Apple’s Worldwide Developers Conference to kick off June 10 at 10 a.m. PDT with Keynote address

The Keynote will be available to stream on apple.com, the Apple Developer app, the Apple TV app, and the Apple YouTube channel. On-demand playback will be available after the conclusion of the stream.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: priunic
priunic Author
User level: Level 1
8 points

SMB Access Log

I'm running a Mac Mini with MacOS Server 5.3 where I host some file shares for remote and on-site users.

I would like to maintain a log of which of the users are accessing which of the shares, sort of similar to -how on the MacOS-server Logs-pane - I'm able to see who logs in remotely using the VPN Service Log.


I've looked a bit around and found this article on the subject:

Mavericks SMB/SAMBA Log?


It states that the file /System/Library/LaunchDaemons/com.apple.smbd.plist can be edited to output a debug-log of the servers SMB-shares. However in order to edit that plist-file I have to disable System Integrity Protection, which - as far as I can understand - can have pretty far-reaching consequences.


Does anyone know of another way to log users' access to SMB-file-shares ?

Mac mini, OS X Server, MacOS Server 5.3

Posted on Jul 19, 2017 1:08 AM

Reply
Question marked as Best reply
User profile for user: Strontium90
Strontium90
User level: Level 5
4,881 points

Posted on Jul 20, 2017 12:52 PM

Looks like you are looking for:


sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist LogLevel -int 1


But this is a 10.12 feature only if I recall. To turn off use a 0.


Once the value is set, you need to either stop and start the service, reboot the server, or sync the preferences (sudo /usr/libexec/smb-sync-preferences).


Then you can use the log command to watch the debug stream. I encourage you to filter the results or you will be overwhelmed with output. Something like sudo log stream --level debug --predicate 'senderImagePath endswith "smbd"' Read the log man page for more details.


Hope this helps.


Reid

Apple Consultants Network

Author - "El Capitan Server – Foundation Services"

Author - "El Capitan Server – Control & Collaboration"

Author - "El Capitan Server – Advanced Services"

:: Exclusively available in Apple's iBooks Store

View in context
2 replies
Question marked as Best reply
User profile for user: Strontium90
Strontium90
User level: Level 5
4,881 points

Jul 20, 2017 12:52 PM in response to priunic

Looks like you are looking for:


sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist LogLevel -int 1


But this is a 10.12 feature only if I recall. To turn off use a 0.


Once the value is set, you need to either stop and start the service, reboot the server, or sync the preferences (sudo /usr/libexec/smb-sync-preferences).


Then you can use the log command to watch the debug stream. I encourage you to filter the results or you will be overwhelmed with output. Something like sudo log stream --level debug --predicate 'senderImagePath endswith "smbd"' Read the log man page for more details.


Hope this helps.


Reid

Apple Consultants Network

Author - "El Capitan Server – Foundation Services"

Author - "El Capitan Server – Control & Collaboration"

Author - "El Capitan Server – Advanced Services"

:: Exclusively available in Apple's iBooks Store

Reply
User profile for user: priunic
priunic Author
User level: Level 1
8 points

Jul 20, 2017 1:19 PM in response to Strontium90

It definitely seems the command:


sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist LogLevel -int 1


started something. (I'm running server on MacOS Sierra 10.12.6)

When I run log with the filter applied I'm seeing a few entries now when I access shares with a test-user, but they don't seem to indicate anything about which share is beeing accessed or by who. I'll try to play a bit around with the filters and see if I can come up with a solution. Thank's a lot for your help getting me this far! 🙂


(I'll try to update the post if/when I manage to come up with something.)

Reply

SMB Access Log

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up