source: branches/samba-3.2.x/docs/manpages/vfs_full_audit.8@ 200

.\"     Title: vfs_full_audit
.\"    Author: 
.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
.\"      Date: 08/18/2008
.\"    Manual: System Administration tools
.\"    Source: Samba 3.2
.\"
.TH "VFS_FULL_AUDIT" "8" "08/18/2008" "Samba 3\.2" "System Administration tools"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
vfs_full_audit - record Samba VFS operations in the system log
.SH "SYNOPSIS"
.HP 1
vfs objects = full_audit
.SH "DESCRIPTION"
.PP
This VFS module is part of the
\fBsamba\fR(7)
suite\.
.PP
The
vfs_full_audit
VFS module records selected client operations to the system log using
\fBsyslog\fR(3)\.
.PP
vfs_full_audit
is able to record the complete set of Samba VFS operations:
.IP "" 4
aio_cancel
.IP "" 4
aio_error
.IP "" 4
aio_fsync
.IP "" 4
aio_read
.IP "" 4
aio_return
.IP "" 4
aio_suspend
.IP "" 4
aio_write
.IP "" 4
chdir
.IP "" 4
chflags
.IP "" 4
chmod
.IP "" 4
chmod_acl
.IP "" 4
chown
.IP "" 4
close
.IP "" 4
closedir
.IP "" 4
connect
.IP "" 4
disconnect
.IP "" 4
disk_free
.IP "" 4
fchmod
.IP "" 4
fchmod_acl
.IP "" 4
fchown
.IP "" 4
fget_nt_acl
.IP "" 4
fgetxattr
.IP "" 4
flistxattr
.IP "" 4
fremovexattr
.IP "" 4
fset_nt_acl
.IP "" 4
fsetxattr
.IP "" 4
fstat
.IP "" 4
fsync
.IP "" 4
ftruncate
.IP "" 4
get_nt_acl
.IP "" 4
get_quota
.IP "" 4
get_shadow_copy_data
.IP "" 4
getlock
.IP "" 4
getwd
.IP "" 4
getxattr
.IP "" 4
kernel_flock
.IP "" 4
lgetxattr
.IP "" 4
link
.IP "" 4
linux_setlease
.IP "" 4
listxattr
.IP "" 4
llistxattr
.IP "" 4
lock
.IP "" 4
lremovexattr
.IP "" 4
lseek
.IP "" 4
lsetxattr
.IP "" 4
lstat
.IP "" 4
mkdir
.IP "" 4
mknod
.IP "" 4
open
.IP "" 4
opendir
.IP "" 4
pread
.IP "" 4
pwrite
.IP "" 4
read
.IP "" 4
readdir
.IP "" 4
readlink
.IP "" 4
realpath
.IP "" 4
removexattr
.IP "" 4
rename
.IP "" 4
rewinddir
.IP "" 4
rmdir
.IP "" 4
seekdir
.IP "" 4
sendfile
.IP "" 4
set_nt_acl
.IP "" 4
set_quota
.IP "" 4
setxattr
.IP "" 4
stat
.IP "" 4
statvfs
.IP "" 4
symlink
.IP "" 4
sys_acl_add_perm
.IP "" 4
sys_acl_clear_perms
.IP "" 4
sys_acl_create_entry
.IP "" 4
sys_acl_delete_def_file
.IP "" 4
sys_acl_free_acl
.IP "" 4
sys_acl_free_qualifier
.IP "" 4
sys_acl_free_text
.IP "" 4
sys_acl_get_entry
.IP "" 4
sys_acl_get_fd
.IP "" 4
sys_acl_get_file
.IP "" 4
sys_acl_get_perm
.IP "" 4
sys_acl_get_permset
.IP "" 4
sys_acl_get_qualifier
.IP "" 4
sys_acl_get_tag_type
.IP "" 4
sys_acl_init
.IP "" 4
sys_acl_set_fd
.IP "" 4
sys_acl_set_file
.IP "" 4
sys_acl_set_permset
.IP "" 4
sys_acl_set_qualifier
.IP "" 4
sys_acl_set_tag_type
.IP "" 4
sys_acl_to_text
.IP "" 4
sys_acl_valid
.IP "" 4
telldir
.IP "" 4
unlink
.IP "" 4
utime
.IP "" 4
write
.PP
In addition to these operations,
vfs_full_audit
recognizes the special operation names "all" and "none ", which refer to all the VFS operations and none of the VFS operations respectively\.
.PP
vfs_full_audit
records operations in fixed format consisting of fields separated by \'|\' characters\. The format is:
.sp
.RS 4
.nf
                smbd_audit: PREFIX|OPERATION|RESULT|FILE
        
.fi
.RE
.PP
The record fields are:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
PREFIX
\- the result of the full_audit:prefix string after variable substitutions
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
OPERATION
\- the name of the VFS operation
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
RESULT
\- whether the operation succeeded or failed
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
FILE
\- the name of the file or directory the operation was performed on
.sp
.RE
.PP
This module is stackable\.
.SH "OPTIONS"
.PP
vfs_full_audit:prefix = STRING
.RS 4
Prepend audit messages with STRING\. STRING is processed for standard substitution variables listed in
\fBsmb.conf\fR(5)\. The default prefix is "%u|%I"\.
.RE
.PP
vfs_full_audit:success = LIST
.RS 4
LIST is a list of VFS operations that should be recorded if they succeed\. Operations are specified using the names listed above\.
.RE
.PP
vfs_full_audit:failure = LIST
.RS 4
LIST is a list of VFS operations that should be recorded if they failed\. Operations are specified using the names listed above\.
.RE
.PP
full_audit:facility = FACILITY
.RS 4
Log messages to the named
\fBsyslog\fR(3)
facility\.
.RE
.PP
full_audit:priority = PRIORITY
.RS 4
Log messages with the named
\fBsyslog\fR(3)
priority\.
.RE
.SH "EXAMPLES"
.PP
Log file and directory open operations on the [records] share using the LOCAL7 facility and ALERT priority, including the username and IP address:
.sp
.RS 4
.nf
        \fI[records]\fR
        \fIpath = /data/records\fR
        \fIvfs objects = full_audit\fR
        \fIfull_audit:prefix = %u|%I\fR
        \fIfull_audit:success = open opendir\fR
        \fIfull_audit:failure = all\fR
        \fIfull_audit:facility = LOCAL7\fR
        \fIfull_audit:priority = ALERT\fR
.fi
.RE
.SH "VERSION"
.PP
This man page is correct for version 3\.0\.25 of the Samba suite\.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\.