To get full audit logging without performance degradation, you need very fast writes to the log folder/partition. And what is faster than RAM?
So, we mount a RAM-backed filesystem (tmpfs) to hold our Samba logs. Put this line into /etc/fstab:
    tmpfs /sambalog tmpfs defaults,noexec,nosuid,nodev 1 0
Now, we tell Samba and syslog to write their logs to /sambalog:
    # this line into /etc/syslog.conf
    user.*;user.!warn /sambalog/fullaudit.log
    # and this line into /etc/samba/smb.conf
    log file = /sambalog/smbd.log
Then, restart Samba and syslog:
    service smb restart
    service syslog restart
Now, watch /sambalog grow and feel the performance boost.
But what the heck are we logging for if everything is gone on the next boot?
OK, let's get those logs back from RAM:
    # cat /etc/cron.d/logbak
    # a literal % must be written as \% in a crontab entry
    */5 * * * * root zip -ru "/var/log/bak-$(date +\%d).zip" /sambalog
Every five minutes, all logs are zipped back to the HDD for safekeeping.
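As an added example (not part of the original post), the shell function below lints an fstab line like the one used here: it works out the effective options left to right and reports whether exec, suid or dev remain enabled. The function name, the finding labels and the size= check are assumptions of this example; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): lint one fstab-format line
# for the RAM-backed log mount. All sample lines here are constructed.

# check_tmpfs_entry LINE MOUNTPOINT
# Prints findings; status 0 = hardened, 1 = findings, 2 = LINE is not a
# tmpfs entry for MOUNTPOINT. The ( ) body keeps set -f and IFS local.
check_tmpfs_entry() (
    want_mp=$2
    case $1 in
        ''|'#'*) exit 2 ;;               # blank line or comment
    esac
    set -f                               # no globbing while word-splitting
    set -- $1                            # device mountpoint type options ...
    [ "$3" = tmpfs ] && [ "$2" = "$want_mp" ] || exit 2

    # mount applies options left to right, so the last one wins
    # ("noexec,exec" ends up exec). "defaults" includes exec, suid, dev.
    exec_ok=yes suid_ok=yes dev_ok=yes sized=no
    IFS=,
    for opt in $4; do
        case $opt in
            defaults) exec_ok=yes suid_ok=yes dev_ok=yes ;;
            exec)     exec_ok=yes ;;
            noexec)   exec_ok=no ;;
            suid)     suid_ok=yes ;;
            nosuid)   suid_ok=no ;;
            dev)      dev_ok=yes ;;
            nodev)    dev_ok=no ;;
            size=*)   sized=yes ;;
        esac
    done

    findings=
    [ "$exec_ok" = yes ] && findings="$findings exec-allowed"
    [ "$suid_ok" = yes ] && findings="$findings suid-allowed"
    [ "$dev_ok" = yes ] && findings="$findings dev-allowed"
    # Assumption of this example: also flag a missing size= cap, because
    # an uncapped tmpfs may grow to half of physical RAM.
    [ "$sized" = no ] && findings="$findings no-size-cap"
    [ -z "$findings" ] && exit 0
    echo "${findings# }"
    exit 1
)

# The fstab line from this page: hardened, but with no size cap.
check_tmpfs_entry "tmpfs /sambalog tmpfs defaults,noexec,nosuid,nodev 1 0" \
    /sambalog || echo "exit status: $?"
```

To check a live system, feed it each line of /etc/fstab in a `while read -r` loop and ignore status 2.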
-- tips & tricks on computers and gadgets denny on IT ; let's doIT documenting the brain