Topic: Limit smb log entries in message log

[TerryF]

Hi..

I am looking for info on how to limit what messages are added to the syslog /var/message log by samba activity, currently getting a large amount of log activity when using a wdtv live streaming box simply running a slideshow of image files..heres an example

Aug 28 11:37:20 rslserver smbd[3600]: display|192.168.1.23|wdtvlive|streaming|open|ok|r|foyer/campaigns/Vietnam/Slide047.JPG
Aug 28 11:37:20 rslserver smbd[3600]: display|192.168.1.23|wdtvlive|streaming|close|ok|foyer/campaigns/Vietnam/Slide047.JPG

This occurs for each image file in the slideshow. When this is on a loop the message log quickly grows very large.

I added syslog = 1 to smb.conf and reloaded the config but the messages were still appearing. Samba docs do not indicate a setting of syslog = 0 and it did not change anything when set.

Does anyone have any hints that I can try,

Thanks..

[guest22]

Hey Terry,

maybe adjusting/adding the samba log levels in the samba config?

guest

ps. http://oreilly.com/openbook/samba/book/ch09_01.html

[Stefano]

you have samba audit enabled.. IIRC there should be something about it (and audit activity log) in bugzilla..

[TerryF]

Fingers crossed all is good..

The log entries were being generated from a folder that was from the shared folder contrib, by default shared folders have full samba auditing enabled on any folders that are created, this differs from an ibay which has no auditing enabled.. see vfs_full_audit — record Samba VFS operations in the system log

A template fragment sets the shared folder to have full auditing.

Adding a syslog=1 entry to the smb.conf file no effect.

Doing a check on the db entries shows NO Audit property

[root@rslserver ~]# db accounts show streaming
streaming=share
    DynamicContent=disabled
    Encryption=disabled
    InactivityTimeOut=
    Indexes=enabled
    Name=Media Streaming
    Pydio=disabled
    ReadGroups=
    ReadUsers=
    RecycleBin=disabled
    RecycleBinRetention=unlimited
    RequireSSL=disabled
    WebDav=enabled
    WriteGroups=admins,managers,museum,rslcompusers,wdtvall
    WriteUsers=
    httpAccess=local-pw
    smbAccess=browseable

So added one and set it disabled

[root@rslserver ~]# db accounts setprop streaming Audit disabled
[root@rslserver ~]# db accounts show streaming
streaming=share
    Audit=disabled
    DynamicContent=disabled
    Encryption=disabled
    InactivityTimeOut=
    Indexes=enabled
    Name=Media Streaming
    Pydio=disabled
    ReadGroups=
    ReadUsers=
    RecycleBin=disabled
    RecycleBinRetention=unlimited
    RequireSSL=disabled
    WebDav=enabled
    WriteGroups=admins,managers,museum,rslcompusers,wdtvall
    WriteUsers=
    httpAccess=local-pw
    smbAccess=browseable

Log entries to the /var/message log have now stopped, need to monitor now for any gotchas.

Thanks to you all for the help, Stefanos hint got me on the right track, I will change subject to solved once I can confirm all is OK.

Time for a beer..or maybe three

[CharlieBrady]

The log entries were being generated from a folder that was from the shared folder contrib, by default shared folders have full samba auditing enabled on any folders that are created...

It sounds like that is a flaw in the contrib, and you should create a bug and hope that the developer of that contrib fixes the problem.

[TerryF]

The shared folder contrib difference is by design or misdesign..below are the template fragments for samba audit, for ibays and SharedFoldersu

iBay
/etc/e-smith/templates/etc/smb.conf/ibays/10smbaudit

    $OUT = "";
    return unless (($ibay->prop('Audit') || 'disabled') eq 'enabled');

Shared Folder
/etc/e-smith/templates/etc/smb.conf/shares/45audit

    $OUT = "";
    return unless (($share->prop('Audit') || 'enabled') eq 'enabled');

smb.conf then looks like below re samba audit for a normal iBay and a shared folder

iBay
[fage]
comment = Fage website

path = /home/e-smith/files/ibays/fage
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0664

SharedFolder
[backup]
comment = Test Backups
veto files = /Recycle Bin/

path = /home/e-smith/files/shares/backup/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0660

vfs objects = full_audit
  full_audit:priority=notice
  full_audit:success=mkdir rmdir chdir open close rename unlink connect disconnect
  full_audit:failure=mkdir rmdir chdir open close rename unlink connect disconnect
  full_audit:facility=local5
  full_audit:prefix=%u|%I|%m|%S

Easy to manage when you set the audit parameter via the db...that is when you know that is what to do. So providing all continues to operate as designed and the system doesn't come to a screaming halt, I will ad a not to the Shared Folder wiki entry..

[CharlieBrady]

The shared folder contrib difference is by design or misdesign..

Since it might be a misdesign, you should create the bug in the bug tracker, then the issue can be properly debated, and if deemed necessary, corrected.

[Stefano]

I would add that this should be in Contribs section..

[TerryF]

Bug 8544 submitted