Samba Full Audit with Super Fast Logging

usually, when you enable the samba audit module, you will notice a significant drop in performance, especially when your shared folder is accessed by many users simultaneously.

to have full audit logging without performance degradation, you need very fast writes to the log folder/partition. and what is faster than RAM?

so, we mount RAM to be used for our samba logging. put this line into /etc/fstab:
tmpfs  /sambalog  tmpfs  defaults,noexec,nosuid,nodev  1 0

now, we tell samba and syslog to write their logs to /sambalog:
# this line goes into /etc/syslog.conf
user.*;user.!warn /sambalog/fullaudit.log

# and this line goes into /etc/samba/smb.conf
log file = /sambalog/smbd.log

then, restart samba & syslog:
service smb restart
service syslog restart

now, watch /sambalog grow and feel the performance boost.

wait...
what the heck are we logging for if everything's gone on the next boot?

ok, let's get those logs back from RAM:
# cat /etc/cron.d/logbak
# % is special in crontab lines, so it must be escaped as \%
*/5 * * * *  root zip -ru "/var/log/bak-$(date +\%d).zip" /sambalog

all logs will be zipped back to hdd for safekeeping. anything written since the last run (up to 5 minutes) is still lost if the machine goes down.
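
a guarded version of the cron flush, as an added example that is not part of the original post: it refuses to archive unless /sambalog really is the tmpfs mount with the options from the fstab line, warns when the RAM disk is filling up, and names the archive per day and per boot so that after a reboot `zip -u` does not replace the archived pre-reboot log with the new, shorter one. the function names, the 80% threshold, the archive naming and the `--flush` switch are assumptions.

```sh
#!/bin/sh
# added example, not from the original post. assumed: function names,
# the 80% threshold, the archive naming and the --flush switch.

# mount_ok MOUNTPOINT [MOUNTS_FILE]: succeed only if the last mount on
# MOUNTPOINT is tmpfs with noexec, nosuid and nodev (as in the fstab line).
mount_ok() {
    awk -v mp="$1" '
        $2 == mp { fs = $3; opts = "," $4 "," }
        END {
            ok = (fs == "tmpfs" && index(opts, ",noexec,") &&
                  index(opts, ",nosuid,") && index(opts, ",nodev,"))
            exit !ok
        }' "${2:-/proc/mounts}"
}

# used_pct: read `df -P` output on stdin, print the use% of its first entry.
used_pct() {
    awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# archive_path DEST_DIR DATE BOOT_ID: one archive per day and per boot.
archive_path() {
    printf '%s/bak-%s-%s.zip\n' "$1" "$2" "$(printf '%s' "$3" | cut -c1-8)"
}

# flush_logs SRC DEST_DIR: archive SRC, refusing if it is not the tmpfs.
flush_logs() {
    src=$1 dest=$2
    mount_ok "$src" || { logger -p user.err "logbak: $src is not the expected tmpfs mount"; return 1; }
    pct=$(df -P "$src" | used_pct)
    [ "$pct" -lt 80 ] || logger -p user.warning "logbak: $src is ${pct}% full"
    boot=$(cat /proc/sys/kernel/random/boot_id)   # Linux-specific
    zip -ruq "$(archive_path "$dest" "$(date +%Y%m%d)" "$boot")" "$src" ||
        [ $? -eq 12 ]   # zip exits 12 when there is nothing to update
}

if [ "${1:-}" = "--flush" ]; then
    flush_logs /sambalog /var/log
fi
```

saved as a script and called from the cron.d entry with `--flush`, it takes the place of the plain zip command; the `date` call lives in the script, so no `%` escaping is needed on the cron line.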

