I have a WD My cloud 2 TB drive which I am using as NAS in my office. We keep files on that and most of user access the files in Design deptt. A file was recently edited after final changes and it got into printing with errors. Management is asking for an explanation that who made changes in files after it was placed there. I have gone through forums and haven’t found anything which says to Audit user access logs in WD my cloud. However, I have downloaded system log file from device and has multiple file which are named extension as .log. Can anyone put me in right direction to see through those logs. I can send logs if someone can help me with those.
Thanks and much appreciated if promptly responded
The log.smbd will show who is trying to access shares and whether it was successful or not. It will not show file-specific changes.
You can use the last command:
ssh to the NAS and type
it will print the last person to log in, time and the IP address (-i option) they used.
You can also use “-t” option to specify a specific date.
This command uses /var/log/wtmp file to check for logins.
Also, “stat” command shows you everything that’s known about a file (except the actual contents). You can add the -Z option to get some extra info.
There is no reliable way to get what you want
with the information gathered form above commands you can approximate and do some detective work
oen more command to your weapons @
ssh to your NAS and type
this will print all failed logs attempts for all users.
Google faillog for man guide.
Can be useful if you think someone is trying to login (UNDESIREABLES)…
Can I use folder specific detective work from these commands??
Well … you can see who logged in and at what time using “last”, The “stat” command can give you info when was the file changed, the “stat” command is file/DIR specific (Google stat man pages for comprehensive options). If you monitor these few times you should be able to get good approximation by correlating the time. Knowing your environment, what users where in, etc… (detective work) can aid you.
Since you get the IP address … you can use that to your advantage, you could probably use it as input to “tracerout” to see where it originated from, or use nmap …so many things you can do with it.
Note – none of these commands are available on any of the WD BusyBox-based shells (My Cloud G2, EX series, DL series at least…)
And I can’t recall LAST doing that anyway – it only shows who logs in via the shell, not accessing a share…
Yeah I have Gen1 (4xxxx firmware).
But you are right, I misunderstood his post, I thought his box was hacked. Sorry OP.
I know Samba has ogging option.
option to show who logged via SMB, But not sure how it works on these boxes. Maybe I’ll test it.
Can someone try this:
log level = 3
log file = /var/log/samba/%S.log
and restart as
service samba restart
This supposed to log share access but I cannot test as I am away till Friday.