vfs_full_audit(8) vfs_full_audit(8)
NAME
vfs_full_audit - record Samba VFS operations in the system log
SYNOPSIS
vfs objects = full_audit
DESCRIPTION
This VFS module is part of the samba(7) suite. The vfs_full_audit VFS module records selected client operations to the system log using syslog(3). vfs_full_audit is able to record the complete set of Samba VFS opera- tions: aio_cancel aio_error aio_fsync aio_read aio_return aio_suspend aio_write chdir chflags chmod chmod_acl chown close closedir connect disconnect disk_free fchmod fchmod_acl fchown fget_nt_acl fgetxattr flistxattr fremovexattr fset_nt_acl fsetxattr fstat fsync ftruncate get_nt_acl get_quota get_shadow_copy_data getlock getwd getxattr kernel_flock lgetxattr link linux_setlease listxattr llistxattr lock lremovexattr lseek lsetxattr lstat mkdir mknod open opendir pread pwrite read readdir readlink realpath removexattr rename rewinddir rmdir seekdir sendfile set_nt_acl set_quota setxattr stat statvfs symlink sys_acl_add_perm sys_acl_clear_perms sys_acl_create_entry sys_acl_delete_def_file sys_acl_free_acl sys_acl_free_qualifier sys_acl_free_text sys_acl_get_entry sys_acl_get_fd sys_acl_get_file sys_acl_get_perm sys_acl_get_permset sys_acl_get_qualifier sys_acl_get_tag_type sys_acl_init sys_acl_set_fd sys_acl_set_file sys_acl_set_permset sys_acl_set_qualifier sys_acl_set_tag_type sys_acl_to_text sys_acl_valid telldir unlink utime write In addition to these operations, vfs_full_audit recognizes the special operation names "all" and "none ", which refer to all the VFS opera- tions and none of the VFS operations respectively. vfs_full_audit records operations in fixed format consisting of fields separated by '|' characters. The format is: smbd_audit: PREFIX|OPERATION|RESULT|FILE The record fields are: o PREFIX - the result of the full_audit:prefix string after variable substitutions o OPERATION - the name of the VFS operation o RESULT - whether the operation succeeded or failed o FILE - the name of the file or directory the operation was performed on This module is stackable.
OPTIONS
vfs_full_audit:prefix = STRING Prepend audit messages with STRING. STRING is processed for standard substitution variables listed in smb.conf(5). The default prefix is "%u|%I". vfs_full_audit:success = LIST LIST is a list of VFS operations that should be recorded if they succeed. Operations are specified using the names listed above. vfs_full_audit:failure = LIST LIST is a list of VFS operations that should be recorded if they failed. Operations are specified using the names listed above. full_audit:facility = FACILITY Log messages to the named syslog(3) facility. full_audit:priority = PRIORITY Log messages with the named syslog(3) priority.
EXAMPLES
Log file and directory open operations on the [records] share using the LOCAL7 facility and ALERT priority, including the username and IP address: [records] path = /data/records vfs objects = full_audit full_audit:prefix = %u|%I full_audit:success = open opendir full_audit:failure = all full_audit:facility = LOCAL7 full_audit:priority = ALERT
VERSION
This man page is correct for version 3.0.25 of the Samba suite.
AUTHOR
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. vfs_full_audit(8)
Mac OS X 10.6 - Generated Thu Sep 17 20:26:30 CDT 2009