TSF – Comprehensive IT solutions for SMB businesses | HCM

P9 - TrueNAS SMB Audit Log Track All User File Activities

🚀 TrueNAS P9 – TrueNAS SMB Audit Log: Track All User File Activities (Create/Delete/Modify)

In modern IT environments, visibility and accountability are critical. This guide explains how to enable and configure TrueNAS SMB Audit Log on TrueNAS SCALE to track every file operation performed by users.

With SMB auditing enabled, you can monitor:

  • File creation

  • File deletion

  • File modification

  • File access attempts

  • Suspicious activity

This configuration is essential for system administrators who need full transparency across shared folders.

By the end of this tutorial, you will be able to monitor SMB file operations in real time and export logs into a structured CSV format for reporting or compliance purposes.


🧠 What is vfs_full_audit?

vfs_full_audit is a Samba module that records all actions (create, delete, open, write, etc.) occurring on SMB shares.

It allows you to:

• Record detailed logs of who created or deleted files
• Capture user IP address
• Track file paths
• Detect abnormal behavior
• Integrate scripts to handle prohibited files automatically

When properly configured, TrueNAS SMB Audit Log becomes a powerful security and monitoring tool.


🔧 Part 1 – Enable Full SMB Audit Log


Step 1: Add VFS Audit to SMB Configuration

Run the following command:

 
 
sudo midclt call smb.update '{"smb_options":"full_audit:prefix = %u|%I|%S\nfull_audit:success = all\nfull_audit:failure = all\nfull_audit:facility = LOCAL7\nfull_audit:priority = NOTICE"}'
 

⚠ The command must be entered as a single continuous line.

What this configuration does:

  • full_audit:prefix = %u|%I|%S → Logs username, IP, and share

  • full_audit:success = all → Logs all successful actions

  • full_audit:failure = all → Logs failed attempts

  • full_audit:facility = LOCAL7 → Sends logs to syslog under the LOCAL7 facility

  • full_audit:priority = NOTICE → Sets the syslog severity level to NOTICE

This enables complete file operation tracking.


Step 2: Restart Samba Service

 
 
sudo systemctl restart smbd
 

This applies the new audit configuration.


Step 3: Enable Audit Log in GUI

Go to the TrueNAS SCALE web interface and ensure audit logging is enabled in the SMB service settings.


Step 4: Check and Filter Logs

Example: View logs for 9 December 2025 (file deletion events only)

 
 
sudo journalctl -u smbd \
--since "2025-12-09 00:00:00" \
--until "2025-12-09 23:59:59" \
| grep TNAUDIT | grep UNLINK
 

This command:

  • Filters logs by date

  • Extracts audit entries

  • Shows only delete operations

This is extremely useful for investigating incidents or tracking specific user behavior.


📊 Part 2 – Export TrueNAS SMB Audit Log to CSV

Reading logs directly in journalctl can be difficult. This script exports audit data into a clean CSV format compatible with Excel.


Step 1: Create Script File

 
 
sudo nano /home/admin/export_smb_audit.sh
 

Paste the following content:

 
 
#!/bin/bash

OUTPUT="/home/admin/smb_audit_export.csv"

echo "timestamp,username,action,path,ip" > "$OUTPUT"

sudo journalctl -u smbd -o cat | grep TNAUDIT | while read -r line; do
    # Strip everything up to and including the @cee: marker, leaving the JSON payload
    json=$(echo "$line" | sed 's/^.*@cee://')

    timestamp=$(echo "$json" | jq -r '.TNAUDIT.time')
    username=$(echo "$json" | jq -r '.TNAUDIT.user')
    action=$(echo "$json" | jq -r '.TNAUDIT.event')
    ip=$(echo "$json" | jq -r '.TNAUDIT.addr')

    raw_event=$(echo "$json" | jq -r '.TNAUDIT.event_data')

    # If event_data is a JSON string, convert it to an object
    if echo "$raw_event" | jq empty 2>/dev/null; then
        event_json=$raw_event
    else
        event_json=$(echo "$raw_event" | jq -r 'fromjson' 2>/dev/null)
    fi

    # Get the path, if present
    path=$(echo "$event_json" | jq -r '.file.path // empty')

    # Skip entries that have no file path
    if [ -z "$path" ]; then
        continue
    fi

    # Let jq quote each field so paths containing commas, quotes or spaces
    # do not break the CSV columns
    jq -rn --arg t "$timestamp" --arg u "$username" --arg a "$action" \
        --arg p "$path" --arg i "$ip" '[$t, $u, $a, $p, $i] | @csv' >> "$OUTPUT"
done

echo "Done! File output: $OUTPUT"
 

Save and exit.


Step 2: Grant Execute Permission

 
 
sudo chmod +x /home/admin/export_smb_audit.sh
 

Step 3: Run Script to Export CSV

 
 
sudo /home/admin/export_smb_audit.sh
 

Wait about one minute.

The CSV file will be created at:

 
 
/home/admin/smb_audit_export.csv
 

You can download it via:

  • Shell → Download

  • SFTP

The CSV format is structured and easy to import into Excel for reporting and auditing.


🛡 Why TrueNAS SMB Audit Log is Important

Enabling TrueNAS SMB Audit Log provides:

✅ Full visibility of user activity
✅ Detailed file-level tracking
✅ Stronger compliance support
✅ Better troubleshooting capability
✅ Faster incident response

Without audit logging, file operations inside SMB shares are invisible.

With audit logging enabled, every action is recorded and traceable.


🏢 Best Practices for Production Environments

When deploying SMB Audit Log:

  • Enable both success and failure logging

  • Periodically export logs to external storage

  • Use log rotation to prevent log overflow

  • Monitor unusual patterns (mass delete, bulk rename)

  • Combine with file type blocking policies

Audit logging works best when integrated into your broader NAS security strategy.
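
The "mass delete" pattern from the list above can be checked directly against the TNAUDIT records this guide filters and exports. The following Python is an added example, not part of the original tutorial: it assumes the field names used by the export script (time, user, event, addr, event_data.file.path), an ISO-style timestamp, and chronologically ordered input; the function names, threshold, window and sample lines are constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_tnaudit(line):
    """Return (time, user, addr, event, path), or None for unusable lines."""
    try:
        rec = json.loads(line.split("@cee:", 1)[1])["TNAUDIT"]
        data = rec.get("event_data") or {}
        if isinstance(data, str):          # event_data may be a JSON string
            data = json.loads(data)
        path = (data.get("file") or {}).get("path")
        when = datetime.fromisoformat(rec["time"])  # assumed timestamp format
    except (ValueError, LookupError, TypeError, AttributeError):
        return None
    return when, rec.get("user"), rec.get("addr"), rec.get("event"), path

def find_mass_deletes(lines, threshold=3, window=timedelta(seconds=60)):
    """Map (user, addr) -> paths once `threshold` UNLINKs fall inside `window`."""
    recent, alerts = defaultdict(deque), {}
    for line in lines:                     # lines must be in time order
        rec = parse_tnaudit(line)
        if rec is None or rec[3] != "UNLINK" or not rec[4]:
            continue
        when, user, addr, _, path = rec
        q = recent[(user, addr)]
        q.append((when, path))
        while when - q[0][0] > window:     # drop deletes older than the window
            q.popleft()
        if len(q) >= threshold and (user, addr) not in alerts:
            alerts[(user, addr)] = [p for _, p in q]
    return alerts

def _line(ts, user, addr, event, path):    # builds one constructed sample line
    rec = {"time": ts, "user": user, "addr": addr, "event": event,
           "event_data": json.dumps({"file": {"path": path}})}
    return "@cee:" + json.dumps({"TNAUDIT": rec})

SAMPLE = [                                 # constructed data, not real logs
    _line("2025-12-09 10:00:01", "alice", "192.0.2.10", "UNLINK", "docs/a.txt"),
    _line("2025-12-09 10:00:05", "alice", "192.0.2.10", "UNLINK", "docs/b.txt"),
    _line("2025-12-09 10:00:09", "bob", "192.0.2.20", "UNLINK", "tmp/x.log"),
    "@cee:{not valid json",
    _line("2025-12-09 10:00:20", "alice", "192.0.2.10", "UNLINK", "docs/c.txt"),
    _line("2025-12-09 10:09:00", "bob", "192.0.2.20", "UNLINK", "tmp/y.log"),
    _line("2025-12-09 10:18:00", "bob", "192.0.2.20", "UNLINK", "tmp/z.log"),
]
if __name__ == "__main__":
    print(find_mass_deletes(SAMPLE))
```

In the sample, alice's three deletes within 20 seconds trigger an alert, while bob's three deletes spread over 18 minutes do not. On a live system the input would be the output of `journalctl -u smbd -o cat`.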


🎯 Final Result

After completing this setup:

  • All SMB file operations are logged

  • You can filter by date, action, or user

  • You can export logs into structured CSV

  • You gain full control and accountability

TrueNAS SMB Audit Log transforms your NAS from a simple file server into a monitored and secure storage platform.


📌 Conclusion

Configuring TrueNAS SMB Audit Log is one of the most important steps in securing shared storage environments.

With just a few commands, you can:

🔐 Track all user file activities
📊 Export structured audit reports
🛡 Detect suspicious behavior
⚡ Improve troubleshooting efficiency

If you manage SMB shares on TrueNAS SCALE, enabling audit logging is not optional — it’s essential.
