TrueNAS SCALE SMB Audit Log: Track All User File Activities (Create/Delete/Modify)
This video provides a complete guide on how to enable and configure SMB Audit Log on TrueNAS SCALE. You will learn how to track every user action such as file creation, deletion, modification, and access attempts. The tutorial also explains where audit logs are stored and how to read them clearly. This is essential for system administrators who need full visibility and accountability across shared folders. SMB auditing helps detect suspicious behavior, troubleshoot user access issues, and strengthen your NAS security. The steps are simple, up-to-date, and suitable for both beginners and advanced TrueNAS users. By following this video, you will be able to monitor all SMB file operations in real time. Watch until the end to fully understand how SMB Audit Log works and how it protects your TrueNAS environment.
vfs_full_audit is a Samba module that records all actions (create, delete, open, write…) that occur on SMB shares.
You can monitor or capture events to:
• Record detailed logs of which files were created and who created them.
• Add scripts to handle files that do not meet requirements (e.g., delete prohibited files).
1. Enable the full audit log
Step 1: Add VFS audit to SMB configuration
Run:
sudo midclt call smb.update '{"smb_options":"full_audit:prefix = %u|%I|%S\nfull_audit:success = all\nfull_audit:failure = all\nfull_audit:facility = LOCAL7\nfull_audit:priority = NOTICE"}'
The command must be entered as a single continuous line.
Step 2: Restart Samba
sudo systemctl restart smbd
Step 3: Enable the audit log in the GUI
Step 4: Check log
For example, to see only the file deletions logged on 09/12, filter by date:
sudo journalctl -u smbd \
  --since "2025-12-09 00:00:00" \
  --until "2025-12-09 23:59:59" \
  | grep TNAUDIT | grep UNLINK
2. Script to export the SMB audit log to CSV (standard, easy to read, imports into Excel)
Step 1: Create a script file:
sudo nano /home/admin/export_smb_audit.sh
Paste the following content:
#!/bin/bash
OUTPUT="/home/admin/smb_audit_export.csv"
# Write the CSV header
echo "timestamp,username,action,path,ip" > "$OUTPUT"
# Read every TNAUDIT record that smbd wrote to the journal
sudo journalctl -u smbd -o cat | grep TNAUDIT | while IFS= read -r line; do
  # Drop everything up to and including the "@cee:" marker, leaving the JSON
  json=$(echo "$line" | sed 's/^.*@cee://')
  timestamp=$(echo "$json" | jq -r '.TNAUDIT.time')
  username=$(echo "$json" | jq -r '.TNAUDIT.user')
  action=$(echo "$json" | jq -r '.TNAUDIT.event')
  ip=$(echo "$json" | jq -r '.TNAUDIT.addr')
  raw_event=$(echo "$json" | jq -r '.TNAUDIT.event_data')
  # If event_data is a JSON string, convert it to an object
  if echo "$raw_event" | jq empty 2>/dev/null; then
    event_json="$raw_event"
  else
    event_json=$(echo "$raw_event" | jq -r 'fromjson' 2>/dev/null)
  fi
  # Get the path if present
  path=$(echo "$event_json" | jq -r '.file.path // empty')
  # Skip the record if there is no file path
  if [ -z "$path" ]; then
    continue
  fi
  echo "$timestamp,$username,$action,$path,$ip" >> "$OUTPUT"
done
echo "Done! File output: $OUTPUT"
Save → exit.
Step 2: Grant execute permission
sudo chmod +x /home/admin/export_smb_audit.sh
Step 3: Run the script to export the CSV
sudo /home/admin/export_smb_audit.sh
Wait a minute for it to finish.
The CSV file will be located at:
/home/admin/smb_audit_export.csv
You can download it via Shell → Download or SFTP.
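A Python version of the same export, as an added example that is not part of the original page: it quotes fields with the csv module so a comma in a file name does not shift columns, and prefixes cells beginning with =, +, - or @ so a spreadsheet does not evaluate a user-chosen file name as a formula. It assumes the "@cee:" / TNAUDIT layout that the shell script parses; the function names and the sample records are constructed for this example.

```python
import csv
import io
import json
import sys

FIELDS = ["timestamp", "username", "action", "path", "ip"]

def parse_line(line):
    """Return one CSV row (dict) for a journal line, or None when it has no file path."""
    try:
        rec = json.loads(line.partition("@cee:")[2])["TNAUDIT"]
        data = rec.get("event_data") or {}
        if isinstance(data, str):  # event_data may arrive as a JSON-encoded string
            data = json.loads(data)
        path = data["file"]["path"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # no marker, malformed JSON or no file path: skip the line
    if not path:
        return None
    return {"timestamp": rec.get("time", ""), "username": rec.get("user", ""),
            "action": rec.get("event", ""), "path": path, "ip": rec.get("addr", "")}

def safe_cell(value):
    """Neutralise cells a spreadsheet would treat as a formula; file names are user-chosen."""
    value = str(value)
    return "'" + value if value[:1] in ("=", "+", "-", "@") else value

def export_csv(lines):
    """Return CSV text with the shell script's columns, quoted by the csv module."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for line in lines:
        row = parse_line(line)
        if row:
            writer.writerow({k: safe_cell(v) for k, v in row.items()})
    return out.getvalue()

def sample_line(user, event, path, encoded=True):
    """Constructed record in the shape the script expects; real entries carry more fields."""
    data = {"file": {"path": path}}
    rec = {"time": "2025-12-09 10:00:00", "user": user, "event": event,
           "addr": "192.0.2.10", "event_data": json.dumps(data) if encoded else data}
    return "@cee:" + json.dumps({"TNAUDIT": rec})

if __name__ == "__main__":
    demo = [sample_line("alice", "UNLINK", "docs/q3, final.xlsx"),
            sample_line("bob", "CREATE", "=1+1.txt", encoded=False)]
    sys.stdout.write(export_csv(demo if sys.stdin.isatty() else sys.stdin))
```

Run with no input, it prints the two constructed records; to export real data, pipe the journal into it, for example sudo journalctl -u smbd -o cat | grep TNAUDIT | python3 followed by the name you saved the file under.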