vfs_smb_traffic_analyzer — log Samba VFS read and write operations through a socket to a helper application
vfs objects = smb_traffic_analyzer
This VFS module is part of the samba(7) suite.
The vfs_smb_traffic_analyzer VFS module logs client write and read operations on a Samba server and sends this data over a socket to a helper program, which feeds a SQL database. More information on the helper programs can be obtained from the homepage of the project at:
http://holger123.wordpress.com/smb-traffic-analyzer/
vfs_smb_traffic_analyzer is currently aware of the following VFS operations:
write
pwrite
read
pread
vfs_smb_traffic_analyzer sends the following data in a fixed format separated by a comma through either an internet or a unix domain socket:
BYTES|USER|DOMAIN|READ/WRITE|SHARE|FILENAME|TIMESTAMP
Description of the records:
BYTES - the length in bytes of the VFS operation
USER - the user who initiated the operation
DOMAIN - the domain of the user
READ/WRITE - either "W" for a write operation or "R" for read
SHARE - the name of the share on which the VFS operation occurred
FILENAME - the name of the file that was used by the VFS operation
TIMESTAMP - a timestamp, formatted as "yyyy-mm-dd hh-mm-ss.ms", indicating when the VFS operation occurred
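A receiving-side parser for the record layout above, as an added example (not code from the Samba project or its helper programs). It assumes unquoted fields and takes the separator as a parameter, defaulting to the comma named in the text; the function names and sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

FIELDS = ("bytes", "user", "domain", "op", "share", "filename", "timestamp")

def parse_record(line, sep=","):
    """Parse one BYTES..TIMESTAMP record; raises ValueError on malformed input."""
    # Split the five leading fields from the left and TIMESTAMP from the right,
    # so a FILENAME that itself contains the separator is kept intact.
    head = line.rstrip("\r\n").split(sep, 5)
    if len(head) != 6 or sep not in head[5]:
        raise ValueError("expected 7 fields")
    filename, stamp = head[5].rsplit(sep, 1)
    rec = dict(zip(FIELDS, head[:5] + [filename, stamp]))
    if not (rec["bytes"].isascii() and rec["bytes"].isdigit()):
        raise ValueError("BYTES is not a non-negative integer")
    rec["bytes"] = int(rec["bytes"])
    if rec["op"] not in ("R", "W"):
        raise ValueError("READ/WRITE must be R or W")
    # Timestamp layout as documented on this page: yyyy-mm-dd hh-mm-ss.ms
    rec["timestamp"] = datetime.strptime(stamp, "%Y-%m-%d %H-%M-%S.%f")
    return rec

def bytes_by_user(lines, sep=","):
    """Sum bytes per (user, share, op); return (totals, rejected_lines)."""
    totals, rejected = defaultdict(int), []
    for line in lines:
        try:
            r = parse_record(line, sep)
        except ValueError:
            rejected.append(line)  # keep for review, never guess at fields
            continue
        totals[(r["user"], r["share"], r["op"])] += r["bytes"]
    return dict(totals), rejected

# Constructed sample records (not captured from a real server).
SAMPLE = [
    "4096,alice,CORP,R,example_share,report.doc,2009-03-14 10-15-30.120",
    "8192,alice,CORP,R,example_share,budget,final.xls,2009-03-14 10-15-31.004",
    "512,User7,CORP,W,example_share,notes.txt,2009-03-14 10-16-02.250",
    "oops,bob,CORP,R,example_share,x.txt,2009-03-14 10-16-03.000",
]

if __name__ == "__main__":
    totals, rejected = bytes_by_user(SAMPLE)
    print(totals)
    print("rejected:", rejected)
```

Malformed records are returned separately rather than dropped, so a receiver can tell a broken sender from a quiet share.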
This module is stackable.
If STRING matches "unix_domain_socket", the module will use a unix domain socket located at /var/tmp/stadsocket. If STRING contains a different string or is not defined, the module will use an internet domain socket for data transfer.
The module will send the data to the system named with the hostname STRING.
The module will send the data using the TCP port given in STRING.
The module will replace the user names with a prefix given by STRING and a simple hash number.
If STRING matches 'yes', the module will replace any user name with the string given by the option smb_traffic_analyzer:anonymize_prefix, without generating an additional hash number. This means that any transfer data will be mapped to a single user, leading to a total anonymization of user-related data.
The module running on share "example_share", using a unix domain socket.
[example_share]
path = /data/example
vfs objects = smb_traffic_analyzer
smb_traffic_analyzer:mode = unix_domain_socket
The module running on share "example_share", using an internet socket, connecting to host "examplehost" on port 3491.
[example_share]
path = /data/example
vfs objects = smb_traffic_analyzer
smb_traffic_analyzer:host = examplehost
smb_traffic_analyzer:port = 3491
The module running on share "example_share", using an internet socket, connecting to host "examplehost" on port 3491, anonymizing user names with the prefix "User".
[example_share]
path = /data/example
vfs objects = smb_traffic_analyzer
smb_traffic_analyzer:host = examplehost
smb_traffic_analyzer:port = 3491
smb_traffic_analyzer:anonymize_prefix = User