Hello Team,

Please note, I has implemented full monitoring of user(s) of samba at Bry-air wh

ich can be monitored via samba-audit.log in /var/log directory. Also in addition
to it i have added sticky bit permission to home directory so that user can mod
ified only their files respectively.
Amit Sir- Please document this in wiki for future reference.
STEPS:
1. Add the vfs objects section in /etc/samba/smb.conf
-----------[global]
... other stuff ...
# Full audit
vfs object = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:failure = connect
full_audit:facility = local7
full_audit:priority = notice
2. Edit the file /etc/rsyslog.d/50-default.conf to don't send the audit log to /
var/log/syslog:
-------------# Change this line
*.*;auth,authpriv.none
-/var/log/syslog
# To
*.*;auth,authpriv.none,local7.none -/var/log/syslog
3. Then add the local7 log faciliy and put messages in /var/log/samba-audit.log:
-------------# Add this line
local7.notice
/var/log/samba-audit.log
4. To totate the logs weekly add this section to /etc/logrotate.d/samba:
-------------/var/log/samba-audit.log {
weekly
missingok
rotate 7
postrotate
reload rsyslog > /dev/null 2>&1 || true
endscript
compress
notifempty
}
5. Restart everything:
-----------service rsyslog restart
service smbd restart