How can I know who did what, and when, on the server

Status
Not open for further replies.

freenasbbs

Dabbler
Joined
Jan 9, 2014
Messages
37
Hello
FreeNAS version: 9.2
File system: ZFS
Share: CIFS
Are there any log files that can record who/when/what (read/write/execute/delete…) on the FreeNAS server?
Somebody asked me who deleted a file.
I don't know, because that file can be read/modified/deleted by more than 2 users.

Thank you
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
You can enable the cifs recycle bin feature. If someone deletes a file it'll go to the .recycle/usernamethatdeletedit/original_file_structure folder. Then you'll know the username that deleted it (as well as be able to recover it).
 

freenasbbs

Dabbler
Joined
Jan 9, 2014
Messages
37
Thank you!
I can recover files from zfs snapshots.
I just want to know who deletes files (or modifies files, or moves files from this folder to another folder).
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
And I just told you how......

We've seen this question asked before.. the recycle bin rocks!
 

Dusan

Guru
Joined
Jan 29, 2013
Messages
1,165
> And I just told you how......
>
> We've seen this question asked before.. the recycle bin rocks!
But that won't tell him who modified/moved the files...
@freenasbbs you should look at the vfs_audit or vfs_full_audit samba module. Check this post for more information about vfs_full_audit: User activity log
vfs_audit is simpler and should probably be enough for your needs: https://www.samba.org/samba/docs/man/manpages-3/vfs_audit.8.html
Also check the smb.conf generated by the GUI. It already includes some vfs objects (zfsacl, shadow copies, recycle bin, ...). When adding the vfs objects auxiliary parameter make sure to include the default modules (in the same order).
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
Yes, it does. I don't understand why I have to explain this in detail every time. :(

If /mnt/tank is shared as CIFS sharename "tank" and my username (cyberjock) deleted file /mnt/tank/folder1/file1.doc the file will be moved from /mnt/tank/folder1/file1.doc to /mnt/tank/.recycle/cyberjock/folder1/file1.doc.

Notice that my username is in the deleted file's new directory structure. So you know precisely who deleted the file.

As for editing a file, that gets messy. Some of the vfs objects and some of the modules do not work properly in FreeNAS (hence I've been waiting patiently for Samba 4). The one that took some work to identify was the filename organizing (alphabetic sorting). Then the devs figured out it was more than just 1 module that was broken and the answer was 'wait until Samba 4'. :(
 

Dusan

Guru
Joined
Jan 29, 2013
Messages
1,165
> Yes, it does. I don't understand why I have to explain this in detail every time. :(
>
> If /mnt/tank is shared as CIFS sharename "tank" and my username (cyberjock) deleted file /mnt/tank/folder1/file1.doc the file will be moved from /mnt/tank/folder1/file1.doc to /mnt/tank/.recycle/cyberjock/folder1/file1.doc.

I know that, there's no need to explain the basics to me. Please read my post again. I was explicitly speaking about "modified/moved" files as your previous post made it seem that the recycle bin also helps in those cases. (The OP said that he knows about and uses recycle bin, but he also wants to know who changed/moved files and you responded that recycle bin rocks. Huh ???)

> Some of the vfs objects and some of the modules do not work properly in FreeNAS (hence I've been waiting patiently for Samba 4).

If you check the thread I linked you'll find that the guy managed to get vfs_full_audit to work based on my instructions. vfs_audit is even simpler so there is no reason why it should not work (and even if it doesn't then the OP can use vfs_full_audit).
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
Ah, my bad. I thought you were saying my recycle bin didn't work. Sorry!
 

freenasbbs

Dabbler
Joined
Jan 9, 2014
Messages
37
Thanks all!
This is exactly what I need, thanks!
Now I have added these settings to "Auxiliary parameters":

vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rmdir write rename
full_audit:failure = none
full_audit:facility = LOCAL7
full_audit:priority = ALERT

The CIFS log level is full, and then I restarted CIFS.

But unfortunately, it doesn't seem to work.

After I create some files in the shared folder and then vi /var/log/messages, I can't find any information about "create files". By the way, it shows an error message: smbd_do_qfsinfo: not an allowed info level (0x102) on IPC$
 

Dusan

Guru
Joined
Jan 29, 2013
Messages
1,165
> vfs objects = full_audit
> full_audit:prefix = %u|%I|%m|%S
> full_audit:success = mkdir rmdir write rename
> full_audit:failure = none
> full_audit:facility = LOCAL7
> full_audit:priority = ALERT
>
> after i create some files on the share folder, then vi /var/log/messages

Two things:
  • Do not start with a fully configured module and wonder why it doesn't work. Start simple (just the module), verify that it works, and then add options. I think the problem in your case is the local7.alert log facility/priority. If you remove those two lines the default user.notice will get logged. If you want to change it, first check in /etc/syslog.conf what messages are actually logged in FreeNAS.
  • You ignored my instructions about checking smb.conf for already existing vfs modules. Your vfs objects line should contain at least "zfsacl full_audit". See this ticket for details: https://bugs.freenas.org/issues/2288
 

freenasbbs

Dabbler
Joined
Jan 9, 2014
Messages
37
Thank you for your help.
I am sorry, I made a mistake before: the settings I set were for the CIFS server, not for a CIFS share.

Now I have changed it and it works OK. Thank you very much!

Another question: my client OS is Chinese Windows XP, and many file names are Chinese.
But the FreeNAS shell does not support Chinese, so I can't recognize the exact file name in /var/log/messages.
For example, a user (jsb1) creates a "new folder" (its default name is Chinese) under directory aaa.
/var/log/messages shows:

jsb1|192.168.1.102|pc-20130504oabz|juan|mkdir|ok|aaa/\xe6M-^V\xb0\xe5\xbb\xba\xe6M-^VM-^G\xe4\xbb\xb6\xe5\xa4\xb9

Maybe "\xe6M-^V\xb0\xe5\xbb\xba\xe6M-^VM-^G\xe4\xbb\xb6\xe5\xa4\xb9" means "newfolder".

Is there any way to make the FreeNAS shell support Chinese? Thank you~
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
654
Well ... I don't think that this is possible in a native way, but check this, maybe you will be able to make it work somehow.
 

Dusan

Guru
Joined
Jan 29, 2013
Messages
1,165
> but login.conf will be reset after every reboot.

You do not need to edit the system wide login.conf. Just create a new user and experiment with ~/.login_conf (the .login_conf file in his home directory).
(This won't work with root's home directory, as that one is also on the read-only root filesystem.)
 

freenasbbs

Dabbler
Joined
Jan 9, 2014
Messages
37
Thank you, Dusan!
Can you give me more detail?
I'm sorry, maybe I don't understand what you mean, or there are some problems.
I created a new user (user1) on the web GUI page and set his home directory to "/mnt/sfile/user1".
After rebooting FreeNAS, I can't find any file in user1's home directory,
and I can't find any files with the command "find / -name .login_conf".
I only find two login.conf files with the command "find / -name login.conf", but they will be reset after reboot.

Thanks for your help!
 

Dusan

Guru
Joined
Jan 29, 2013
Messages
1,165
~/.login_conf is not created automatically. You have to create it yourself and for that user it will override the default one (/etc/login.conf). Quoting the documentation: http://www.freebsd.org/cgi/man.cgi?query=login.conf
> In FreeBSD, users may individually create a file called .login_conf in their home directory using the same format, consisting of a single entry with a record id of "me". If present, this file is used by login(1) to set user-defined environment settings which override those specified in the system login capabilities database.
 

freenasbbs

Dabbler
Joined
Jan 9, 2014
Messages
37
I learned one more thing.
I can type Chinese in the PuTTY shell now, very happy. Thank you, thank you!

But it seems it can't help me read the messages yet. Its (/var/log/messages) contents (Chinese characters) are still not shown correctly.

Is the log file (/var/log/messages) written by the system (or user: root) using another charset (not the settings I made for the new user in order to show Chinese)?

So changing the user's /.login_conf did not help me read /var/log/messages; the problem still exists.
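
Added example, not part of the original thread: the escaped path in the audit record quoted above can be decoded offline, independent of the shell's locale. The sketch assumes the `%u|%I|%m|%S` prefix used in the thread, that `\xNN` is a hex byte, that `M-^X` and `M-X` are the conventional meta notations for bytes 0x80 and above, and that the file name bytes are UTF-8; `unescape` and `parse_audit` are hypothetical names.

```python
import re

# Constructed sample: the audit record quoted in the thread, i.e. the part of
# the /var/log/messages line that follows the syslog header.
SAMPLE = (r"jsb1|192.168.1.102|pc-20130504oabz|juan|mkdir|ok|"
          r"aaa/\xe6M-^V\xb0\xe5\xbb\xba\xe6M-^VM-^G\xe4\xbb\xb6\xe5\xa4\xb9")

# Field names for full_audit:prefix = %u|%I|%m|%S, followed by the operation
# and its result, which full_audit appends itself.
FIELDS = ("user", "client_ip", "client_name", "share", "operation", "result")

# One escaped byte: \xNN, M-^X (meta + control) or M-X (meta + printable).
# M-^X is tried first; the notation cannot distinguish it from "M-^" + "X".
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|M-\^([?-_])|M-([ -~])")


def unescape(text):
    """Rebuild the raw bytes behind the escapes and decode them as UTF-8."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("utf-8")   # unescaped literal text
        if m.group(1):
            out.append(int(m.group(1), 16))          # \xNN
        elif m.group(2):
            out.append(0x80 | (ord(m.group(2)) ^ 0x40))  # M-^V -> 0x96
        else:
            out.append(0x80 | ord(m.group(3)))       # M-x
        pos = m.end()
    out += text[pos:].encode("utf-8")
    return out.decode("utf-8", errors="replace")


def parse_audit(record):
    """Split one audit record into named fields with a readable path."""
    # maxsplit keeps any further '|' (e.g. rename's old|new) inside the path.
    parts = record.split("|", len(FIELDS))
    if len(parts) != len(FIELDS) + 1:
        raise ValueError("not a full_audit record with the %u|%I|%m|%S prefix")
    event = dict(zip(FIELDS, parts))
    event["path"] = unescape(parts[-1])
    return event


if __name__ == "__main__":
    print(parse_audit(SAMPLE))
```

Only the path field is unescaped, so a literal `M-` in a user or machine name is left alone; a literal `M-` inside a file name would still be misread as an escape.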
 