Tuesday, December 9, 2008

Samba, vfs_extd_audit module and syslog



Have you ever wanted to monitor Samba shares? To know who's opening what and when, and who's deleting what?
That's a good thing to know. Every sysadmin should know which user deleted some public file - by accident, of course ;-)
By default Samba offers an extended logging system: setting "log level = 5" in smb.conf lets us see what's happening to our files. But it logs A LOT of crap that we don't need!

Samba comes with some default modules that we can use. Some of them are responsible for logging: vfs_audit, which logs opening, renaming, deleting, creating, etc. to syslog; vfs_extd_audit, which does exactly the same thing but to BOTH syslog AND the Samba log file; and a third module, vfs_full_audit, which is a richer and more configurable version of vfs_audit. With it we can choose what to log and what not to (to syslog only, though :(), a very nice thing. However, in this case we just need to log file access. Logging should go to separate Samba log files, not to syslog.
According to the Samba documentation, we can turn syslog off by setting "syslog = 0" in smb.conf. However, it doesn't work for the vfs_extd_audit module. This module also offers its own log level: the documentation says that by setting "log level = 0 vfs:X", where X is the vfs_extd_audit log level, we can separate the global log level from the module log level. However, that doesn't work either! So basically we are stuck with logging to both syslog and the Samba log files, which wastes our disk space, and we don't want that.
I wrote a simple patch for the latest version of Samba (3.2.5) which resolves those issues.
It can be downloaded at https://bugzilla.samba.org/show_bug.cgi?id=5956
To patch your Samba, go to samba_src/source/modules and type patch -p0 < vfs_extd_audit.c.patch
Then recompile and enjoy! :)
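
An smb.conf fragment for the setup described above, as an added example that is not part of the original post or the patch. The share name, path and log size are constructed, and per the post the "syslog = 0" and "vfs:X" settings only take effect for vfs_extd_audit on a patched build.

```ini
# Constructed example: share name, path and sizes are placeholders.
[global]
    # Noisy alternative the post starts from (everything at debug level 5):
    ;log level = 5

    # Global logging off, VFS debug class raised on its own.
    # Level 2 is where the Samba HOWTO lists file open/close for this module.
    log level = 0 vfs:2

    # Keep audit records out of syslog and write per-client Samba log files.
    syslog = 0
    log file = /var/log/samba/log.%m
    # Size in KiB before the log is rotated, to bound disk usage.
    max log size = 10240

[public]
    path = /srv/samba/public
    read only = no
    # Stack the audit module on this share only.
    vfs objects = extd_audit
```

Running testparm after editing confirms the file parses and shows the effective values before smbd is restarted.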