VFS_FULL_AUDIT(8)        System Administration tools        VFS_FULL_AUDIT(8)

NAME
       vfs_full_audit - record Samba VFS operations in the system log

SYNOPSIS
       vfs objects = full_audit

DESCRIPTION
       This VFS module is part of the samba(7) suite.

       The vfs_full_audit VFS module records selected client operations to the
       system log using syslog(3).

       vfs_full_audit is able to record the complete set of Samba VFS
       operations:
           aio_force
           audit_file
           brl_lock_windows
           brl_unlock_windows
           chdir
           close
           closedir
           connect
           connectpath
           create_dfs_pathat
           create_file
           disconnect
           disk_free
           durable_cookie
           durable_disconnect
           durable_reconnect
           fallocate
           fchflags
           fchmod
           fchown
           fcntl
           fdopendir
           fget_compression
           fget_dos_attributes
           fget_nt_acl
           fgetxattr
           file_id_create
           filesystem_sharemode
           flistxattr
           fntimes
           freaddir_attr
           fremovexattr
           fs_capabilities
           fsctl
           fset_dos_attributes
           fset_nt_acl
           fsetxattr
           fs_file_id
           fstat
           fstatat
           fstreaminfo
           fsync_recv
           fsync_send
           ftruncate
           get_alloc_size
           get_dfs_referrals
           get_dos_attributes_recv
           get_dos_attributes_send
           getlock
           get_quota
           get_real_filename
           get_real_filename_at
           get_shadow_copy_data
           getwd
           getxattrat_recv
           getxattrat_send
           is_offline
           lchown
           linkat
           linux_setlease
           lock
           lseek
           lstat
           mkdirat
           mknodat
           ntimes
           offload_read_recv
           offload_read_send
           offload_write_recv
           offload_write_send
           open
           openat
           parent_pathname
           pread
           pread_recv
           pread_send
           pwrite
           pwrite_recv
           pwrite_send
           read
           read_dfs_pathat
           readdir
           readlinkat
           realpath
           recvfile
           removexattr
           renameat
           rewinddir
           seekdir
           sendfile
           set_compression
           set_offline
           set_quota
           snap_check_path
           snap_create
           snap_delete
           stat
           statvfs
           strict_lock_check
           symlinkat
           sys_acl_blob_get_fd
           sys_acl_delete_def_fd
           sys_acl_get_fd
           sys_acl_set_fd
           telldir
           translate_name
           unlinkat
           write

       In addition to these operations, vfs_full_audit recognizes the special
       operation names "all" and "none", which refer to all the VFS
       operations and none of the VFS operations respectively.

       If an unknown operation name is used (for example, an operation name is
       misspelled), the module will fail to load and clients will be refused
       connections to a share using this module.

       vfs_full_audit records operations in a fixed format consisting of
       fields separated by '|' characters. The format is:

           smbd_audit: PREFIX|OPERATION|RESULT|FILE

       The record fields are:

       •   PREFIX - the result of the full_audit:prefix string after
           variable substitutions

       •   OPERATION - the name of the VFS operation

       •   RESULT - whether the operation succeeded or failed

       •   FILE - the name of the file or directory the operation was
           performed on

       This module is stackable.

OPTIONS
       full_audit:prefix = STRING
           Prepend audit messages with STRING. STRING is processed for
           standard substitution variables listed in smb.conf(5). The default
           prefix is "%u|%I".

       full_audit:success = LIST
           LIST is a list of VFS operations that should be recorded if they
           succeed. Operations are specified using the names listed above.
           Operations can be unset by prefixing the names with "!". The
           default is no operations.

       full_audit:failure = LIST
           LIST is a list of VFS operations that should be recorded if they
           fail. Operations are specified using the names listed above.
           Operations can be unset by prefixing the names with "!". The
           default is no operations.

       full_audit:facility = FACILITY
           Log messages to the named syslog(3) facility.

       full_audit:priority = PRIORITY
           Log messages with the named syslog(3) priority.

       full_audit:syslog = true/false
           Log messages to syslog (default) or as a debug level 1 message.

       full_audit:log_secdesc = true/false
           Log an SDDL form of the security descriptor coming in when a client
           sets an ACL. Defaults to false.

EXAMPLES
       Log file and directory open operations on the [records] share using the
       LOCAL7 facility and ALERT priority, including the username and IP
       address. Logging excludes the open VFS function on failures:

           [records]
           path = /data/records
           vfs objects = full_audit
           full_audit:prefix = %u|%I
           full_audit:success = open fdopendir
           full_audit:failure = all !open
           full_audit:facility = LOCAL7
           full_audit:priority = ALERT
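
       Records in the PREFIX|OPERATION|RESULT|FILE format described above can
       be parsed as follows. This is an added example, not part of the Samba
       documentation or code; the syslog header layout, the RESULT literals
       "ok" and "fail (...)", the sample lines and the function names are
       assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed syslog layout: "<timestamp> <host> smbd_audit[<pid>]: <record>".
RECORD_RE = re.compile(r"smbd_audit(?:\[\d+\])?: (?P<record>.*)$")

# Constructed sample lines (not real logs), using the default prefix "%u|%I".
SAMPLE_LOG = """\
Nov 30 10:00:01 fs1 smbd_audit: alice|192.0.2.10|open|ok|/data/records/q3.xlsx
Nov 30 10:00:02 fs1 smbd_audit[812]: bob|192.0.2.44|unlinkat|fail (Permission denied)|/data/records/a|b.txt
Nov 30 10:00:03 fs1 smbd_audit[812]: bob|192.0.2.44|renameat|fail (Permission denied)|/data/records/q3.xlsx
Nov 30 10:00:04 fs1 smbd_audit[812]: bob|192.0.2.44|mkdirat|fail (Permission denied)|/data/records/tmp
Nov 30 10:00:05 fs1 sshd[99]: Accepted publickey for alice
"""


def parse_record(line, prefix_fields=2):
    """Split one line into PREFIX parts, OPERATION, RESULT and FILE.

    prefix_fields is the number of '|'-separated parts that
    full_audit:prefix expands to (2 for the default "%u|%I").
    Returns None for lines that are not complete audit records.
    """
    match = RECORD_RE.search(line)
    if match is None:
        return None
    # FILE is the last field and may itself contain '|', so cap the split.
    parts = match.group("record").split("|", prefix_fields + 2)
    if len(parts) != prefix_fields + 3:
        return None
    operation, result, file_name = parts[prefix_fields:]
    return {"prefix": tuple(parts[:prefix_fields]), "operation": operation,
            "result": result, "file": file_name}


def failures_by_client(lines, prefix_fields=2):
    """Count failed operations per PREFIX (user and client IP by default)."""
    counts = Counter()
    for line in lines:
        record = parse_record(line, prefix_fields)
        # Assumption: failed operations carry a RESULT starting with "fail".
        if record and record["result"].startswith("fail"):
            counts[record["prefix"]] += 1
    return counts


if __name__ == "__main__":
    for client, count in failures_by_client(SAMPLE_LOG.splitlines()).items():
        print(client, count)
```

       If full_audit:prefix is changed, pass the number of '|'-separated parts
       it expands to as prefix_fields so the remaining fields stay aligned.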

VERSION
       This man page is part of version 4.18.9 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

Samba 4.18.9                      11/30/2023                 VFS_FULL_AUDIT(8)