VFS_FULL_AUDIT(8) System Administration tools VFS_FULL_AUDIT(8)

vfs_full_audit - record Samba VFS operations in the system log

vfs objects = full_audit

This VFS module is part of the samba(7) suite.

The vfs_full_audit VFS module records selected client operations to the
system log using syslog(3).

vfs_full_audit is able to record the complete set of Samba VFS
operations:
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_write
chdir
chflags
chmod
chmod_acl
chown
close
closedir
connect
disconnect
disk_free
fchmod
fchmod_acl
fchown
fget_nt_acl
fgetxattr
flistxattr
fremovexattr
fset_nt_acl
fsetxattr
fstat
fsync
ftruncate
get_nt_acl
get_quota
get_shadow_copy_data
getlock
getwd
getxattr
kernel_flock
lgetxattr
link
linux_setlease
listxattr
llistxattr
lock
lremovexattr
lseek
lsetxattr
lstat
mkdir
mknod
open
opendir
pread
pwrite
read
readdir
readlink
realpath
removexattr
rename
rewinddir
rmdir
seekdir
sendfile
set_nt_acl
set_quota
setxattr
stat
statvfs
symlink
sys_acl_add_perm
sys_acl_clear_perms
sys_acl_create_entry
sys_acl_delete_def_file
sys_acl_free_acl
sys_acl_free_qualifier
sys_acl_free_text
sys_acl_get_entry
sys_acl_get_fd
sys_acl_get_file
sys_acl_get_perm
sys_acl_get_permset
sys_acl_get_qualifier
sys_acl_get_tag_type
sys_acl_init
sys_acl_set_fd
sys_acl_set_file
sys_acl_set_permset
sys_acl_set_qualifier
sys_acl_set_tag_type
sys_acl_to_text
sys_acl_valid
telldir
unlink
utime
write

In addition to these operations, vfs_full_audit recognizes the special
operation names "all" and "none", which refer to all the VFS
operations and none of the VFS operations respectively.

vfs_full_audit records operations in a fixed format consisting of fields
separated by '|' characters. The format is:

    smbd_audit: PREFIX|OPERATION|RESULT|FILE


The record fields are:

· PREFIX - the result of the full_audit:prefix string after variable
  substitutions

· OPERATION - the name of the VFS operation

· RESULT - whether the operation succeeded or failed

· FILE - the name of the file or directory the operation was
  performed on


This module is stackable.

full_audit:prefix = STRING
    Prepend audit messages with STRING. STRING is processed for
    standard substitution variables listed in smb.conf(5). The default
    prefix is "%u|%I".

full_audit:success = LIST
    LIST is a list of VFS operations that should be recorded if they
    succeed. Operations are specified using the names listed above.

full_audit:failure = LIST
    LIST is a list of VFS operations that should be recorded if they
    fail. Operations are specified using the names listed above.

full_audit:facility = FACILITY
    Log messages to the named syslog(3) facility.

full_audit:priority = PRIORITY
    Log messages with the named syslog(3) priority.

Log file and directory open operations on the [records] share using the
LOCAL7 facility and ALERT priority, including the username and IP
address:

    [records]
    path = /data/records
    vfs objects = full_audit
    full_audit:prefix = %u|%I
    full_audit:success = open opendir
    full_audit:failure = all
    full_audit:facility = LOCAL7
    full_audit:priority = ALERT

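Records in the smbd_audit: PREFIX|OPERATION|RESULT|FILE format can be parsed for review or alerting. The Python sketch below is an added example, not part of the Samba man page; it counts failed operations per user and IP address. It assumes the default "%u|%I" prefix and that RESULT reads "ok" on success and "fail (reason)" otherwise (the page does not give the literal values); the log lines are constructed samples.

```python
from collections import Counter

MARKER = "smbd_audit: "

# Constructed sample syslog lines (not from a real system), default "%u|%I" prefix.
SAMPLE_LINES = [
    "Aug  2 10:01:07 fs1 smbd_audit: alice|192.0.2.10|open|ok|reports/q2.xls",
    "Aug  2 10:01:09 fs1 smbd_audit: bob|192.0.2.44|open|fail (Permission denied)|payroll/2011.xls",
    "Aug  2 10:01:10 fs1 smbd_audit: bob|192.0.2.44|opendir|fail (Permission denied)|payroll",
    "Aug  2 10:01:12 fs1 smbd_audit: alice|192.0.2.10|open|ok|notes/a|b.txt",
    "Aug  2 10:01:13 fs1 sshd[811]: unrelated line",
]


def parse_record(line, prefix_fields=2):
    """Return a dict for one audit record, or None for any other line.

    prefix_fields is how many '|'-separated fields full_audit:prefix expands
    to (2 for the default "%u|%I").
    """
    _, found, body = line.rstrip("\n").partition(MARKER)
    if not found:
        return None
    # Split off only PREFIX, OPERATION and RESULT; FILE is the remainder, so a
    # '|' inside a file name is not mistaken for a field separator.
    parts = body.split("|", prefix_fields + 2)
    if len(parts) != prefix_fields + 3:
        return None
    return {
        "prefix": tuple(parts[:prefix_fields]),
        "operation": parts[prefix_fields],
        "result": parts[prefix_fields + 1],
        "file": parts[prefix_fields + 2],
    }


def failures_by_client(lines, prefix_fields=2):
    """Count failed operations per PREFIX value (user and IP by default)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line, prefix_fields)
        # Assumption: RESULT is exactly "ok" on success, "fail (...)" otherwise.
        if rec and rec["result"] != "ok":
            counts[rec["prefix"]] += 1
    return counts


if __name__ == "__main__":
    for client, n in failures_by_client(SAMPLE_LINES).most_common():
        print("|".join(client), n)
```

If full_audit:prefix is changed, pass the matching prefix_fields value; a prefix value that itself contains '|' shifts the fields and cannot be parsed reliably.
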
This man page is correct for version 3.0.25 of the Samba suite.

The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.

Samba 3.5 08/02/2011 VFS_FULL_AUDIT(8)