  • redhat 7.2 with samba 4.2.3 full audit

    I am having a problem where the samba audit is getting/recording too much info and sometimes it duplicates.

    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|get_nt_acl|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|get_alloc_size|ok|0
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|kernel_flock|ok|SOA3616.tmp
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|realpath|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|connectpath|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|file_id_create|ok|fd03:83:0
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|get_nt_acl|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|get_nt_acl|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|file_id_create|ok|fd03:83:0
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|create_file|ok|0x100080|file|open|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|get_nt_acl|ok|.
    Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|get_alloc_size|ok|0

    I have updated the samba conf to reduce the info it records but it does not seem to work.

    My samba conf - details entered relating to samba audit as follows

    [global]
    .
    .
    syslog = 0
    log file = /var/log/samba/%m
    Log level = 0 vfs:0
    max log size = 0

    [admin]
    Comment = General Global Share
    path = /shares/admin
    browsable = yes
    writeable = yes
    read only = no

    vfs objects = full_audit
    full_audit:prefix = nasaudit|%u|%I|%m
    full_audit:success = mkdir rmdir pwrite ulink rename
    full_audit:failure = mkdir rmdir pwrite ulink rename
    nt acl support = yes
    inherit acls = yes
    inherit owner = yes
    inherit permissions = yes
    map acl inherit = yes
    store dos attributes = Yes
    guest ok = no
    create mask = 0777
    directory mask = 0777
    users = @"Domain Users","@Domain Admins"

    mkdir rmdir pwrite ulink rename
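
The following is an added example, not part of the original post. It parses smbd_audit lines in the format shown above, counts operations that were logged although they are absent from the configured full_audit:success / full_audit:failure lists, and flags configured names missing from a reference list. The sample log lines are constructed, and KNOWN_OPS is an assumed partial list of operation names, to be extended from the vfs_full_audit man page for the installed Samba version.

```python
import difflib
from collections import Counter
# Constructed sample in the post's format (prefix = nasaudit|%u|%I|%m, 4 fields).
SAMPLE_LOG = r"""
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|get_nt_acl|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|create_file|ok|0x100080|file|open|.
Feb 3 11:58:44 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|mkdir|ok|newdir
"""
# The two filter lines exactly as posted in the share section.
SAMPLE_CONF = """
full_audit:success = mkdir rmdir pwrite ulink rename
full_audit:failure = mkdir rmdir pwrite ulink rename
"""
# Assumption: partial reference list of full_audit operation names.
KNOWN_OPS = {"mkdir", "rmdir", "pwrite", "unlink", "rename", "stat",
             "get_nt_acl", "create_file", "realpath", "kernel_flock"}

def configured_ops(conf):
    """Return {'success': set, 'failure': set} from full_audit:* lines."""
    ops = {"success": set(), "failure": set()}
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        scope, _, name = key.strip().lower().partition(":")
        if scope == "full_audit" and name in ops:
            ops[name] = set(value.split())
    return ops

def parse_audit(log, prefix_fields=4):
    """Yield (operation, result) for each smbd_audit line."""
    for line in log.splitlines():
        _, sep, payload = line.partition("smbd_audit: ")
        fields = payload.split("|")
        if sep and len(fields) >= prefix_fields + 2:
            yield fields[prefix_fields], fields[prefix_fields + 1]

def audit_report(log, conf):
    """Ops logged although not configured, and config names not in KNOWN_OPS."""
    ops = configured_ops(conf)
    leaked = Counter()
    for op, result in parse_audit(log):
        wanted = ops["success"] if result == "ok" else ops["failure"]
        if op not in wanted:
            leaked[op] += 1
    unknown = {n: difflib.get_close_matches(n, KNOWN_OPS, n=1)
               for n in sorted((ops["success"] | ops["failure"]) - KNOWN_OPS)}
    return leaked, unknown
```

A non-empty first result means the success/failure filter is not taking effect for those operations; the second result maps each unrecognised configured name to its closest known operation name.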
