I'm using Samba to provide shares to users. They sometimes claim their files have mysteriously disappeared, so I am keen to track deletions.
Thus I set up full audit. Everything works, except the audit log is often missing the file name or has some sort of mystery code. For example:
Dec 12 17:46:04 server1 smbd_audit: shared|shared|192.168.x.x|matt1|shared|2016/12/12 17:46:04|server1|file_id_create|ok|802:28200da:0
The last item should presumably be a file name. Why is there a number instead? The relevant parts of smb.conf follow:
[homes]
comment = Home Directories
directory mask = 0775
browseable = yes
read only = no
create mask = 0775
directory mask = 0775
valid users = %S
writable = yes
vfs objects = recycle
recycle:repository = .RecycleBin
recycle:keeptree = yes
recycle:exclude = *.tmp, *.bak
vfs objects = full_audit
full_audit:prefix = %u|%U|%I|%m|%S|%T|%D
full_audit:success = mkdir rename unlink rmdir open
full_audit:failure = none
full_audit:facility = LOCAL5
full_audit:priority = NOTICE
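
An added example, not part of the original post: a parser for syslog lines in the layout produced by the prefix above, which lists the successful unlink, rmdir and rename events. The field names and every sample line except the first are constructed, and the argument fields are treated as opaque text.

```python
import re
from typing import List, NamedTuple, Optional

# Names chosen here for the seven fields of the prefix %u|%U|%I|%m|%S|%T|%D
PREFIX = ("service_user", "session_user", "client_ip", "client_name",
          "share", "timestamp", "domain")
# Operations from the full_audit:success list that remove or move a path
REMOVAL_OPS = {"unlink", "rmdir", "rename"}
AUDIT_RE = re.compile(r"\bsmbd_audit(?:\[\d+\])?:\s*(.*)$")


class AuditEvent(NamedTuple):
    prefix: dict
    op: str
    ok: bool
    args: List[str]


def parse_line(line: str) -> Optional[AuditEvent]:
    """Parse one full_audit syslog line; return None for anything else."""
    m = AUDIT_RE.search(line.strip())
    if not m:
        return None
    parts = m.group(1).split("|")
    n = len(PREFIX)
    if len(parts) < n + 2:  # prefix + operation + result are mandatory
        return None
    return AuditEvent(dict(zip(PREFIX, parts[:n])), parts[n],
                      parts[n + 1] == "ok", parts[n + 2:])


def removals(lines):
    """Return (timestamp, user, client_ip, op, args) for successful removals."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.ok and ev.op in REMOVAL_OPS:
            p = ev.prefix
            out.append((p["timestamp"], p["session_user"], p["client_ip"], ev.op, ev.args))
    return out


# Sample input: the first line is the one quoted in the post, the rest are constructed.
_H = "server1 smbd_audit: shared|shared|192.168.x.x|matt1|shared|"
SAMPLE = [
    "Dec 12 17:46:04 " + _H + "2016/12/12 17:46:04|server1|file_id_create|ok|802:28200da:0",
    "Dec 12 17:47:10 " + _H + "2016/12/12 17:47:10|server1|unlink|ok|reports/q4.xlsx",
    "Dec 12 17:48:02 " + _H + "2016/12/12 17:48:02|server1|rename|ok|draft.doc|old/draft.doc",
    "Dec 12 17:49:30 " + _H + "2016/12/12 17:49:30|server1|rmdir|fail (Directory not empty)|old",
    "Dec 12 17:50:00 server1 sshd[411]: constructed unrelated line",
]
```
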