How do you log SMB activity?

Flupp

Dabbler
Joined
Jul 3, 2023
Messages
13
I have a Graylog server that I use to forward syslog from my other servers (a few Synology, Proxmox, etc). I'd like to get specific SMB events to also be recorded and sent to my Graylog server, specifically for file deletion, access, modification.

I've already forwarded the syslog to my Graylog, and can confirm that works fine but I'm not seeing any SMB activity in it. I've seen a few posts from a few years ago talking about options that no longer exist in the GUI.
 
Joined
Oct 22, 2019
Messages
3,641
I've seen a few posts from a few years ago talking about options that no longer exist in the GUI.
You don't see this option in your GUI?

smb-logging.png
 

Flupp

Dabbler
Joined
Jul 3, 2023
Messages
13
Hi,

I do see that. I had set that to Normal before, but that doesn't seem to be generating file access related logs. All I'm after is seeing which AD user accessed, created, deleted or modified a file.
 
Joined
Oct 22, 2019
Messages
3,641
Maybe the SMB service needs to be restarted for it to take effect?

Did you try "Full" as the logging level?
 
Joined
Oct 22, 2019
Messages
3,641
Here we go. You need to use the "audit" module:

You can use the "Auxiliary Parameters" under a particular Share to add these options. (Not sure it can be done globally.)

An example:
Code:
vfs objects = full_audit
full_audit:failure = mkdir rename rmdir read open pwrite write unlink
full_audit:success = mkdir rename rmdir read open pwrite write unlink
full_audit:prefix = %u|%I|%S
 

Flupp

Dabbler
Joined
Jul 3, 2023
Messages
13
I found something similar that got me halfway there, although I don't see why I need to add zfsacl and ixnas so will try without them as well on this test SMB share.

Code:
vfs objects=full_audit zfsacl ixnas
full_audit:prefix=%u|%I|%m|%S
full_audit:priority=notice
full_audit:success=pread pwrite mkdirat renameat unlinkat open


Are you familiar with the VFS options? Not sure what the difference is between read and pread, or rename and renameat? I'm going through the options atm trying to find one for file modifications.
 
Joined
Oct 22, 2019
Messages
3,641
Are you familiar with the VFS options?
When devs name things, expect to be confused.

I know "unlink" is when a file is deleted.

The "p" in front of pwrite and pread is if a position is seeked within the file prior to the operation.

EDIT: I think yours looks good to go. Let us know how it works. :smile:

EDIT 2: You can also add an option to log all "failed attempts" of the same operations:
Code:
full_audit:failure=pread pwrite mkdirat renameat unlinkat open
 

Flupp

Dabbler
Joined
Jul 3, 2023
Messages
13
Code:
vfs objects=full_audit ixnas
full_audit:prefix=%u|%I|%m
full_audit:priority=notice
full_audit:success=mkdirat renameat unlinkat

So with this, I'm able to log creating / renaming / making of dirs and files which is great. I'd like to also log file modifications but can't seem to find the VFS option for it. Wish the samba docs had a brief description of each option :(
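
Added example, not part of any post in this thread: a Python parser that splits full_audit syslog lines into named fields (user, client, operation, result, path) for whichever `full_audit:prefix` template the share uses, so the records can be filtered before or after they reach Graylog. The line layout `<prefix>|<operation>|<result>|<arguments>`, the `smbd_audit` tag, the field names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: each full_audit syslog message has the layout
#   <prefix>|<operation>|<result>|<arguments>
# after an "smbd_audit" tag, with <result> either "ok" or "fail (<reason>)".
TAG_RE = re.compile(r"smbd_audit(?:\[\d+\])?:\s*(.*)$")
RESULT_RE = re.compile(r"^(?:ok|fail \((.*)\))$")
# Field names chosen here for the substitutions used in the thread's prefixes.
FIELD_NAMES = {"%u": "user", "%I": "client_ip", "%m": "client_name", "%S": "share"}


def parse_audit_line(line, prefix="%u|%I|%m|%S"):
    """Return a dict of fields for one log line, or None if it is not an audit record."""
    tag = TAG_RE.search(line)
    if not tag:
        return None
    keys = [FIELD_NAMES.get(token, token) for token in prefix.split("|")]
    parts = tag.group(1).split("|")
    if len(parts) < len(keys) + 2:
        return None
    result = RESULT_RE.match(parts[len(keys) + 1])
    if not result:
        return None  # the prefix template does not match this line
    record = dict(zip(keys, parts[:len(keys)]))
    record["operation"] = parts[len(keys)]
    record["success"] = parts[len(keys) + 1] == "ok"
    record["reason"] = result.group(1)
    # File names may contain "|", so keep the arguments as one raw string.
    record["args"] = "|".join(parts[len(keys) + 2:])
    return record


# Constructed sample lines (not captured from a real server).
SAMPLE_LINES = [
    "Jul  5 10:01:02 nas smbd_audit[4321]: EXAMPLE\\alice|192.0.2.10|ws01|projects|mkdirat|ok|/mnt/tank/projects/new",
    "Jul  5 10:01:09 nas smbd_audit[4321]: EXAMPLE\\alice|192.0.2.10|ws01|projects|renameat|ok|/mnt/tank/projects/new|/mnt/tank/projects/q3",
    "Jul  5 10:02:30 nas smbd_audit[4400]: EXAMPLE\\bob|192.0.2.11|ws02|projects|unlinkat|fail (Permission denied)|/mnt/tank/projects/q3/plan.txt",
    "Jul  5 10:02:31 nas smbd[4400]: unrelated daemon message",
]


def failed_operations(lines, prefix="%u|%I|%m|%S"):
    """Return (user, operation, reason, args) for every failed audited operation."""
    records = (parse_audit_line(line, prefix) for line in lines)
    return [(r.get("user"), r["operation"], r["reason"], r["args"])
            for r in records if r and not r["success"]]
```

Pass the same template as the share's `full_audit:prefix` (for example `prefix="%u|%I|%m"`); a line that does not fit the template returns `None` instead of producing shifted fields.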
 