Tuesday, 18 June 2019

Auditing for Samba

Auditing for Samba. The procedure follows the guide available at http://a32.me/2009/10/samba-audit-trail/

Add the audit settings to /etc/samba/smb.conf:

[global]
# Audit settings
        full_audit:prefix = %u|%I|%S
        full_audit:failure = connect
        full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
        full_audit:facility = local5
        full_audit:priority = notice

Then, for each share, enable the audit module:

[samba]
        ...
        vfs objects = full_audit

and restart the Samba daemon:

systemctl restart smb

The audit records are sent to syslog. On CentOS the syslog daemon is rsyslog, configured in /etc/rsyslog.d/smb-audit.conf:

local5.notice /var/log/samba/audit.log 
& ~

or, for newer rsyslog installations:

local5.notice /var/log/samba/audit.log 
& stop

and restart the rsyslog daemon:

systemctl restart rsyslog

Finally, log rotation in /etc/logrotate.d/samba is already active for all files in /var/log/samba/*:

/var/log/samba/* {
    notifempty
    olddir /var/log/samba/old
    missingok
    sharedscripts
    copytruncate
    compress
}

Logrotate is run automatically by cron, so no restart is necessary.
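
Once records arrive in /var/log/samba/audit.log they can be reviewed with a small script. The following is an added example, not part of the original guide: it parses records written with the prefix %u|%I|%S configured above and counts failed connects per client IP and destructive operations per user and share. The log lines are constructed, and the exact record layout (prefix|operation|result|arguments after "smbd_audit:") is an assumption about what full_audit writes.

```python
import re
from collections import Counter

# Constructed sample of /var/log/samba/audit.log (hosts, users, paths made up).
# Assumed layout: syslog header, "smbd_audit:", then the page's prefix
# user|client IP|share followed by operation|result|arguments.
SAMPLE_LOG = """\
Jun 18 10:01:02 fs1 smbd_audit: alice|192.0.2.10|samba|connect|ok|samba
Jun 18 10:01:05 fs1 smbd_audit: alice|192.0.2.10|samba|open|ok|r|reports/q2.xlsx
Jun 18 10:02:11 fs1 smbd_audit: alice|192.0.2.10|samba|unlink|ok|reports/old.xlsx
Jun 18 10:02:12 fs1 smbd_audit: alice|192.0.2.10|samba|rename|ok|reports/a.txt|reports/a.bak
Jun 18 10:03:40 fs1 smbd_audit: bob|192.0.2.77|samba|connect|fail (Permission denied)|samba
Jun 18 10:03:41 fs1 smbd_audit: bob|192.0.2.77|samba|connect|fail (Permission denied)|samba
Jun 18 10:04:00 fs1 smbd[1234]: unrelated daemon message
"""

LINE_RE = re.compile(r"smbd_audit(?:\[\d+\])?: (?P<body>.*)$")
# Operations from the page's full_audit:success list that remove or replace data.
DESTRUCTIVE = {"unlink", "rmdir", "rename", "ftruncate"}

def parse_line(line):
    """Return a dict for one audit record, or None for non-audit lines."""
    match = LINE_RE.search(line)
    if not match:
        return None
    # Split only the five leading fields; arguments (paths) stay in one string.
    parts = match.group("body").split("|", 5)
    if len(parts) < 5:
        return None
    user, ip, share, op, result = parts[:5]
    return {"user": user, "ip": ip, "share": share, "op": op,
            "ok": result == "ok", "result": result,
            "args": parts[5] if len(parts) > 5 else ""}

def summarise(text):
    """Count failed connects per client IP and destructive ops per (user, share)."""
    failed_connects, destructive = Counter(), Counter()
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        if event["op"] == "connect" and not event["ok"]:
            failed_connects[event["ip"]] += 1
        elif event["op"] in DESTRUCTIVE and event["ok"]:
            destructive[(event["user"], event["share"])] += 1
    return failed_connects, destructive

if __name__ == "__main__":
    failed, removed = summarise(SAMPLE_LOG)
    print("failed connects by IP:", dict(failed))
    print("destructive ops by (user, share):", dict(removed))
```

To run it against the real log, pass the contents of /var/log/samba/audit.log to summarise() instead of SAMPLE_LOG.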