SMB too much audit logs

  • Hello,

    After upgrading from 5.x.y to 6.x.y some time ago, I came across a problem with Samba audit logs. The amount of them is so large that the system partition fills up in a day or two. Disabling audit logs in the web GUI helped to extend that time to 4-5 days. So now, to get access to the web GUI, I sometimes have to clean the log files manually :(

    My system partition is 16GB, which was totally enough for 5.x.y and, looking at the requirements for 6.x.y, should be enough for it too.

    I tried using a more aggressive logrotate config and changing the system partition size, but these are not exact solutions.

    Has anyone had a similar problem? Can you help me with any solution for this?

    Actually I am on 6.3.2-2.

    I am new to OMV, but if you want more details or config setups I will try to show them. :)

  • Hi! What a coincidence! I just posted a comment about that a few minutes ago.

    The problem is the vfs_full_audit module used in Samba. They change the operation values quite often and (I think) randomly and meaninglessly.

    Look at my post. I hope it can help you...

    Kind regards.

  • Well, your solution seems to be working fine when it comes to too much logging.

    But for me it is too little for now. I mean, I would like to have some logs about users copying/moving or deleting files, but as far as I can see there is no such information.

    Is this line responsible for logging the details that I've mentioned above? I tried to add some lines from the Samba manuals, but with no result. Every time, the problem went back to the starting point with too much logging :/

    omv-env set -- OMV_SAMBA_SHARE_AUDIT_SUCCESS "connect disconnect pread pwrite mkdirat renameat unlinkat"

    Can I do something to obtain logs like that?


  • Hi!

    With these options you are logging user connections and disconnections (not ever), data reads and writes (in the last Samba version added to OMV this isn't working), directory creation, file & dir renaming and file & dir deleting.

    Try adding "openat" or "fcntl" to increase verbosity (maybe it will be necessary for you).

    Take into account that a move is creating a new file and deleting the original.

    At the moment I haven't found a better solution, even using other supposedly available operations like read & write (with their respective variants), etc.

    Best wishes, and give us feedback.
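
To see which full_audit operations are actually filling the log before adding or removing names in OMV_SAMBA_SHARE_AUDIT_SUCCESS, the records can be counted per operation. This is an added example, not code from the thread or from OMV; it assumes syslog lines tagged smbd_audit in the form `prefix|operation|result|arguments`, and the sample lines, host, user, share and paths are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed record layout after the syslog
# tag: <prefix fields>|<operation>|<ok or fail (...)>|<arguments>

# Constructed sample lines; host, user, share and paths are made up.
sample_audit_log() {
    cat <<'EOF'
Mar  3 10:15:01 nas smbd_audit[1234]: alice|192.0.2.20|docs|connect|ok|docs
Mar  3 10:15:02 nas smbd_audit[1234]: alice|192.0.2.20|docs|openat|ok|r|/srv/docs/a.txt
Mar  3 10:15:02 nas smbd_audit[1234]: alice|192.0.2.20|docs|openat|ok|r|/srv/docs/b.txt
Mar  3 10:15:03 nas smbd_audit[1234]: alice|192.0.2.20|docs|openat|ok|w|/srv/docs/c.txt
Mar  3 10:15:04 nas smbd_audit[1234]: alice|192.0.2.20|docs|renameat|ok|/srv/docs/c.txt|/srv/docs/d.txt
Mar  3 10:15:05 nas smbd_audit[1234]: alice|192.0.2.20|docs|unlinkat|fail (Permission denied)|/srv/docs/a.txt
Mar  3 10:15:06 nas smbd_audit[1234]: alice|192.0.2.20|docs|disconnect|ok|docs
Mar  3 10:15:07 nas smbd[1200]: unrelated daemon message
EOF
}

# Print "<count> <operation>" per operation, busiest first.
# Reads the files given as arguments, or stdin when there are none.
audit_op_counts() {
    awk '
    /smbd_audit/ {
        sub(/^.*smbd_audit[^:]*: /, "")      # drop timestamp, host and tag
        n = split($0, f, "|")
        # The prefix length depends on full_audit:prefix, so locate the
        # result field and take the field before it as the operation.
        for (i = 2; i <= n; i++)
            if (f[i] == "ok" || f[i] ~ /^fail/) { count[f[i - 1]]++; break }
    }
    END { for (op in count) printf "%d %s\n", count[op], op }
    ' "$@" | sort -k1,1nr -k2,2
}

sample_audit_log | audit_op_counts
```

On a real system, pass the audit log file as an argument to `audit_op_counts`; the operations at the top of the output are the ones whose removal shrinks the log most.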
