# Auditing File Access With Samba



## adripillo (Nov 28, 2013)

Hello, I need to log in some way the file access to Samba because in the place where I am working sometimes people delete files from the shared folder and of course I can recover it but I need to know which IP/computer deleted the files. I found this on the web but I do not know if could work for FreeBSD, maybe you can tell me or it can be made easier.

Add to the Samba configuration /etc/samba/smb.conf these strings:


```
[Incoming]
path = /media/disk1/Incoming
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%s
full_audit:success = open opendir read pwrite unlink
full_audit:failure = all
full_audit:facility = LOCAL7
full_audit:priority = ALERT
```

This construction will log operations of open files, open directories, reading, deleting and writing files.

Now add to the /etc/rsyslog.conf file this string:


```
local7:* /var/log/samba/audit.log
```

That’s all. Now restart Samba and rsyslogd: `server:~# /etc/init.d/samba restart && /etc/init.d/rsyslogd restart`


----------



## adripillo (Nov 28, 2013)

Yes, it is working.


----------



## zokstar (Nov 29, 2013)

Thanks for this!  It might come in handy one day.


----------

