This site is currently read-only as we are migrating to Oracle Forums for an improved community experience. You will not be able to initiate activity until January 31st, when you will be able to use this site as normal.

    Forum Stats

  • 3,890,899 Users
  • 2,269,649 Discussions


Samba auditing issue

2648698 Member Posts: 6
edited Apr 22, 2014 8:50AM in Solaris 10

Hello all,

We would like to audit samba file access on our Solaris 10 using vfs module full_audit (

smbd -D : Version 3.6.8

ls /usr/lib/samba/vfs :



Conf is pretty simple :

In smb.conf, add these lines to [global] :


# Audit settings

full_audit:prefix = %u|%I|%S

full_audit:failure = connect

full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod

fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath

full_audit:facility = local5

full_audit:priority = notice

Then, add vfs objects = full_audit to each share


comment = Public Stuff

path = /home/samba/public

public = yes

vfs object = full_audit

In syslog.conf, add local5.notice     /var/adm/log.audit

Then restart samba with

svcadm disable samba wins

svcadm enable samba wins

Then restart syslog with

svcadm restart svc:/system/system-log:default


svcadm refresh svc:/system/system-log

But log.audit file is not created. I created it but after have reloaded samba and syslog (and even rebooted)  he is still empty...

I tried to use full_audit module in Ubuntu (which use rsyslog) and it works well ...

Any suggestions ?

Thx for your help :-)



This discussion has been closed.