1./etc/samba/smb.conf添加如下配置:
global:
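[global]
# NOTE: smb.conf only treats a line as a comment when it BEGINS with '#' or ';'.
# Text placed after a value on the same line becomes part of that value, so
# every comment here sits on its own line.
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
# One smbd log file per client (%m = client machine name).
log file = /var/log/samba/%m.log
# Debug level 5 globally, level 10 for the "vfs" debug class.
# NOTE(review): this is debugging-grade verbosity. The per-client logs grow
# quickly and can contain file names and user details, so keep
# /var/log/samba readable by root only and lower the level once the audit
# setup is verified.
log level = 5 vfs:10
# Load the full_audit VFS module (enables auditing). The former
# "vfs object = vfs" line was dropped: it was a duplicate key that the next
# assignment overrode, and "vfs" is not a module name.
vfs object = full_audit
# Prefix of every audit record: %u = user, %I = client IP, %S = share name.
full_audit:prefix = %u|%I|%S
# Operations logged when they FAIL.
# NOTE(review): only failed connect and chdir calls are recorded. Denied file
# operations (e.g. a failed unlink or rename) are not audited with this list;
# extend it if access-denied events matter for detection.
full_audit:failure = connect chdir
# Operations logged when they SUCCEED (directory changes, rename, delete,
# asynchronous reads and writes).
full_audit:success = mkdir rmdir rename unlink pwrite_send pwrite_recv pread_recv pread_send
# Alternative operation list from the original page (names without the
# _send/_recv suffixes). Which names are valid depends on the installed Samba
# version; check vfs_full_audit(8) before switching.
#full_audit:success = mkdir rmdir rename unlink pwrite pread sendfile recvfile
# Syslog facility for the audit records; it must match the selector used in
# /etc/rsyslog.conf (local5.*).
full_audit:facility = local5
# Syslog priority of the audit records.
full_audit:priority = notice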
共享目录:
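[share]
comment = share
path = /home/share
# Guest access disabled: clients must authenticate (security = user).
public = no
writable = yes
# Enable full_audit for this share. The full_audit:* options set in [global]
# apply here. The comment is on its own line because smb.conf has no trailing
# comments: text after a value becomes part of the value. The former
# "vfs object = vfs" line was dropped as an overridden duplicate naming a
# non-existent module.
vfs object = full_audit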
2.日志输出设置:/etc/rsyslog.conf
# Send every message from syslog facility local5 (the facility set with
# full_audit:facility in smb.conf) to a dedicated audit file.
# NOTE(review): other selectors in rsyslog.conf (for example a catch-all that
# writes to /var/log/messages) may also match these records — confirm, and
# exclude local5 there if duplicates are unwanted. The audit file lists user
# names, client IPs and file paths, so restrict its permissions and add it to
# log rotation.
local5.* /var/log/samba/audit.log
3.审计日志如下:
[root@lrh001 ~]# tail -f /var/log/samba/audit.log
May 17 15:44:09 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_send|ok|/home/share/jishubu/1.txt
May 17 15:44:09 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_recv|ok|/home/share/jishubu/1.txt
May 17 15:44:14 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_send|ok|/home/share/jishubu/新建文本文档 (2).txt
May 17 15:44:14 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_recv|ok|/home/share/jishubu/新建文本文档 (2).txt
May 17 15:44:23 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_send|ok|/home/share/yewu/yewu.txt
May 17 15:44:23 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_recv|ok|/home/share/yewu/yewu.txt
May 17 15:44:31 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_send|ok|/home/share/yewu/yewu.txt
May 17 15:44:31 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_recv|ok|/home/share/yewu/yewu.txt
May 17 15:51:43 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_send|ok|/home/share/yewu/yewu.txt
May 17 15:51:43 lrh001 smbd_audit: lrh|192.170.1.143|share|pread_recv|ok|/home/share/yewu/yewu.txt