue that is breaking things. Docker doesn't work for me either.

    Sure, but that's much work. I would unplug the main device of your NAS, connect it to a Linux box and mount the NAS root filesystem, then I would set up the OMV Vagrant box and mount the root filesystem of that image, too. Finally you could run a diff tool atop of both filesystems.

  • Sounds like I might be better off to do a clean install and restore the key settings, i.e. kernel options.

    Is there a way to back up just the OMV config, e.g. config.xml and other key files, then restore them onto a clean install?


    On another note, to get the amd64-microcode installed I had to modify sources.list

    from

    deb http://ftp.de.debian.org/debian/ buster main

    To

    deb http://ftp.de.debian.org/debian/ buster main non-free


    to be able to get it. If I put them both in, it complained about duplicate sources.


    Shouldn't that be available from the initial install?

  • votdev hey man, I don't understand how it can be working.


    the smbd_audit entries are being written to /var/syslog - in the default configuration


    The code below, line 265 in openmediavault/deb/openmediavault/usr/share/openmediavault/engined/inc/90logfilespec.inc


    shows it is looking for smbd_audit.log

    That file exists, but is 0 - how are the entries supposed to get from syslog -> smbd_audit.log ?

    Code
    \OMV\System\LogFileSpec::registerSpecification("smbdaudit", [
      "command" => "export SYSTEMD_COLORS=0; journalctl --quiet --no-pager ".
        "--priority='notice' --identifier='smbd_audit' --output=short",
      "filename" => "smbd_audit.log",
      "regex" => "/^(\S+\s+\d+\s+\d{2}:\d
    • Official post

    This is incorrect. On a system that is using systemd and journald everything is written to the journal. If there is an old style syslog daemon installed, then /var/log/xxx files are populated, too.


    The mentioned OMV code uses journalctl to query the necessary information from the journal. The code

    Code
    "filename" => "smbd_audit.log",

    is simply the name to be used when you download the file via UI.
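
The facility mismatch discussed in this thread (smbd_audit entries found under SYSLOG_FACILITY=3 rather than 23), as an added example that is not part of any post or of OMV's code: it reads `journalctl --output=json` lines, reports which facility the entries carry, and separates pipe-delimited audit records from other smbd output logged under the same identifier. The field names, the helper names and the sample entries (messages taken from the thread with shortened paths, journal fields invented) are assumptions of this example.

```python
import json
from collections import Counter

FACILITY_NAMES = {"3": "daemon", "23": "local7"}  # syslog facility codes seen in the thread
# Field names are this example's labels for the record layout shown in the thread.
FIELDS = ("user", "client_ip", "client_name", "share_path", "share", "op", "result", "arg")

def parse_audit(message):
    """Parse one pipe-separated audit record; return None for other smbd output."""
    if not isinstance(message, str):  # journalctl emits non-UTF-8 messages as byte arrays
        return None
    parts = message.split("|", len(FIELDS) - 1)  # keep any '|' inside the last field
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["result"] == "ok" or rec["result"].startswith("fail") else None

def load(json_lines):
    """Decode `journalctl --output=json` lines, keeping only smbd_audit entries."""
    entries = [json.loads(line) for line in json_lines if line.strip()]
    return [e for e in entries if e.get("SYSLOG_IDENTIFIER") == "smbd_audit"]

def query(entries, facility=None, max_priority=5):
    """Mimic the journalctl match: --priority='notice' plus optional SYSLOG_FACILITY."""
    return [e for e in entries
            if int(e.get("PRIORITY", 7)) <= max_priority
            and (facility is None or e.get("SYSLOG_FACILITY") == str(facility))]

def facility_breakdown(entries):
    """Count entries per facility, split into audit records and other smbd output."""
    counts = Counter()
    for e in entries:
        kind = "audit" if parse_audit(e.get("MESSAGE")) else "other"
        fac = e.get("SYSLOG_FACILITY", "?")
        counts[(FACILITY_NAMES.get(fac, fac), kind)] += 1
    return dict(counts)

def _entry(facility, priority, message):
    return json.dumps({"SYSLOG_IDENTIFIER": "smbd_audit", "SYSLOG_FACILITY": str(facility),
                       "PRIORITY": str(priority), "MESSAGE": message})

# Constructed sample: journal fields are invented, paths are shortened.
SAMPLE = [
    _entry(3, 5, "media closed file FamilyVideos/MVI_1857.mkv (numopen=1) NT_STATUS_OK"),
    _entry(3, 5, "[2020/05/11 07:51:46.064229,  2] ../source3/smbd/close.c:802(close_normal_file)"),
    _entry(23, 5, "vot|192.172.16.1|arrakis|/srv/test|test|unlink|ok|/srv/test/dummy_data.json"),
]

if __name__ == "__main__":
    entries = load(SAMPLE)
    print(facility_breakdown(entries))
    for e in query(entries, facility=23):
        print(parse_audit(e["MESSAGE"]))
```

If the breakdown shows only "other" entries under daemon and no audit records at all, the lines in the journal are smbd debug output rather than audit records.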
