<synonym>debuglevel</synonym>
<description>
<para>
- The value of the parameter (a astring) allows the debug level (logging level) to be specified in the
+ The value of the parameter (a string) allows the debug level (logging level) to be specified in the
<filename moreinfo="none">smb.conf</filename> file.
</para>
<para>This parameter has been extended since the 2.2.x
series, now it allows one to specify the debug level for multiple
- debug classes. This is to give greater flexibility in the configuration
- of the system. The following debug classes are currently implemented:
+ debug classes and distinct logfiles for debug classes. This is to give
+ greater flexibility in the configuration of the system. The following
+ debug classes are currently implemented:
</para>
<itemizedlist>
<listitem><para><parameter moreinfo="none">printdrivers</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">lanman</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">smb</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">smb2</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">smb2_credits</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">rpc_parse</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">rpc_srv</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">rpc_cli</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">auth_audit</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">auth_json_audit</parameter></para></listitem>
<listitem><para><parameter moreinfo="none">kerberos</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">dsdb_audit</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">dsdb_json_audit</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">dsdb_password_audit</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">dsdb_password_json_audit</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">dsdb_transaction_audit</parameter></para></listitem>
+ <listitem><para><parameter moreinfo="none">dsdb_transaction_json_audit</parameter></para></listitem>
</itemizedlist>
+ <para>To configure the logging for specific classes to go into a different
+ file then <smbconfoption name="log file"/>, you can append
+ <emphasis>@PATH</emphasis> to the class, eg <parameter>log level = 1
+ full_audit:1@/var/log/audit.log</parameter>.</para>
+
<para>Authentication and authorization audit information is logged
- under the auth_audit, and if Samba is compiled against the jansson
- JSON library, a JSON representation is logged under
+ under the auth_audit, and if Samba was not compiled with
+ --without-json, a JSON representation is logged under
auth_json_audit.</para>
<para>Support is comprehensive for all authentication and authorisation
as well as the implicit authentication in password changes. In
the file server, NTLM authentication, SMB and RPC authorization is
covered.</para>
-
+
<para>Log levels for auth_audit and auth_audit_json are:</para>
<itemizedlist>
<listitem><para>2: Authentication Failure</para></listitem>
<listitem><para>4: Authorization Success</para></listitem>
<listitem><para>5: Anonymous Authentication and Authorization Success</para></listitem>
</itemizedlist>
-
-
+ <para>Changes to the sam.ldb database are logged
+ under the dsdb_audit and a JSON representation is logged under
+ dsdb_json_audit.</para>
+
+ <para>Password changes and Password resets are logged under
+ dsdb_password_audit and a JSON representation is logged under the
+ dsdb_password_json_audit.</para>
+
+ <para>Transaction rollbacks and prepare commit failures are logged under
+ the dsdb_transaction_audit and a JSON representation is logged under the
+ password_json_audit. Logging the transaction details allows the
+ identification of password and sam.ldb operations that have been rolled
+ back.</para>
+
+
</description>
<value type="default">0</value>
<value type="example">3 passdb:5 auth:10 winbind:2</value>
+<value type="example">1 full_audit:1@/var/log/audit.log winbind:2</value>
</samba:parameter>