s3: vfs_full_audit.c: implement negated vfs_ops in the success/failure list
[ira/wip.git] / docs-xml / manpages-3 / vfs_full_audit.8.xml
index 1d519e2e09b6aa2ec45c2932dfdb1db811a52827..9c9dc843f896e16787f6e31faa02c95b06f4b3b7 100644 (file)
                <listitem>
                <para>LIST is a list of VFS operations that should be
                recorded if they succeed. Operations are specified using
-               the names listed above.
+               the names listed above. Operations can be unset by prefixing
+               the names with "!".
                </para>
 
                </listitem>
                <listitem>
                <para>LIST is a list of VFS operations that should be
                recorded if they failed. Operations are specified using
-               the names listed above.
+               the names listed above. Operations can be unset by prefixing
+               the names with "!".
                </para>
 
                </listitem>
 
        <para>Log file and directory open operations on the [records]
        share using the LOCAL7 facility and ALERT priority, including
-       the username and IP address:</para>
+       the username and IP address. Logging excludes the open VFS function
+       on failures:</para>
 
 <programlisting>
         <smbconfsection name="[records]"/>
        <smbconfoption name="vfs objects">full_audit</smbconfoption>
        <smbconfoption name="full_audit:prefix">%u|%I</smbconfoption>
        <smbconfoption name="full_audit:success">open opendir</smbconfoption>
-       <smbconfoption name="full_audit:failure">all</smbconfoption>
+       <smbconfoption name="full_audit:failure">all !open</smbconfoption>
        <smbconfoption name="full_audit:facility">LOCAL7</smbconfoption>
        <smbconfoption name="full_audit:priority">ALERT</smbconfoption>
 </programlisting>