Is it possible to make audit file on TrueNAS Core

Hello,

I have a TrueNAS Core system, version TrueNAS-13.0-U6.2, in my IT estate.

It is used as a file server for all the company’s users.

Currently we have no file audit on this TrueNAS. I would like to be able to get this information (creation, deletion or modification of a file) via file audit.

We use SMB (Samba) for file sharing. In the SMB service I've added the following commands to the auxiliary parameters:

log level = 5
vfs objects = full_audit ixnas
full_audit:prefix = %u|%I|%m|%S|%P|%f
full_audit:priority = notice
full_audit:success = mkdirat renameat unlinkat openat rmdir writeat

I'm using PRTG as the TrueNAS Core log receiver, so in the TrueNAS rsyslog settings I've added the PRTG IP address and port 514.

I receive logs, but nothing that tells me the name of the file that has been created, modified or deleted:

2024-12-10T15:19:07.162037-05:00 xxxx.local smbd_audit 39461 - - xxx\jo.blow|x.x.x.x|laptop_hostname|IPC_|/var/tmp|%f|file_id_create|ok|5810598849960936741:34:11

Is it possible that TrueNAS Core can't do what I'd like to do in terms of file audit?

Thanks
Steeve

Why don't you use SCALE, where we have formally added SMB auditing?

Good morning !!

I know it's possible to switch from Core to SCALE, but first I wanted to do some tests.

So I installed SCALE on a VM and tried to do the file audit on this TrueNAS.

We have EventLog Analyzer as software, but after a few tests I still had this result when I add files to my share:

Message: 28607 - - smb_user opened file FortiClientSetup_7.2.6_x64.exe read=No write=No (numopen=4)
Time: 2024-12-11 07:16:17
DisplayName: x.x.x.x
Device: x.x.x.x
Severity: notice
Facility: Daemon
Source: smbd_audit
Username: -
Remote Device: -
LogonId: -
Audit Id: -
Logon Type: -
Target Domain: -
Target User: -
User Pid: -
Target Group: -
Group Id: -
LogType: Unix
File Type: -
File Size: -
Target Device: -
Error Code: -
Status: -
Event Name: -

Yes, I saw the name of the file, but I'm not able to see if it's a creation, deletion or modification.

After one day of work to find a solution, I called EventLog's technical support, and FIM is not working for the Debian distribution.

If I use PRTG with SCALE, will I have the same problem?

Thanks

This should not be set on production servers. It basically puts your general Samba logging at a ridiculous level.

This will break a significant amount of NAS functionality, since you're removing almost all vfs objects.

It's not too hard to spin up a VM and test your stuff against it. Our audit messages are JSON-formatted, so anything that can parse JSON (or plain text) should in theory be OK.

I reopened my SCALE test VM and did some new tests.

I removed the line log level = 5.

I just kept these commands:
vfs objects = full_audit ixnas
full_audit:prefix = %u|%I|%m|%f
full_audit:success = mkdirat renameat unlinkat openat rmdir writeat
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE

Here is the result when I add files to the share:
Message : 29322 - - @cee:{"TNAUDIT": {"success": true, "aid": "bd764e71-96a7-471b-867c-5aae18c0ea2a", "vers": {"major": 0, "minor": 1}, "addr": "10.101.30.72", "user": "smb_user", "sess": "36e552c7-edf1-44ed-b417-233562e8eaa7", "time": "2024-12-11 13:23:47.021238Z", "svc": "SMB", "svc_data": "{\"vers\": {\"major\": 0, \"minor\": 1}, \"service\": \"Testfiles\", \"session_id\": \"1856527050\", \"tcon_id\": \"3905207551\"}", "event": "CREATE", "event_data": "{\"parameters\": {\"DesiredAccess\": \"0x0017019f\", \"FileAttributes\": \"0x00000020\", \"ShareAccess\": \"0x00000000\", \"CreateDisposition\": \"CREATE\", \"CreateOptions\": \"0x00000044\"}, \"file_type\": \"FILE\", \"file\": {\"path\": \"AnywhereUSB_Chubb/Outil_Discovery_40002256_H.exe\", \"stream\": null, \"snap\": null, \"handle\": {\"type\": \"DEV_INO\", \"value\": \"54:31:0\"}}, \"result\": {\"type\": \"NTSTATUS\", \"value_raw\": 0, \"value_parsed\": \"SUCCESS\"}, \"vers\": {\"major\": 0, \"minor\": 1}}"}}

When I removed a file from the share:
Message : 29322 - - @cee:{"TNAUDIT": {"success": true, "aid": "922a790c-e861-44b8-9ab7-8a5a3c453648", "vers": {"major": 0, "minor": 1}, "addr": "10.101.30.72", "user": "smb_user", "sess": "36e552c7-edf1-44ed-b417-233562e8eaa7", "time": "2024-12-11 13:31:17.496251Z", "svc": "SMB", "svc_data": "{\"vers\": {\"major\": 0, \"minor\": 1}, \"service\": \"Testfiles\", \"session_id\": \"1856527050\", \"tcon_id\": \"3905207551\"}", "event": "CLOSE", "event_data": "{\"file\": {\"path\": \"PRTG v2.1.pptx\", \"stream\": null, \"snap\": null, \"handle\": {\"type\": \"DEV_INO\", \"value\": \"54:25:0\"}}, \"operations\": {\"read_cnt\": \"1\", \"read_bytes\": \"4096\", \"write_cnt\": \"0\", \"write_bytes\": \"0\"}, \"result\": {\"type\": \"UNIX\", \"value_raw\": 0, \"value_parsed\": \"SUCCESS\"}, \"vers\": {\"major\": 0, \"minor\": 1}}"}}
Time : 2024-12-11 08:31:17
DisplayName : 10.50.105.31
Device : 10.50.105.31
Severity : notice
Facility : User
Source : smbd_audit
Username : -
Remote Device : -
LogonId : -
Audit Id : -
Logon Type : -
Target Domain : -
Target User : -
User Pid : -
Target Group : -
Group Id : -
LogType : Unix
File Type : -
File Size : -
Target Device : -
Error Code : -
Status : -
Event Name : -
Usertest : -
Usertest2 :

When I open a file from TrueNAS SCALE and close it afterwards:
Message : 29322 - - smb_user closed file pdf24_merged.pdf (numopen=3) NT_STATUS_OK
Time : 2024-12-11 08:34:58
DisplayName : 10.50.105.31
Device : 10.50.105.31
Severity : notice
Facility : Daemon
Source : smbd_audit
Username : -
Remote Device : -
LogonId : -
Audit Id : -
Logon Type : -
Target Domain : -
Target User : -
User Pid : -
Target Group : -
Group Id : -
LogType : Unix
File Type : -
File Size : -
Target Device : -
Error Code : -
Status : -
Event Name : -
Usertest : -
Usertest2

I think I'm close to finding the right command to get what I need.
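The records above show what SCALE's JSON audit output looks like on the wire: a syslog header, an "@cee:" marker, and a TNAUDIT object whose svc_data and event_data fields are themselves JSON encoded as strings. The post's open question is how to turn that into "created / modified / deleted" per file. The following is an added example (not code from the thread or from iXsystems) that parses such lines and classifies them. It assumes the event names UNLINK and RENAME exist in the module alongside the CREATE and CLOSE events visible above (check man vfs_truenas_audit), and the sample lines are constructed in the same shape as the posted records, not real captures. The classification rules it uses are protocol facts: an SMB2 CreateDisposition of CREATE means a new file was made, OVERWRITE/OVERWRITE_IF/SUPERSEDE truncate an existing one, OPEN/OPEN_IF are ambiguous on their own, and a CLOSE with zero write operations (like the one posted after the file was removed) is not evidence of a deletion.

```python
import json

# Added example, not part of the thread. Parses TrueNAS SCALE "@cee:" TNAUDIT
# records and maps each one to a file-level action.
# Assumption: UNLINK and RENAME are real event names in vfs_truenas_audit;
# only CREATE and CLOSE are visible in the posted records.

CEE_MARKER = "@cee:"
# SMB2 CreateDisposition values that truncate/replace an existing file (protocol-defined).
_MODIFYING_DISPOSITIONS = {"SUPERSEDE", "OVERWRITE", "OVERWRITE_IF"}
_OK = {"type": "NTSTATUS", "value_raw": 0, "value_parsed": "SUCCESS"}


def _file(path):
    return {"path": path, "stream": None, "snap": None,
            "handle": {"type": "DEV_INO", "value": "54:31:0"}}


def _tnaudit_line(event, event_data, user="smb_user"):
    """Build a constructed syslog line in the posted layout: svc_data and
    event_data are embedded as JSON strings inside the TNAUDIT object."""
    rec = {"success": True, "aid": "00000000-0000-0000-0000-000000000000",
           "vers": {"major": 0, "minor": 1}, "addr": "192.0.2.10", "user": user,
           "sess": "00000000-0000-0000-0000-000000000001",
           "time": "2024-12-11 13:23:47.021238Z", "svc": "SMB",
           "svc_data": json.dumps({"vers": {"major": 0, "minor": 1}, "service": "Testfiles",
                                   "session_id": "1", "tcon_id": "1"}),
           "event": event, "event_data": json.dumps(event_data)}
    return "2024-12-11T13:23:47Z nas smbd_audit 29322 - - " + CEE_MARKER + json.dumps({"TNAUDIT": rec})


# Constructed sample input (not real captures), modeled on the records posted above.
SAMPLE_LINES = [
    _tnaudit_line("CREATE", {"parameters": {"DesiredAccess": "0x0017019f", "CreateDisposition": "CREATE"},
                             "file_type": "FILE", "file": _file("docs/new.docx"), "result": _OK}),
    _tnaudit_line("CREATE", {"parameters": {"DesiredAccess": "0x00120089", "CreateDisposition": "OPEN"},
                             "file_type": "FILE", "file": _file("docs/old.pdf"), "result": _OK}),
    _tnaudit_line("CLOSE", {"file": _file("docs/old.pdf"), "result": _OK,
                            "operations": {"read_cnt": "1", "read_bytes": "4096", "write_cnt": "0", "write_bytes": "0"}}),
    _tnaudit_line("CLOSE", {"file": _file("docs/new.docx"), "result": _OK,
                            "operations": {"read_cnt": "0", "read_bytes": "0", "write_cnt": "3", "write_bytes": "12288"}}),
    _tnaudit_line("UNLINK", {"file": _file("docs/old.pdf"), "result": _OK}),   # assumed event name
    _tnaudit_line("RENAME", {"file": _file("docs/a.txt"), "result": _OK}),     # assumed event name
    "2024-12-11T13:23:47Z nas smbd_audit 29322 - - smb_user closed file x.pdf (numopen=3) NT_STATUS_OK",
]


def parse_tnaudit(line):
    """Return the TNAUDIT record from one syslog line, or None for non-audit lines.
    Nested svc_data/event_data JSON strings are decoded into objects."""
    idx = line.find(CEE_MARKER)
    if idx < 0:
        return None
    try:
        doc = json.loads(line[idx + len(CEE_MARKER):])
    except ValueError:
        return None
    rec = doc.get("TNAUDIT") if isinstance(doc, dict) else None
    if not isinstance(rec, dict):
        return None
    for key in ("svc_data", "event_data"):
        val = rec.get(key)
        if isinstance(val, str):
            try:
                rec[key] = json.loads(val)
            except ValueError:
                rec[key] = {}
    return rec


def classify(rec):
    """Map one TNAUDIT record to (user, share, path, action); action is one of
    create/modify/open/read/delete/rename/failed/other."""
    ev, data, svc = rec.get("event"), rec.get("event_data") or {}, rec.get("svc_data") or {}
    path = (data.get("file") or {}).get("path")
    if not rec.get("success", False):
        action = "failed"
    elif ev == "CREATE":
        disp = (data.get("parameters") or {}).get("CreateDisposition")
        action = "create" if disp == "CREATE" else ("modify" if disp in _MODIFYING_DISPOSITIONS else "open")
    elif ev == "CLOSE":
        ops = data.get("operations") or {}
        action = "modify" if int(ops.get("write_cnt", 0)) > 0 or int(ops.get("write_bytes", 0)) > 0 else "read"
    elif ev == "UNLINK":
        action = "delete"
    elif ev == "RENAME":
        action = "rename"
    else:
        action = "other"
    return rec.get("user"), svc.get("service"), path, action


def audit_events(lines, interesting=("create", "modify", "delete", "rename")):
    """Run the parser over a batch of syslog lines and keep only file-changing events."""
    out = []
    for line in lines:
        rec = parse_tnaudit(line)
        if rec is not None:
            ev = classify(rec)
            if ev[3] in interesting:
                out.append(ev)
    return out


if __name__ == "__main__":
    for user, share, path, action in audit_events(SAMPLE_LINES):
        print(f"{action:<7} {user}@{share}: {path}")
```

Feed the function whatever the receiver (PRTG, EventLog Analyzer, rsyslog) hands you as raw message text; the plain-text smbd lines without "@cee:" are skipped, and the OPEN/read-only pairs are dropped so only the create/modify/delete/rename rows reach the report.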

These MUST NOT be set on SCALE.

Thanks, I removed these commands from the smb4.conf file.
Sorry for the question; SCALE is less complicated to use than Core.

man vfs_truenas_audit contains information about the auditing module in SCALE. UI options are described in our online documentation.