Ubuntu: rsyslog.conf only partly honored


I followed this description on how to enable audit for Samba (entry of Aug 10, 2009) and wanted to get all additionally enabled logging in a special log file (/var/log/samba/log.audit). The mentioned line local7.* /var/log/samba/log.audit I placed at the end of my existing /etc/rsyslog.conf file. It seemed a bit out of place there, but after restarting everything, the mentioned file was created, presumably by the syslog daemon, so I assumed this was working.

But it stayed at a size of 0 bytes. After creation of the file, nothing was logged there.

It took me some time but then I found that all logging was done into the default syslog file (/var/log/syslog).

I guess the config line in /etc/rsyslog.conf is correct, but somehow the way it was supposed to be addressed in the /etc/samba/smb.conf is not working.

I repeat in short what the blog above suggested to do:

Add the lines

vfs objects = full_audit    full_audit:prefix = %u|%I|%m|%S  full_audit:success = mkdir rename unlink rmdir pwrite  full_audit:failure = none  full_audit:facility = local7  full_audit:priority = NOTICE  

to the existing smb.conf and add the line

local7.*                        /var/log/samba/log.audit  

to the syslog.conf (I took my existing /etc/rsyslog.conf for this).

Can anybody tell me how to fix this so that the logging is done into the intended file /var/log/samba/log.audit?


I had the same problem until I changed the output log file location to /var/log instead of /var/log/samba. I'm not sure why, but it seems rsyslog on my system won't write a facility to a file outside /var/log.

Hope that helps, and if anyone knows how to configure ryslog to allow other locations it would be nice to know.


The /var/log/samba/log.audit file must have syslog as the owning user, and adm as the owning group.

If it is not like this, run:

sudo chown /var/log/samba/log.audit syslog:adm  

Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Next Post »