Here is an example of setting up detailed logging in Samba. The logs can record the client’s IP address, its actions, the hostname, and a lot of other debugging information.
To write more detailed logs, open the Samba configuration file in a text editor:
sudo nano /etc/samba/smb.conf
For example, add the following to the [global] section:
log level = 2
max log size = 20480
Log level 1 is the lowest; 0 switches logging off and is the default. max log size sets the maximum size of the log file in kilobytes; I specified 20 MB.
Apply the changes:
sudo smbcontrol all reload-config
Or restart samba:
sudo /etc/init.d/smbd restart
sudo /etc/init.d/nmbd restart
sudo systemctl restart nmbd
sudo systemctl restart smbd
You can specify a different level for different debugging classes, for example:
log level = 1 auth:10 winbind:5 passdb:4
Debug classes can be: all, tdb, printdrivers, lanman, smb, rpc_parse, rpc_srv, rpc_cli, passdb, sam, auth, winbind, vfs, idmap, quota, acls, locking, msdfs, dmapi, registry.
For logging user activity, it is more convenient to specify vfs:
log level = 0 vfs:2
max log size = 20480
Let’s say a share was previously configured like this:
[test]
    path = /srv/samba/test
    comment = test
    browseable = yes
    writable = yes
    read only = no
Now we add the logging options at the end of its settings, so that it looks like this:
[test]
    path = /srv/samba/test
    comment = test
    browseable = yes
    writable = yes
    read only = no
    vfs objects = full_audit
    full_audit:prefix = %u|%I|%m|%S
    full_audit:failure = none
    full_audit:success = mkdir rmdir open read pread write pwrite sendfile rename unlink lock
    full_audit:facility = local5
    full_audit:priority = debug
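With the prefix %u|%I|%m|%S, every audit record starts with the user, client IP, machine name and share, which makes the log easy to parse. The following is an added example, not part of the original article: it parses such records, lists the client IPs seen per share and collects the delete and rename operations per user. The sample lines are constructed, and the record layout after the prefix (operation|result|arguments under the smbd_audit tag) and the choice of which operations count as destructive are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines. Assumed layout: syslog header, the "smbd_audit" tag,
# then the configured prefix (%u|%I|%m|%S), the operation, the result, the arguments.
SAMPLE_LOG = """\
Mar  3 10:15:01 fs1 smbd_audit: alice|192.0.2.10|ws-alice|test|mkdir|ok|reports
Mar  3 10:15:04 fs1 smbd_audit: alice|192.0.2.10|ws-alice|test|open|ok|w|reports/q1.xlsx
Mar  3 10:16:30 fs1 smbd_audit: bob|192.0.2.22|ws-bob|test|unlink|ok|old|name.txt
Mar  3 10:16:31 fs1 smbd_audit: bob|192.0.2.22|ws-bob|test|unlink|ok|reports/q1.xlsx
Mar  3 10:16:32 fs1 smbd_audit: bob|192.0.2.22|ws-bob|test|rmdir|ok|reports
Mar  3 10:17:00 fs1 smbd[812]: unrelated daemon message
Mar  3 10:17:05 fs1 smbd_audit: truncated|192.0.2.30
"""

AUDIT_RE = re.compile(r"smbd_audit(?:\[\d+\])?:\s+(.*)$")
DESTRUCTIVE = {"unlink", "rmdir", "rename"}  # assumption: operations worth reviewing

def parse_line(line):
    """Return a dict for one full_audit record, or None for anything else."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    # Split on the first six separators only, so "|" inside the arguments survives.
    parts = m.group(1).split("|", 6)
    if len(parts) < 6:
        return None  # truncated line, or written with a different prefix
    user, ip, machine, share, op, result = parts[:6]
    return {"user": user, "ip": ip, "machine": machine, "share": share,
            "op": op, "result": result, "args": parts[6] if len(parts) > 6 else ""}

def summarize(log_text):
    """Client IPs seen per share, and destructive operations per (user, ip)."""
    clients = defaultdict(set)
    destructive = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        clients[rec["share"]].add(rec["ip"])
        if rec["op"] in DESTRUCTIVE and rec["result"] == "ok":
            destructive[(rec["user"], rec["ip"])].append((rec["op"], rec["args"]))
    return dict(clients), dict(destructive)

if __name__ == "__main__":
    clients, destructive = summarize(SAMPLE_LOG)
    print(clients, destructive)
```

Because the configuration sets full_audit:failure = none, denied attempts never reach the log, so this summary only covers operations that succeeded.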
After that, the logs will be written to /var/log/syslog. To write them to a separate file, add the following to the syslog configuration:
See also my article:
Installing and configuring Samba
This is cool. If all I want to do is log the IP addresses of clients who connect to a share, what is the easiest way? I just want their IP address, any other information isn’t useful to me.
You must change the config prefix to:
full_audit:prefix = %I, where %I is the IP address