# Separate Samba Log from Syslog



## dkovacevic (Aug 9, 2012)

I have a samba share configured to allow logging of file access:


```
[home]
   comment = Home Directory
   path=/home/%u
   vfs objects = full_audit
   full_audit:prefix = %u|%I|%m|%s
   full_audit:success = open opendir read pwrite unlink rmdir pread write sendfile ftruncate
   full_audit:failure = connect disconnect open close read pread write prwite sendfile ftruncate lock readlink
   full_audit:facility = LOCAL7
   full_audit:priority = ALERT

...
```

I added this line to /etc/newsyslog.conf:


```
/var/log/samba/audit.log                640  50    100  *     JC
```

Lastly, I added this line to /etc/syslog.conf:


```
local7.*                                        /var/log/samba/audit.log
```

Samba has this line in the global section:


```
syslog = 0
```

My problem is that the log data that I am expecting to see in the samba log file is also being sent to syslog. I would very much prefer to keep these separate, as the samba log fills up swiftly and other relevant messages in the syslog won't be as noticeable.

How can these be separated?


----------



## dkovacevic (Aug 9, 2012)

Figured this out:

In /etc/syslog.conf, found this line:


```
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err    /var/log/messages
```

and added:


```
*.notice;LOCAL7,authpriv.none;kern.debug;lpr.info;mail.crit;news.err    /var/log/messages
```

Also changed the


```
local7.*                                        /var/log/samba/audit.log
```

to


```
LOCAL7.ALERT                                    /var/log/samba/audit.log
```

so that /var/log/messages is no longer being spammed by samba file log material.

Don't know whether CAPS is relevant or not.


----------

