Beiträge von GonsoGutierrez

Hi!

With these options you are logging user connections and disconnections (not ever), data reads and write (in last samba versión added to OMV this isn't working), directory creation, file & dir renaming and file & dir deleting.

Try to add "openat" or "fcntl" to increment verbosity (maybe will be necessary to you)

Take in account that move is create a new file and delete the original.

At the moment I didn't find a better solution ever using other supposed operations available like: read & write (with their respective variant), etc.

Best wishes and give us feedback..

Hi! What a coincidence! I have just a post a comment about that some minutes ago.

The problem is the vfs_full_audit module used in Samba. They change operations values quite often and (I think) randomly and meaninless.

Look my post. I home it could help you...

King regards.

Hi! Seems that the problem persists nowadays.

OMV, by default, already configures invalid operation values for vfs_full_audit module in Samba. So, by default, a full audit logging is activated and you are going to found lot of "trash" in the logs (all operations are logged). I think that this vfs_full_audit module behaviour sucks... sigh...

I have searched and investigated a little and at the moment I discovered that the below options are working (but something changed again recently in vfs_full_audit and pread & pwrite don't do nothing at all now).

Here is what I do (you could use it as a script):

# Registering user, ip, netbios name and object with full path.

omv-env set -- OMV_SAMBA_SHARE_AUDIT_PREFIX "%u|%I|%m|%S"

# Logging connections, disconnections, reads (not working), writes (not working), dir creation, renaming (associated to files & dirs and also sometimes object creation) and deleting (dir & files). You could add "openat" or "fcntl", but are too verbose.

omv-env set -- OMV_SAMBA_SHARE_AUDIT_SUCCESS "connect disconnect pread pwrite mkdirat renameat unlinkat"

# By default at OMV, actually it isn't necessary to set it up

omv-env set -- OMV_SAMBA_SHARE_AUDIT_FAILURE "connect"

# Using a specific log file, but it you could keep it in local7 if you prefer (syslog log file). It is necessary to configure syslog and logrotate.

omv-env set -- OMV_SAMBA_SHARE_AUDIT_FACILITY "local5"

# By default at OMV, actually it isn't necessary to set it up

omv-env set -- OMV_SAMBA_SHARE_AUDIT_PRIORITY "NOTICE"

# And finally we configure OMV...

monit restart omv-engined

omv-salt stage run prepare

omv-salt stage run deploy

The last one last a little, be patient. Now those omv environment variables are set up and omv is configured, so when you check "audit" in a share, audit options are configured correctly into "smb.conf" file.

I hope that vfs_full_audit module will stop changing operations values and their meaning this way... this is crazy. Specially in a production environment. Options above aren't the best for me, because I miss some activity, but I haven't found anything better at the moment.

Maybe developers could consider to change the actual default operation values to updated ones, but I understand that this is a nightmare.

Hope that this could be useful to anyone. I'm going to keep following this functionality because it is quite important for me.

Kind regards.