I followed this description on how to enable audit for Samba (entry of Aug 10, 2009) and wanted to get all additionally enabled logging in a special log file (/var/log/samba/log.audit). The mentioned line local7.* /var/log/samba/log.audit I placed at the end of my existing /etc/rsyslog.conf file. It seemed a bit out of place there, but after restarting everything, the mentioned file was created, presumably by the syslog daemon, so I assumed this was working.
But it stayed at a size of 0 bytes. After creation of the file, nothing was logged there.
It took me some time but then I found that all logging was done into the default syslog file (/var/log/syslog).
I guess the config line in /etc/rsyslog.conf is correct, but somehow the way it was supposed to be addressed in the /etc/samba/smb.conf is not working.
I repeat in short what the blog above suggested to do:
Add the lines
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE
to the existing smb.conf and add the line
local7.* /var/log/samba/log.audit
to the syslog.conf (I took my existing /etc/rsyslog.conf for this).
Can anybody tell me how to fix this so that the logging is done into the intended file /var/log/samba/log.audit?
I had the same problem until I changed the output log file location to
/var/loginstead of/var/log/samba. I'm not sure why, but it seemsrsyslogon my system won't write a facility to a file outside/var/log.Hope that helps, and if anyone knows how to configure
ryslogto allow other locations it would be nice to know.The
/var/log/samba/log.auditfile must havesyslogas the owning user, andadmas the owning group.If it is not like this, run: