How do I exclude tmp files from Samba full_audit?


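I run a file server with Samba on Ubuntu Server, and recently the need to log who deleted or modified files has become very pressing.

To do this, I added the following lines to /etc/samba/smb.conf: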

vfs objects = full_audit

full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE

And this to /etc/rsyslog.conf:

local7.*                        /var/log/samba/log.audit

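The problem is that we have at least 40 people accessing the file server at all times, which results in a huge volume of text about .tmp files in the log.

Is there a way to exclude TMP files from full_audit?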

Answer 1

Add the following lines. For example:

In [global]:

# full audit
   full_audit:prefix = %I|%m|%S
   full_audit:success = mkdirat read pread write pwrite renameat unlinkat
   full_audit:failure = none
   full_audit:facility = LOCAL5
   full_audit:priority = notice

In the shared folder:

[my_shared_folder]
   # change it to the name of your shared folder
   comment = my_shared_folder
   # change it to the path to your shared folder
   path = /home/your_user/my_shared_folder
   public = yes
   read only = no
   writeable = yes
   browseable = yes
   # change "your_user" to your user (echo $USER)
   valid users = nobody your_user
   force user =
   guest ok = yes
   guest only = yes
   available = yes
   printable = no
   create mask = 0777
   directory mask = 0777
   # exclude file extensions
   veto oplock files = /*.tmp/*.doc/*.docx/*.pdf/
   # Include file extensions
   veto files = /*.mp3/*.3gp/*.asd/*.au3/
   vfs object = full_audit recycle

Source: samba full audit
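
As an added example (not part of the question or the answer above), the .tmp noise can also be dropped when reading /var/log/samba/log.audit, without losing the renames that show a real document being modified. It assumes the question's prefix `%u|%I|%m|%S`, the `smbd_audit` syslog tag, and records laid out as prefix|operation|result|path(s); the function names and sample lines are constructed for illustration.

```python
import re

# Prefix from the question: full_audit:prefix = %u|%I|%m|%S
PREFIX_FIELDS = ("user", "client_ip", "machine", "share")
TAG = "smbd_audit: "  # assumption: syslog tag carried by audit records
TMP_RE = re.compile(r"\.tmp$", re.IGNORECASE)

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    "Mar  3 09:14:02 fs1 smbd_audit: alice|192.0.2.10|pc-alice|projects|pwrite|ok|reports/~WRD0001.tmp",
    "Mar  3 09:14:03 fs1 smbd_audit: alice|192.0.2.10|pc-alice|projects|rename|ok|reports/~WRD0001.tmp|reports/q1.docx",
    "Mar  3 09:14:03 fs1 smbd_audit: alice|192.0.2.10|pc-alice|projects|unlink|ok|reports/~WRL0002.tmp",
    "Mar  3 09:20:41 fs1 smbd_audit: bob|192.0.2.11|pc-bob|projects|unlink|ok|reports/budget.xlsx",
    "Mar  3 09:21:00 fs1 smbd[1234]: unrelated daemon message",
]


def parse_audit_line(line):
    """Return a dict for one audit record, or None for any other line."""
    pos = line.find(TAG)
    if pos < 0:
        return None
    parts = line[pos + len(TAG):].rstrip("\n").split("|")
    n = len(PREFIX_FIELDS)
    if len(parts) < n + 3:  # prefix + operation + result + at least one path
        return None
    record = dict(zip(PREFIX_FIELDS, parts[:n]))
    record["op"], record["result"] = parts[n], parts[n + 1]
    record["paths"] = parts[n + 2:]
    return record


def is_tmp_noise(record):
    """True only when every path in the record is a .tmp file.

    A rename from x.tmp to q1.docx is kept: a program that saves through
    a temporary file changes the real document with exactly that rename.
    """
    return all(TMP_RE.search(p) for p in record["paths"])


def filter_audit(lines):
    """Parse syslog lines and drop records that touch only .tmp files."""
    records = (parse_audit_line(line) for line in lines)
    return [r for r in records if r and not is_tmp_noise(r)]
```

Filtering on the substring ".tmp" alone would also discard the rename record, which is the only trace that alice changed q1.docx.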
