.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "VFS_FULL_AUDIT" 8 "" "" ""
.SH NAME
vfs_full_audit \- record Samba VFS operations in the system log
.SH "SYNOPSIS"
.ad l
.hy 0
.HP 25
\fBvfs objects = full_audit\fR
.ad
.hy
.SH "DESCRIPTION"
.PP
This VFS module is part of the \fBsamba\fR(7) suite\&.
.PP
The \fBvfs_full_audit\fR VFS module records selected client operations to the system log using \fBsyslog\fR(3)\&.
.PP
\fBvfs_full_audit\fR is able to record the complete set of Samba VFS operations:
.nf
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_write
chdir
chflags
chmod
chmod_acl
chown
close
closedir
connect
disconnect
disk_free
fchmod
fchmod_acl
fchown
fget_nt_acl
fgetxattr
flistxattr
fremovexattr
fset_nt_acl
fsetxattr
fstat
fsync
ftruncate
get_nt_acl
get_quota
get_shadow_copy_data
getlock
getwd
getxattr
kernel_flock
lgetxattr
link
linux_setlease
listxattr
llistxattr
lock
lremovexattr
lseek
lsetxattr
lstat
mkdir
mknod
open
opendir
pread
pwrite
read
readdir
readlink
realpath
removexattr
rename
rewinddir
rmdir
seekdir
sendfile
set_nt_acl
set_quota
setxattr
stat
statvfs
symlink
sys_acl_add_perm
sys_acl_clear_perms
sys_acl_create_entry
sys_acl_delete_def_file
sys_acl_free_acl
sys_acl_free_qualifier
sys_acl_free_text
sys_acl_get_entry
sys_acl_get_fd
sys_acl_get_file
sys_acl_get_perm
sys_acl_get_permset
sys_acl_get_qualifier
sys_acl_get_tag_type
sys_acl_init
sys_acl_set_fd
sys_acl_set_file
sys_acl_set_permset
sys_acl_set_qualifier
sys_acl_set_tag_type
sys_acl_to_text
sys_acl_valid
telldir
unlink
utime
write
.fi
.PP
In addition to these operations, \fBvfs_full_audit\fR recognizes the special operation names "all" and "none", which refer to all the VFS operations and none of the VFS operations respectively\&.
.PP
\fBvfs_full_audit\fR records operations in fixed format consisting of fields separated by '|' characters\&.
The format is:
.nf
smbd_audit: PREFIX|OPERATION|RESULT|FILE
.fi
.PP
The record fields are:
.TP 3
\(bu
\fBPREFIX\fR \- the result of the full_audit:prefix string after variable substitutions
.TP
\(bu
\fBOPERATION\fR \- the name of the VFS operation
.TP
\(bu
\fBRESULT\fR \- whether the operation succeeded or failed
.TP
\(bu
\fBFILE\fR \- the name of the file or directory the operation was performed on
.LP
.PP
This module is stackable\&.
.SH "OPTIONS"
.TP
full_audit:prefix = STRING
Prepend audit messages with STRING\&. STRING is processed for standard substitution variables listed in \fBsmb\&.conf\fR(5)\&. The default prefix is "%u|%I"\&.
.TP
full_audit:success = LIST
LIST is a list of VFS operations that should be recorded if they succeed\&. Operations are specified using the names listed above\&.
.TP
full_audit:failure = LIST
LIST is a list of VFS operations that should be recorded if they fail\&. Operations are specified using the names listed above\&.
.TP
full_audit:facility = FACILITY
Log messages to the named \fBsyslog\fR(3) facility\&.
.TP
full_audit:priority = PRIORITY
Log messages with the named \fBsyslog\fR(3) priority\&.
.SH "EXAMPLES"
.PP
Log file and directory open operations on the [records] share using the LOCAL7 facility and ALERT priority, including the username and IP address:
.nf
\fI[records]\fR
path = /data/records
vfs objects = full_audit
full_audit:prefix = %u|%I
full_audit:success = open opendir
full_audit:failure = all
full_audit:facility = LOCAL7
full_audit:priority = ALERT
.fi
.SH "VERSION"
.PP
This man page is correct for version 3\&.0\&.25 of the Samba suite\&.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
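.SH "ADDED EXAMPLE"
.PP
The parser below is an added example, not part of the Samba documentation or source. It reads records in the PREFIX|OPERATION|RESULT|FILE format with the default "%u|%I" prefix and counts failed operations per user and client address. Assumptions: the sample lines are constructed, the RESULT strings "ok" and "fail (reason)" are not spelled out on this page, and the names parse_line and failures_by_client are hypothetical.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real logs), default prefix "%u|%I".
SAMPLE = """
Mar  3 10:15:01 fs1 smbd_audit: alice|192.0.2.10|open|ok|reports/q1.xls
Mar  3 10:15:04 fs1 smbd_audit: bob|192.0.2.44|open|fail (Permission denied)|payroll/2007.xls
Mar  3 10:15:05 fs1 smbd_audit: bob|192.0.2.44|opendir|fail (Permission denied)|payroll
Mar  3 10:15:06 fs1 smbd_audit: bob|192.0.2.44|open|fail (Permission denied)|hr/a|b.doc
Mar  3 10:15:09 fs1 smbd[411]: unrelated daemon message
"""

PREFIX_FIELDS = 2  # "%u|%I" expands to two fields: user and client IP
RECORD = re.compile(r"smbd_audit: (.*)$")

def parse_line(line, prefix_fields=PREFIX_FIELDS):
    """Return a dict for an audit record, or None for any other line."""
    m = RECORD.search(line)
    if not m:
        return None
    # Split only the leading fields: FILE comes last and may itself contain
    # '|', so a plain split("|") would misplace OPERATION and RESULT.
    parts = m.group(1).split("|", prefix_fields + 2)
    if len(parts) != prefix_fields + 3:
        return None
    *prefix, operation, result, path = parts
    # Assumption: a successful operation is logged with RESULT "ok".
    return {"prefix": tuple(prefix), "operation": operation,
            "ok": result == "ok", "result": result, "file": path}

def failures_by_client(text, threshold=3):
    """Count failed operations per prefix; return those at or over threshold."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and not rec["ok"]:
            counts[rec["prefix"]] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

if __name__ == "__main__":
    for (user, addr), n in failures_by_client(SAMPLE).items():
        print("%s from %s: %d failed operations" % (user, addr, n))
```

If full_audit:prefix is changed from the default, pass the matching number of '|'-separated prefix fields as prefix_fields.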