aloknet21 asked:

How do I write a script to monitor file creation and deletion on a Samba shared folder in Linux?

I have shared a folder on a Samba server and now want to monitor which user is creating which files and folders, and deletions too.

Please suggest how I can write a script to monitor this.

Pieter Jordaan:

Hi

You have to enable auditing on each share by adding the audit lines below to each [share block]:
full_audit:prefix = %u|%I|%S
full_audit:success = mkdir rename rmdir unlink write aio_write pwrite
full_audit:failure = unlink rmdir
full_audit:facility = LOCAL7
full_audit:priority = ALERT

Then configure syslog to write all local7 events to a samba audit log file.
You can add the line below to your syslog.conf file:
local7.*                        /var/log/samba.audit.log

Restart samba and syslog to apply the changes, and monitor the messages and syslog files for any problems.

Then use grep to get the events you need from the /var/log/samba.audit.log file.
Some of the newer Linux versions use rsyslog. In that case, add the local7.* line to /etc/rsyslog.d/50-default.conf
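
The grep step described in the answer above, as an added example that is not part of the original post: a small POSIX shell/awk filter that pulls create, delete and rename events out of the audit log. It assumes the `%u|%I|%S` prefix from the answer and a message layout of prefix|operation|result|arguments; the function names are hypothetical, and the sample lines are constructed except the first, which is the line posted later in this thread.

```shell
#!/bin/sh
# Added example: list mkdir/rmdir/unlink/rename events from a full_audit log.
# Assumption: prefix is "%u|%I|%S", so each record after "smbd_audit: " reads
#   user|client-ip|share|operation|result|argument[|second argument]

# Output: time, user, ip, share, operation, result, path (tab-separated).
samba_audit_events() {
    awk '
    {
        i = index($0, "smbd_audit: ")
        if (i == 0) next                  # not a full_audit message
        n = split(substr($0, i + 12), f, "|")
        if (n < 6) next                   # prefix is not user|ip|share
        op = f[4]
        if (op != "mkdir" && op != "rmdir" && op != "unlink" && op != "rename")
            next
        path = f[6]
        if (op == "rename" && n >= 7) path = f[6] " -> " f[7]
        # $1..$3 are the syslog month, day and time.
        printf "%s %s %s\t%s\t%s\t%s\t%s\t%s\t%s\n", \
            $1, $2, $3, f[1], f[2], f[3], op, f[5], path
    }' "$@"
}

# Sample input. Line 1 is from this thread; lines 2-5 are constructed.
sample_audit_log() {
    cat <<'EOF'
Jan  3 19:05:53 DropBox smbd_audit: data|10.50.2.13|get_shadow_copy_data|fail (Function not implemented)|
Jan  3 19:06:10 DropBox smbd_audit: data|10.50.2.13|DropBox|mkdir|ok|reports
Jan  3 19:06:42 DropBox smbd_audit: data|10.50.2.13|DropBox|rename|ok|reports|reports-2011
Jan  3 19:07:05 DropBox smbd_audit: data|10.50.0.34|DropBox|unlink|fail (Permission denied)|reports-2011/a.txt
Jan  3 19:07:30 DropBox smbd_audit: data|10.50.2.13|DropBox|pwrite|ok|reports-2011/a.txt
EOF
}

# Usage: samba_audit_events /var/log/samba.audit.log
#    or: sample_audit_log | samba_audit_events
```

Records that carry only a two-field prefix, like the first sample line, are skipped, so an empty result on a busy share suggests the prefix setting in smb.conf is not being applied.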

aloknet21 (ASKER):

alok (10.50.2.13) connect to service DropBox initially as user data (uid=500, gid=500) (pid 10325)
[2011/01/03 14:07:34, 1] smbd/service.c:make_connection_snum(1077)
  admins-computer (10.50.0.34) connect to service Uploads initially as user data (uid=500, gid=100) (pid 10330)
[2011/01/03 14:07:44, 1] smbd/service.c:close_cnum(1274)
  alok (10.50.2.13) closed connection to service DropBox


This is the log I am getting from /var/log/samba/smbd.log


local7.*                                                /var/log/boot.log
local7.*                                                /var/log/samba/smbd.log

I have added the below line in the syslog.conf file

[DropBox]
        comment = DropBox
        # turn on auditing to see what the heck is going on
        vfs objects = full_audit
        full audit:prefix = %u|%I|%S
        full audit:success = mkdir rename rmdir unlink write aio_write pwrite
        full_audit:failure = unlink rmdir
        full_audit:facility = LOCAL7
        full_audit:priority = ALERT
        writeable = yes
        locking = no
        create mask = 0775
Above is the folder which I have shared on the Samba server. I am running CentOS 5.3 Server.
Please suggest what I am missing here.

local7 is assigned to your boot log.
Look for one that is not used. Maybe local8?

I have changed to local8 now but am not able to access the shared folder.

My bad!

You will have to use between local0 and local7.
Look inside your syslog.conf to see which of those are not in use.

I have used it now and am able to access the shared folder.

local1.*                                                /var/log/samba/smbd.log

Please suggest whether all file creation and deletion logs will be here only.
I have renamed and deleted a folder there but am not able to find a log for this.

 alok (10.50.2.13) connect to service DropBox initially as user data (uid=500, gid=500) (pid 11587)
[2011/01/03 15:14:07, 1] smbd/service.c:close_cnum(1274)
  alok (10.50.2.13) closed connection to service DropBox

Did you change local7 to local1 in smb.conf as well?
Did you restart samba and syslog after the local1 changes?

First, let's see if the log output ends up at syslog.
tail /var/log/messages /var/log/syslog and look for any samba output.

If you find it, then the output redirect line in syslog.conf is not working, or the syslog restart did not work.
Please also post your samba version.
The audit settings may be different for older versions of samba.

Samba version is 3.0.33-3.7.el5

I have changed local7 to local1 in smb.conf.
When I run tail /var/log/messages I have found one log related to my system IP:

Jan  3 19:05:53 DropBox smbd_audit: data|10.50.2.13|get_shadow_copy_data|fail (Function not implemented)|


Also I am not able to get output of tail /var/log/syslog

[root@DropBox ~]# tail /var/log/syslog
tail: cannot open `/var/log/syslog' for reading: No such file or directory

Please suggest!
