From: Jeremy Allison on
On Tue, Jun 15, 2010 at 10:04:57AM -0500, Darren Hildebrand wrote:
> I'm trying to set up a samba server to audit only the file operations
> that I care about, which are create, modify, delete, and rename (for
> files and folders). I've got the full_audit vfs module working well,
> except that I haven't been able to figure out what to set it to log (in
> the "full_audit:success" setting) to include file creation and
> modification. If I log pwrite, then it floods the logs with many
> entries for every single file write, especially when writing large
> files. I get almost 200 messages when writing a 10 MB file. Is there
> something I can log to make it write a single entry on file creation or
> modification? "Write" doesn't seem to log anything, but pwrite is far
> too verbose for my needs.

We don't use "write" anymore - all writes go through pwrite.
You want to log "open", not "pwrite".

Jeremy.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Jeremy Allison on
On Tue, Jun 15, 2010 at 12:20:34PM -0500, Darren Hildebrand wrote:
> On 15/06/2010 12:09 PM, Jeremy Allison wrote:
>> On Tue, Jun 15, 2010 at 10:04:57AM -0500, Darren Hildebrand wrote:
>>
>>> I'm trying to set up a samba server to audit only the file operations
>>> that I care about, which are create, modify, delete, and rename (for
>>> files and folders). I've got the full_audit vfs module working well,
>>> except that I haven't been able to figure out what to set it to log (in
>>> the "full_audit:success" setting) to include file creation and
>>> modification. If I log pwrite, then it floods the logs with many
>>> entries for every single file write, especially when writing large
>>> files. I get almost 200 messages when writing a 10 MB file. Is there
>>> something I can log to make it write a single entry on file creation or
>>> modification? "Write" doesn't seem to log anything, but pwrite is far
>>> too verbose for my needs.
>>>
>> We don't use "write" anymore - all writes go through pwrite.
>> You want to log "open", not "pwrite".
>>
>> Jeremy.
>>
>
> Thanks, it looks like open is a lot closer to what I'm looking for.
> Just one more question with that - it looks like "open" logs reads and
> writes, where I'm really just concerned about writes. I can see that
> they're distinguished with the "r" and "w" near the end of the log line,
> but is there any way to log only the "w" entries? I'm sure I could come
> up with a way to filter it using syslog as well, but I was hoping to be
> able to not have them sent to syslog in the first place if there's a way
> to do that.

Not without code changes to the audit module I'm afraid. What
you want is to log all opens with the O_CREAT flag set, but
the audit module isn't specific enough to do that. You'll have
to filter post logging I'm afraid (or change the "audit_open"
call to check for the O_CREAT flag in the "flags" variable
before logging).

Jeremy.
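Added example, not part of the original thread and not Samba's own code: one way to do the post-logging filtering described above, keeping "open" records marked "w" plus delete, rename and directory operations. The record layout, the smbd_audit syslog tag, the two-field prefix, the operation names other than "open" and "pwrite", and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed record layout: syslog header, then "<prefix>|<op>|<result>|<args>".
# <prefix> has PREFIX_FIELDS pipe-separated fields (2 for a "user|ip" prefix)
# and the args of an "open" record are "<r or w>|<path>".
PREFIX_FIELDS = 2
AUDIT_TAG = re.compile(r"smbd_audit(?:\[\d+\])?: (.*)$")
# Operations kept unconditionally; "open" is kept only when marked "w".
ALWAYS_KEEP = {"unlink", "rename", "mkdir", "rmdir"}


def parse(line):
    """Return (op, result, args), or None if this is not an audit record."""
    m = AUDIT_TAG.search(line.rstrip("\n"))
    if not m:
        return None
    # maxsplit keeps any "|" inside a file name within the args field.
    fields = m.group(1).split("|", PREFIX_FIELDS + 2)
    if len(fields) < PREFIX_FIELDS + 2:
        return None  # truncated or unexpected record
    op, result, args = (fields + [""])[PREFIX_FIELDS:PREFIX_FIELDS + 3]
    return op, result, args


def is_write_event(line):
    """True for successful write-opens and for operations in ALWAYS_KEEP."""
    rec = parse(line)
    if rec is None or not rec[1].startswith("ok"):
        return False
    op, _, args = rec
    if op == "open":
        # First args field is the r/w marker discussed in the thread.
        return args.partition("|")[0] == "w"
    return op in ALWAYS_KEEP


def filter_writes(lines):
    return [line for line in lines if is_write_event(line)]


# Constructed sample lines (not real log output).
SAMPLE = [
    "Jun 15 12:20:01 fs1 smbd_audit: darren|192.0.2.20|open|ok|r|reports/q2.xls",
    "Jun 15 12:20:05 fs1 smbd_audit: darren|192.0.2.20|open|ok|w|reports/q2.xls",
    "Jun 15 12:20:06 fs1 smbd_audit: darren|192.0.2.20|pwrite|ok|reports/q2.xls",
    "Jun 15 12:20:09 fs1 smbd_audit: darren|192.0.2.20|rename|ok|a.xls|b.xls",
    "Jun 15 12:20:15 fs1 sshd[411]: session opened for user darren",
]
if __name__ == "__main__":
    print("\n".join(filter_writes(SAMPLE)))
```

If "full_audit:prefix" is set to something with a different number of "|"-separated fields, adjust PREFIX_FIELDS to match.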
From: Darren Hildebrand on
On 15/06/2010 12:09 PM, Jeremy Allison wrote:
> On Tue, Jun 15, 2010 at 10:04:57AM -0500, Darren Hildebrand wrote:
>
>> I'm trying to set up a samba server to audit only the file operations
>> that I care about, which are create, modify, delete, and rename (for
>> files and folders). I've got the full_audit vfs module working well,
>> except that I haven't been able to figure out what to set it to log (in
>> the "full_audit:success" setting) to include file creation and
>> modification. If I log pwrite, then it floods the logs with many
>> entries for every single file write, especially when writing large
>> files. I get almost 200 messages when writing a 10 MB file. Is there
>> something I can log to make it write a single entry on file creation or
>> modification? "Write" doesn't seem to log anything, but pwrite is far
>> too verbose for my needs.
>>
> We don't use "write" anymore - all writes go through pwrite.
> You want to log "open", not "pwrite".
>
> Jeremy.
>

Thanks, it looks like open is a lot closer to what I'm looking for.
Just one more question with that - it looks like "open" logs reads and
writes, where I'm really just concerned about writes. I can see that
they're distinguished with the "r" and "w" near the end of the log line,
but is there any way to log only the "w" entries? I'm sure I could come
up with a way to filter it using syslog as well, but I was hoping to be
able to not have them sent to syslog in the first place if there's a way
to do that.

Thanks.

Darren