Here is an example of setting up detailed logging in Samba. The logs can record the client's IP address, its actions, the hostname, and a lot of other debugging information.
To write more detailed logs, open the Samba configuration file in a text editor:
sudo nano /etc/samba/smb.conf
For example, add the following to the [global] section:
log level = 2
max log size = 20480
Log level 1 is the lowest, and 0 turns logging off and is the default. max log size sets the maximum size of the log file in kilobytes; I specified 20 MB.
Apply the changes:
sudo smbcontrol all reload-config
Or restart Samba (with the init scripts or with systemctl, depending on the system):
sudo /etc/init.d/smbd restart
sudo /etc/init.d/nmbd restart
sudo systemctl restart nmbd
sudo systemctl restart smbd
You can specify a different level for different debugging classes, for example:
log level = 1 auth:10 winbind:5 passdb:4
Debug classes can be: all, tdb, printdrivers, lanman, smb, rpc_parse, rpc_srv, rpc_cli, passdb, sam, auth, winbind, vfs, idmap, quota, acls, locking, msdfs, dmapi, registry.
For logging user activity, it is more convenient to specify vfs:
log level = 0 vfs:2
max log size = 20480
Let's say a shared directory was previously configured like this:
[test]
path = /srv/samba/test
comment = test
browseable = yes
writable = yes
read only = no
Now add the logging options at the end of its settings, so that it ends up like this:
[test]
path = /srv/samba/test
comment = test
browseable = yes
writable = yes
read only = no
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = none
full_audit:success = mkdir rmdir open read pread write pwrite sendfile rename unlink lock
full_audit:facility = local5
full_audit:priority = debug
After that, the logs will be written to /var/log/syslog. To write them to a separate file, add the following to the syslog configuration:
local5.debug -/var/log/samba/audit.log
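Once records reach /var/log/samba/audit.log they can be summarised per client. The Python script below is an added example, not part of the original article: it parses records written with the %u|%I|%m|%S prefix above and reports which client IPs were seen on each share and how many successful delete/rename operations each user made. The syslog line layout and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real logs). Assumed layout: syslog header, then
# "smbd_audit:" and the prefix fields %u|%I|%m|%S followed by operation|result|args.
SAMPLE = """\
Mar  3 10:15:01 fs1 smbd_audit[2211]: alice|192.0.2.10|alice-pc|test|open|ok|r|report.docx
Mar  3 10:15:04 fs1 smbd_audit[2211]: alice|192.0.2.10|alice-pc|test|pwrite|ok|report.docx
Mar  3 10:16:40 fs1 smbd_audit[2290]: bob|192.0.2.23|bob-laptop|test|unlink|ok|old/notes.txt
Mar  3 10:16:41 fs1 smbd_audit[2290]: bob|192.0.2.23|bob-laptop|test|unlink|ok|old/todo.txt
Mar  3 10:16:42 fs1 smbd_audit[2290]: bob|192.0.2.23|bob-laptop|test|rename|ok|x.txt|y.txt
Mar  3 10:17:00 fs1 smbd[2290]: unrelated smbd message
Mar  3 10:17:05 fs1 smbd_audit[2301]: carol|192.0.2.31|carol-pc|test|mkdir|ok|new
"""

LINE_RE = re.compile(r"smbd_audit(?:\[\d+\])?:\s+(.*)$")
DESTRUCTIVE = {"unlink", "rmdir", "rename"}

def parse_line(line):
    """Return a dict for one full_audit record, or None for other syslog lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    parts = m.group(1).split("|", 6)  # anything after the result stays in 'args'
    if len(parts) < 6:
        return None  # truncated record or one written with a different prefix
    user, ip, machine, share, op, result = parts[:6]
    return {"user": user, "ip": ip, "machine": machine, "share": share,
            "op": op, "result": result, "args": parts[6] if len(parts) > 6 else ""}

def summarize(text):
    """Return (client IPs seen per share, successful destructive ops per (user, IP))."""
    ips_by_share = defaultdict(set)
    destructive = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ips_by_share[rec["share"]].add(rec["ip"])
        if rec["op"] in DESTRUCTIVE and rec["result"] == "ok":
            destructive[(rec["user"], rec["ip"])] += 1
    return dict(ips_by_share), destructive

if __name__ == "__main__":
    ips, destructive = summarize(SAMPLE)
    for share, addrs in ips.items():
        print(share, sorted(addrs))
    for (user, ip), n in destructive.most_common():
        print(f"{user}@{ip}: {n} delete/rename operations")
```

With full_audit:failure = none, as in the share configuration above, denied operations never reach the log, so this summary covers successful actions only.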
See also my article:
Installing and configuring Samba
This is cool. If all I want to do is log the IP addresses of clients who connect to a share, what is the easiest way? I just want their IP address, any other information isn’t useful to me.
You must change the config prefix to:
full_audit:prefix = %I, where %I is the IP address