Audit Levels

Use this option to configure the audit logging level for a share.

audit_level – The level of audit logging on this share.

For example:

audit_level = 2

The following describes the messages and events logged at each audit level. Each level includes all the messages and events of the previous levels: audit level 2 includes everything in audit level 1, and so on.

Audit Level 1

  • Create:
    • SMB2 CREATE
    • SMB2 SET_INFO (creating a hardlink to an existing file)
  • Delete:
    • SMB2 CREATE (with CreateOptions DELETE_ON_CLOSE) + SMB2 CLOSE
    • SMB2 SET_INFO (SMB2_0_INFO_FILE)
  • Rename:
    • SMB2 SET_INFO
  • Modify permissions:
    • SMB2 SET_INFO (SMB2_0_INFO_SECURITY)
    • SMB2 CREATE
  • Auth-related operations:
    • Log all actions from start to end of SMB2 SESSION_SETUP. This determines whether the client can successfully access SMB2 services.
    • SMB2 LOGOFF
    • SMB2 CLOSE

Audit Level 2

  • Write:
    • SMB2 WRITE
    • SMB2 SET_INFO
    • SMB2 IOCTL
  • Update:
    • SMB2 FLUSH

Audit Level 3

  • Read access permissions:
    • SMB2 QUERY_INFO (INFO_FILE & INFO_SECURITY)
  • Lookup:
    • SMB2 QUERY_DIRECTORY (can use a wildcard, a pattern, or an exact filename). A file lookup can also be done with a simple SMB2 CREATE request for the filename with CreateDisposition set to 1 (open if it exists, otherwise fail); that case is logged under CREATE.
  • Readlink:
    • Same as SMB2 CREATE
  • Readdir:
    • Same as lookup
  • File open:
    • SMB2 CREATE (not implemented yet)

Audit Level 4

  • Read:
    • SMB2 READ
  • Commits:
    • Same as Update in Audit Level 2
  • Set Access Time (not implemented yet)

Audit Level 5

  • Stat:
    • There are no specific stat requests in SMB2. This usually involves SMB2 QUERY_INFO or SMB2 QUERY_DIRECTORY.
  • Commits:
    • Same as in Audit level 2 (Update)
  • SMB2 IOCTL COPYCHUNK
  • Share root open
  • MISC operations (not implemented yet):
    • SMB2 LOCK
    • SMB2 CANCEL
    • SMB2 CHANGE_NOTIFY
    • SMB2 OPLOCK_BREAK
    • SMB2 ECHO
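As an added example (not part of this documentation or the product), a check a defender can run before relying on share audit logs for detection: parse a share's configured audit_level and compare it with the operation categories a detection rule needs, using the cumulative level mapping above. The INI-style config layout, the share names and the category names are assumptions.

```python
import re

# Lowest audit_level at which each operation category is logged, taken from the
# level descriptions above. Levels are cumulative: level N logs levels 1..N.
# Categories the page marks "not implemented yet" are left out on purpose.
MIN_LEVEL = {
    "create": 1, "delete": 1, "rename": 1, "modify_permissions": 1, "auth": 1,
    "write": 2, "update": 2,
    "read_permissions": 3, "lookup": 3, "readlink": 3, "readdir": 3,
    "read": 4, "commit": 4,
    "stat": 5, "copychunk": 5, "share_root_open": 5,
}

def parse_audit_level(config_text, share):
    """Return the audit_level for `share` from INI-style text (assumed layout:
    a [share] section holding an 'audit_level = N' line). Rejects values
    outside 1..5 and a missing setting."""
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if section == share and sep and key.strip() == "audit_level":
            level = int(value.strip())
            if not 1 <= level <= 5:
                raise ValueError(f"audit_level {level} out of range 1..5")
            return level
    raise ValueError(f"no audit_level set for share {share!r}")

def coverage(level, required):
    """Split `required` categories into (logged at `level`, not logged)."""
    covered = sorted(c for c in required if MIN_LEVEL[c] <= level)
    missing = sorted(c for c in required if MIN_LEVEL[c] > level)
    return covered, missing

def min_level_for(required):
    """Smallest audit_level that logs every category in `required`."""
    return max(MIN_LEVEL[c] for c in required)

# Constructed sample config and detection requirement (not from the page).
SAMPLE_CONFIG = "[finance]\naudit_level = 2\n\n[scratch]\naudit_level = 1\n"
REQUIRED = {"delete", "rename", "write", "read"}
```

With the sample config, `coverage(2, REQUIRED)` reports `read` as not logged, and `min_level_for(REQUIRED)` returns 4, the level at which SMB2 READ starts being audited.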