Deleted Files Report

[Fabio Rodrigues]

I would like to create a weekly report that lists the deleted files in a FreeNAS share. What would be the best way to do that? Run "diff" between the volume and a snapshot? Any suggestions?

 

[m0nkey_]

The best way to do this is by enabling the audit VFS object on your SMB share.

http://doc.freenas.org/11/sharing.html#windows-smb-shares
https://www.samba.org/samba/docs/man/manpages/vfs_audit.8.html

 

[Fabio Rodrigues]

The best way to do this is by enabling the audit VFS object on your SMB share.

http://doc.freenas.org/11/sharing.html#windows-smb-shares
https://www.samba.org/samba/docs/man/manpages/vfs_audit.8.html

Thanks,
Is there a way to get only "unlink" entries in the logs? I enabled the audit but if I don't limit the operations the log will be huge.

 

[m0nkey_]

You might want to consider vfs_full_audit if you want to limit the events you wish to capture.

https://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html

vfs_full_audit:success = LIST

LIST is a list of VFS operations that should be recorded if they succeed. Operations are specified using the names listed above. Operations can be unset by prefixing the names with "!".

 

[Fabio Rodrigues]

You might want to consider vfs_full_audit if you want to limit the events you wish to capture.

https://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html

Thanks again, I'm adding this parameter "full_audit:success = unlink" in the "Auxiliary Parameters" field but I'm still seeing all the operations in the log. Am I missing anything?

 

[Fabio Rodrigues]

Thanks again, I'm adding this parameter "full_audit:success = unlink" in the "Auxiliary Parameters" field but I'm still seeing all the operations in the log. Am I missing anything?

Any ideas?

 

[anodos]

Any ideas?

Post contents of /usr/local/etc/smb4.conf

 

[Fabio Rodrigues]

Post contents of /usr/local/etc/smb4.conf

This is the share I'm trying to configure VFS:

Code:

[Images]
	path = /mnt/volume1/dataset1
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	vfs objects = zfs_space zfsacl full_audit aio_pthread
	hide dot files = yes
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare
	full_audit:success = unlink

 

[anodos]

This is the share I'm trying to configure VFS:

Code:

[Images]
	path = /mnt/volume1/dataset1
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	vfs objects = zfs_space zfsacl full_audit aio_pthread
	hide dot files = yes
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare
	full_audit:success = unlink

full_audit:failure defaults to "ALL". This means that with your above setup, samba will log all failed VFS operations. Try adding something like full_audit:failure = unlink.

 

[Fabio Rodrigues]

full_audit:failure defaults to "ALL". This means that with your above setup, samba will log all failed VFS operations. Try adding something like full_audit:failure = unlink.

Thanks anodos, that works!
What about the format of the entry in the log, is it possible to add the full path to the file that was deleted? Right now I'm seeing something like that:

Code:

Jul 25 15:15:05 freenas smbd_audit: domain\username|1.2.3.4|unlink|ok|Tulips.jpg

 

[anodos]

Check out the "Variable Substitutions" section of the smb.conf manpage. For example, full_audit:prefix = "%u|%I|%P". I'm not sure if %P will give you what you want (it's the path to the root directory of the current service, i.e. share). Perhaps "%u|%I|%$(path)". I personally don't use full_audit and so I don't know the details of how to achieve this. :)