Samba
Default Samba logging writes debug information and event data (such as users connecting to a share) to the files specified by the log file parameter in the Samba config smb.conf. For example:
- log file = /var/log/samba/%m.log
Default Samba logs have limited use. They are very noisy, contain a lot of redundant information and are generated in multiline format, which makes them hard to parse. For those reasons the Logmanager Samba parser was created for File Access logs only and will not work with default Samba logs.
Enabling file access logging can potentially overload your system – especially if your shares are highly utilized. Always make sure to configure proper log rotation.
To audit file operations on a Samba share you need to have the VFS Full Audit module available. It should be installed automatically with Samba, but you can double check by running the command below [Ubuntu/Debian example]: dpkg -s samba-vfs-modules
If the package is not present on your system you can install it by running [Ubuntu/Debian example]: apt-get install samba-vfs-modules
After confirming the VFS Full Audit module is available, edit the Samba config smb.conf (usually in /etc/samba/smb.conf).
Then add the following lines to whichever share you want to monitor:
vfs objects = full_audit
full_audit:failure = none
full_audit:success = mkdir rename unlink rmdir open pwrite connect
full_audit:prefix = %u|%I|%m|%S
full_audit:facility = local7
full_audit:priority = NOTICE
Example:
[Logmanager]
path = /home/logmanager/
browseable = yes
read only = no
writable = yes
guest ok = yes
vfs objects = full_audit
full_audit:failure = none
full_audit:success = mkdir rename unlink rmdir open pwrite connect
full_audit:prefix = %u|%I|%m|%S
full_audit:facility = local7
full_audit:priority = NOTICE
Reload Samba for the changes to take effect [Ubuntu/Debian]: systemctl restart smbd
Now any action made to a file in the above share will create a log entry in the default system log /var/log/messages.
The log facility is set to LOCAL7 in the line full_audit:facility = local7. This value is required for the file redirection described below. If any other log source in your system is already using this facility, make sure to use a different value for Samba.
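With the prefix %u|%I|%m|%S from the configuration above, each File Access entry arrives as pipe-separated fields: the four prefix fields, then the operation name, "ok" or "fail", and the operation's arguments. The following is an added example, not part of this documentation or of the Logmanager parser, that parses lines of that shape and runs a simple detection over them (a burst of unlink/rename operations from one user and client, a pattern worth alerting on for mass deletion). The sample log lines are constructed; the syslog timestamp, host name and the smbd_audit program name are assumed to match what your syslog daemon writes.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape produced by full_audit with the
# prefix "%u|%I|%m|%S" (user|client IP|client name|share), as written to
# syslog. Timestamp, host and the "smbd_audit" tag are assumptions.
SAMPLE_LOG = """\
Nov 12 10:00:01 fileserver smbd_audit: alice|10.0.0.5|ws01|Logmanager|connect|ok|Logmanager
Nov 12 10:00:02 fileserver smbd_audit: alice|10.0.0.5|ws01|Logmanager|open|ok|r|reports/q3.xlsx
Nov 12 10:00:03 fileserver smbd_audit: alice|10.0.0.5|ws01|Logmanager|pwrite|ok|reports/q3.xlsx
Nov 12 10:00:10 fileserver smbd_audit: bob|10.0.0.9|ws07|Logmanager|unlink|ok|reports/a.docx
Nov 12 10:00:11 fileserver smbd_audit: bob|10.0.0.9|ws07|Logmanager|unlink|ok|reports/b.docx
Nov 12 10:00:12 fileserver smbd_audit: bob|10.0.0.9|ws07|Logmanager|unlink|ok|reports/c.docx
Nov 12 10:00:13 fileserver smbd_audit: bob|10.0.0.9|ws07|Logmanager|rename|ok|reports/d.docx|reports/d.docx.locked
Nov 12 10:02:00 fileserver smbd_audit: carol|10.0.0.12|ws03|Logmanager|mkdir|ok|archive/2024
"""

# Classic syslog line: "<Mon dd HH:MM:SS> <host> smbd_audit: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) smbd_audit: (?P<msg>.*)$"
)

# Field names for the prefix "%u|%I|%m|%S"; change this if you change the prefix.
PREFIX_FIELDS = ("user", "client_ip", "client_name", "share")


def parse_line(line, year=2024):
    """Return a dict for one audit line, or None if it is not an audit line."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("msg").split("|")
    n = len(PREFIX_FIELDS)
    if len(parts) < n + 2:          # need prefix + op + result at minimum
        return None
    rec = dict(zip(PREFIX_FIELDS, parts[:n]))
    rec["op"] = parts[n]
    rec["result"] = parts[n + 1]     # "ok" or "fail"
    rec["args"] = parts[n + 2:]      # operation-specific, e.g. ["r", "path"] for open
    rec["host"] = m.group("host")
    # syslog timestamps carry no year, so the caller supplies it
    rec["ts"] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return rec


def parse_log(text, year=2024):
    """Parse every audit line in a block of syslog text, skipping non-matching lines."""
    return [r for r in (parse_line(l, year) for l in text.splitlines()) if r]


def ops_per_user(records):
    """Count operations per user, e.g. {"alice": {"open": 1, ...}}."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["user"]][r["op"]] += 1
    return {u: dict(c) for u, c in counts.items()}


def find_deletion_bursts(records, threshold=3, window=timedelta(seconds=60)):
    """Flag (user, client_ip, count) where unlink/rename reach `threshold` within `window`."""
    by_actor = defaultdict(list)
    for r in records:
        if r["op"] in ("unlink", "rename") and r["result"] == "ok":
            by_actor[(r["user"], r["client_ip"])].append(r["ts"])
    alerts = []
    for (user, ip), times in by_actor.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append((user, ip, j - i))
                break                # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(ops_per_user(recs))
    print(find_deletion_bursts(recs))
```

Point parse_log at the contents of /var/log/samba.log (or /var/log/messages before redirection) and the same functions work on real entries; the regular expression only matches the classic syslog layout, so adjust it if your daemon writes ISO timestamps.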
You can ship the whole /var/log/messages to Logmanager, but apart from Samba logs it will also contain other system messages, so unless you are interested in monitoring those, we suggest writing Samba logs to a separate file and shipping it independently from system messages.
To redirect Samba File Access logs to a different file you need to configure your syslog daemon.
Example for Syslog-ng:
Add the following lines to /etc/syslog-ng/syslog-ng.conf:
#Set output file
destination d_samba { file("/var/log/samba.log"); };
#Set filter based on facility equal to local7
filter f_samba { facility(local7); };
#Combine above: take source (system messages) -> filter it by facility -> save to destination file
log { source(s_src); filter(f_samba); destination(d_samba); };
Remember to reload the syslog daemon for the changes to take effect.
Example for Syslog-ng:
[Ubuntu/Debian]: systemctl restart syslog-ng
All the logs from Samba File Access will now be redirected to /var/log/samba.log.
Make sure to configure your syslog daemon to forward this file to Logmanager, as it won't happen by default. Instructions on file forwarding for Linux Syslog-NG and Linux Rsyslog are available in the Logmanager documentation.