
SMB Access Log

I'm running a Mac Mini with MacOS Server 5.3 where I host some file shares for remote and on-site users.

I would like to maintain a log of which users are accessing which shares, similar to how, in the MacOS Server Logs pane, I'm able to see who logs in remotely using the VPN Service Log.


I've looked a bit around and found this article on the subject:

Mavericks SMB/SAMBA Log?


It states that the file /System/Library/LaunchDaemons/com.apple.smbd.plist can be edited to output a debug log of the server's SMB shares. However, in order to edit that plist file I have to disable System Integrity Protection, which, as far as I can understand, can have pretty far-reaching consequences.


Does anyone know of another way to log users' access to SMB file shares?

Mac mini, OS X Server, MacOS Server 5.3

Posted on Jul 19, 2017 1:08 AM

Question marked as Best reply

Posted on Jul 20, 2017 12:52 PM

Looks like you are looking for:


sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist LogLevel -int 1


But this is a 10.12 feature only if I recall. To turn off use a 0.


Once the value is set, you need to either stop and start the service, reboot the server, or sync the preferences (sudo /usr/libexec/smb-sync-preferences).


Then you can use the log command to watch the debug stream. I encourage you to filter the results or you will be overwhelmed with output. Something like:

sudo log stream --level debug --predicate 'senderImagePath endswith "smbd"'

Read the log man page for more details.


Hope this helps.


Reid

Apple Consultants Network

Author - "El Capitan Server – Foundation Services"

Author - "El Capitan Server – Control & Collaboration"

Author - "El Capitan Server – Advanced Services"

:: Exclusively available in Apple's iBooks Store
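
The steps from the reply above combined into one script, as an added example that is not part of the original thread and not Apple's tooling: it raises LogLevel, appends the filtered stream to a file, and restores the previous level when the stream stops. SMBLOG_DRYRUN, SMBLOG_OUT and the function names are assumptions made for this example; the plist path, the sync helper and the predicate are the ones quoted in the reply.

```shell
#!/bin/sh
# Added example: wraps the commands quoted in the reply above.
# SMBLOG_DRYRUN and SMBLOG_OUT are names made up for this sketch.
PLIST=/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
SYNC=/usr/libexec/smb-sync-preferences
PREDICATE='senderImagePath endswith "smbd"'
OUT=${SMBLOG_OUT:-./smbd-debug.log}

# run CMD...: execute the command, or only print it when SMBLOG_DRYRUN=1.
run() {
    if [ "${SMBLOG_DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# previous_level: print the current LogLevel, or 0 if the key is not set.
previous_level() {
    defaults read "$PLIST" LogLevel 2>/dev/null || echo 0
}

# set_level N: write LogLevel, then have the SMB service re-read its preferences.
set_level() {
    run sudo defaults write "$PLIST" LogLevel -int "$1" && run sudo "$SYNC"
}

# stream: follow smbd's debug messages and append them to $OUT.
stream() {
    if [ "${SMBLOG_DRYRUN:-0}" = 1 ]; then
        printf "sudo log stream --level debug --predicate '%s'\n" "$PREDICATE"
    else
        sudo log stream --level debug --predicate "$PREDICATE" | tee -a "$OUT"
    fi
}

# capture: raise the level, stream until interrupted, then put the old level
# back so debug logging is not left on after the session.
capture() {
    prev=$(previous_level)
    trap 'set_level "$prev"; exit 130' INT TERM
    set_level 1 || return 1
    stream
    set_level "$prev"
    trap - INT TERM
}

# Usage: sh smb-capture.sh capture   (with no argument, only defines the functions)
if [ "${1:-}" = capture ]; then capture; fi
```

Running it once with SMBLOG_DRYRUN=1 prints the commands in order without changing any preference.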


Jul 20, 2017 1:19 PM in response to Strontium90

It definitely seems the command:


sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist LogLevel -int 1


started something. (I'm running server on MacOS Sierra 10.12.6)

When I run log with the filter applied I'm seeing a few entries now when I access shares with a test-user, but they don't seem to indicate anything about which share is being accessed or by whom. I'll try to play a bit around with the filters and see if I can come up with a solution. Thanks a lot for your help getting me this far! 🙂


(I'll try to update the post if/when I manage to come up with something.)
