Доброго! Помогите понять, как обнаруживать виновников удаленных файлов? В логе /var/log/syslog сообщения от самбы вижу типа Jul 14 10:23:02 nas smbd_audit: borodin|192.168.0.119|open|ok|r|. или … |opendir|ok|r| и т.п. По какому признаку искать именно операцию удаления?

Взять конфиг самбы

[global] log file = /var/log/samba/%m

    load printers = no

    smb ports = 137 138 139 445

    interfaces = lo enp3s0

    available = no

    wins support = true

    netbios name = nas

    vfs objects = full_audit recycle

    browseable = no

    passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb

    lanman auth = yes

    ntlm auth = yes

    full_audit:prefix = %u|%I

    full_audit:success = connect, opendir, open, mkdir, rmdir, unlink, write, rename

    full_audit:failure = connect, opendir, open, mkdir, rmdir, unlink, write, rename

    full_audit:facility = local5

    full_audit:priority = notice

    server string = ***server

    default = obmen

    workgroup = workgroup

    os level = 20

    syslog = 7

    syslog only = yes

    security = user

    max log size = 50

    bind interfaces only = Yes

    log level = 1 vfs:1

    recycle:exclude = *.tmp | ~$* | *.TMP

    recycle:versions = Yes

    recycle:touch_mtime

    time server = yes

[obmennik]

    browseable = yes
    writeable = yes
    recycle: versions = Yes
    recycle: keeptree = Yes
    path = /***/***
    #acl compatibility = auto
    map acl inherit = Yes
    nt acl support = yes
    unix extensions = no
    inherit acls = Yes

inherit owner = Yes

    inherit permissions = Yes
    recycle: directory_mode = 0777
    recycle:repository = /data/recycle
    force directory mode = 0775
    force create mode = 0775
    comment = Obmennik
    public = yes
    available = yes
    valid users = @"***grp"
    write list = @"***grp"

Вот это full_audit:success = connect, opendir, open, mkdir, rmdir, unlink, write, rename а где remove ?