Configure Samba :
The later versions of Samba (e.g. 3.x) include "VFS" modules - or "Virtual File System" modules - which allow Samba to handle virtual tasks such as translating new lines on-the-fly, or checking new files for virus or malware. There is are two included VFS module for auditing, and one will log messages when a file is closed. The full_audit.so VFS module is the one we need. It's included, so we simply need to enable it. Open your /etc/samba/smb.conf, and in the
[global]
section :vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = close
full_audit:failure = none
full_audit:facility = local6
full_audit:priority = DEBUG
If the priority is NOTICE, you will get the messages into /var/log/messages, so beware of your config. I went with DEBUG, so that I can then restrict that to one destination (I'll talk about that later).The secret is in the "full_audit:success" and "full_audit:failure" parameters. These allow you to configure what system calls you want logged, either on failure or on success. In the above configuration, I log nothing on failures, and I log "close" on successes. This means that the syslog configuration will get a log message for every time a file is closed (whether being written to or just read from). The log messages look like :
Oct 15 22:44:01 localhost smbd[20487]: anne|10.0.0.73|mediacenter|movies|close|ok|disney/the_little_mermaid.mp4
Oct 15 22:44:02 localhost smbd[20487]: secuser|10.0.0.41|tv-ip322p-0015f|camerashares|close|ok|path_to_storage/20131015/22/224315.mp4
So, since we will end up with all closings, you want to ensure either the username ("secuser" in the above messages) doing the writing or the hostname (tv-ip322p-0015f) that is writing to the Samba share is unique and you can filter out the rest of the stuff. In my case, the host is "tv-ip322p-0015f", so I can easily just watch for those messages for closings from the camera(s) in question through logcheck, and have an instantaneous notification via e-mail when each camera clears itself and stops recording. However, since we want the notification to enter our event server (e.g. Nagios), and... since full_audit already runs through syslog, it's simply a matter of setting up a named-pipe.Named Pipe Creation :
- Create the named-pipe :
mkdir /etc/syslog.pipes mknod /etc/syslog.pipes/sambaEvents p chmod 600 /etc/syslog.pipes/sambaEvents
- Next, configure syslog to write to that named pipe. In your syslog config (e.g. /etc/rsyslog.conf), add a line such as (make sure it matches your customizations) :
local6.* |/etc/syslog.pipes/sambaEvents
- Then, restart syslog :
/etc/init.d/rsyslog restart - Finally, you will have to write a tool that reads from your named-pipe. In my case, I'm setting up an eventserver, and I'm using a plugin for that one. For anyone else, you can do a cron (example http://svn.silverhawk.net/files/syslogSambaEvent.sh) such as :
* * * * * /usr/local/bin/syslogSambaEvent.sh < /etc/syslog.pipes/sambaEvents
That will run the job once a second looking for messages from the queue, and then e-mail them out if they match my tv-ip322p.
Oct 16 08:30:21 cottonwoodheights rsyslogd-2039: Could not open output pipe '/etc/syslog.pipes/sambaEvents' [try http://www.rsyslog.com/e/2039 ]
Oct 16 08:30:24 cottonwoodheights setroubleshoot: SELinux is preventing /sbin/rsyslogd from 'read, write' accesses on the fifo_file sambaEvents. For complete SELinux messages. run sealert -l 0f6ad628-c737-452f-a4a2-fbf240519594
If you are running SELinux, you will probably see something like the above. Simply run the sealert command it names, and follow the directions the command provides. You may also find more messages in there for the script that reads from the named pipe.Added Notifications :
Just a note, if you want other functions (for example, if the camera you are using doesn't have a "motion detected" notification method but does capture only the motion video, you can add the "open" to the full_audit:success line such as "full_audit:success = open,close"), I grabbed a list from the vfs_full_audit.c source, so these are things you can monitor if you really want, but beware things like "pwrite" are called multiple times in a file write, not just once for the entire file, so you could have a log inundated with verbose messages.
aio_error
aio_force
aio_fsync
aio_is_offline
aio_read
aio_set_offline
aio_write
brl_cancel_windows
brl_lock_windows
brl_unlock_windows
chdir
chflags
chmod
chmod_acl
chown
close
closedir
connect
connectpath
create_file
disconnect
disk_free
fchmod
fchmod_acl
fchown
fget_nt_acl
fgetxattr
file_id_create
flistxattr
fremovexattr
fs_capabilities
fset_nt_acl
fsetxattr
fstat
fsync
ftruncate
get_alloc_size
getlock
get_nt_acl
get_quota
get_real_filename
get_shadow_copy_data
getwd
getxattr
init_search_op
kernel_flock
lchown
lgetxattr
link
linux_setlease
listxattr
llistxattr
lock
lremovexattr
lseek
lsetxattr
lstat
mkdir
mknod
notify_watch
ntimes
open
opendir
pread
pwrite
read
readdir
readlink
realpath
recvfile
removexattr
rename
rewinddir
rmdir
seekdir
sendfile
set_quota
setxattr
stat
statvfs
streaminfo
strict_lock
strict_unlock
symlink
sys_acl_add_perm
sys_acl_clear_perms
sys_acl_create_entry
sys_acl_delete_def_file
sys_acl_free_acl
sys_acl_free_qualifier
sys_acl_free_text
sys_acl_get_entry
sys_acl_get_fd
sys_acl_get_file
sys_acl_get_perm
sys_acl_get_permset
sys_acl_get_qualifier
sys_acl_get_tag_type
sys_acl_init
sys_acl_set_fd
sys_acl_set_file
sys_acl_set_permset
sys_acl_set_qualifier
sys_acl_set_tag_type
sys_acl_to_text
sys_acl_valid
telldir
translate_name
unlink
write
No comments:
Post a Comment