samba开启用户审计_samba出用户日志

1./etc/samba/smb.conf添加如下配置:

global：

[global]
	workgroup = SAMBA
	security = user
 
	passdb backend = tdbsam
 
	printing = cups
	printcap name = cups
	load printers = yes
	cups options = raw
	log file = /var/log/samba/%m.log
	log level = 5 vfs:10 # 定义日志级别
	vfs object = vfs
	vfs object = full_audit #开启审计
	full_audit:prefix = %u|%I|%S
	full_audit:failure = connect chdir #审计失败的动作
	full_audit:success = mkdir rmdir rename unlink pwrite_send pwrite_recv pread_recv pread_send  #审计成功的动作
	#full_audit:success =     mkdir rmdir rename unlink pwrite pread sendfile recvfile
	full_audit:facility = local5 #审计日志保存位置设置
	full_audit:priority = notice #定义日志级别

共享目录：

[share]
	comment = share
	path = /home/share
	public = no
	writable = yes
	vfs object = vfs
	vfs object = full_audit #该目录开启审计

2.日志输出设置：/etc/rsyslog.conf

local5.*						/var/log/samba/audit.log

3.审计日志如下：

[root@lrh001 ~]# tail -f /var/log/samba/audit.log 
May 17 15:44:09 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_send|ok|/home/share/jishubu/1.txt
May 17 15:44:09 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_recv|ok|/home/share/jishubu/1.txt
May 17 15:44:14 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_send|ok|/home/share/jishubu/新建文本文档 (2).txt
May 17 15:44:14 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_recv|ok|/home/share/jishubu/新建文本文档 (2).txt
May 17 15:44:23 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_send|ok|/home/share/yewu/yewu.txt
May 17 15:44:23 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_recv|ok|/home/share/yewu/yewu.txt
May 17 15:44:31 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_send|ok|/home/share/yewu/yewu.txt
May 17 15:44:31 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_recv|ok|/home/share/yewu/yewu.txt
May 17 15:51:43 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_send|ok|/home/share/yewu/yewu.txt
May 17 15:51:43 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_recv|ok|/home/share/yewu/yewu.txt