Sometimes you want to have logs of who created files and deleted files and even those who opened files. Samba makes this possible but not where you’d expect. You’d probably expect to see this if you increased the log level option to a verbose enough number. It turns out that there is a vfs module that does exactly this. It logs auditing information to syslog. But remember, this information goes to syslog, not to your normal samba log files. Also note that there is a vfs module named audit and one called full_audit.
Example share definition using the auditing facility.
[web-sites] comment = "Web Sites" # turn on auditing to see what the heck is going on vfs objects = full_audit writeable = yes locking = no create mask = 0775 directory mask = 0775 force create mode = 0664 force directory mode = 0775 force user = www-data force group = www-data path = /var/www-sites/ valid users = @www-data