allinurl / goaccess

GoAccess is a real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser.
https://goaccess.io
MIT License

Nextcloud audit.log & nextcloud.log #2159

Closed bilalinamdar closed 3 years ago

bilalinamdar commented 3 years ago

Hi,

I am trying hard to get the custom log working but it always says time issue. Please check out the same log of audit.log ... later I will upload nextcloud.log (have to sanitise code so sensitive data). NEXTCLOUD 21 enabled audit feature.

{"reqId":"vKsbvI2PeHvx2GZKFyMT","level":1,"time":"2021-08-03T13:24:21+02:00","remoteAddr":"103.111.111.111","user":"--","app":"admin_audit","method":"GET","url":"/core/ajax/update.php?requesttoken=3koI9EdxZsu079B1TYExAXaKU55UzQUc87W%2BTdikAkw%3D%3A6S5epyMYFL6FoekGHOMDZg74FM4ToW5OsOL2BJXgazU%3D","message":"App \"files_accesscontrol\" enabled","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"19.0.13.1"}
{"reqId":"vKsbvI2PeHvx2GZKFyMT","level":1,"time":"2021-08-03T13:24:22+02:00","remoteAddr":"103.111.111.111","user":"--","app":"admin_audit","method":"GET","url":"/core/ajax/update.php?requesttoken=3koI9EdxZsu079B1TYExAXaKU55UzQUc87W%2BTdikAkw%3D%3A6S5epyMYFL6FoekGHOMDZg74FM4ToW5OsOL2BJXgazU%3D","message":"App \"files_automatedtagging\" enabled","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"19.0.13.1"}
{"reqId":"vKsbvI2PeHvx2GZKFyMT","level":1,"time":"2021-08-03T13:24:24+02:00","remoteAddr":"103.111.111.111","user":"--","app":"admin_audit","method":"GET","url":"/core/ajax/update.php?requesttoken=3koI9EdxZsu079B1TYExAXaKU55UzQUc87W%2BTdikAkw%3D%3A6S5epyMYFL6FoekGHOMDZg74FM4ToW5OsOL2BJXgazU%3D","message":"App \"groupfolders\" enabled","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"19.0.13.1"}
{"reqId":"vhZHyEHheqjXiCAXe2VI","level":1,"time":"2021-08-03T16:02:30+02:00","remoteAddr":"103.111.111.111","user":"admin","app":"admin_audit","method":"GET","url":"/core/preview?fileId=21741&x=32&y=32","message":"Preview accessed: \"From customer/Client/Client_Final l mycloud Soln. l  CloudScales v.2.0.pdf\" (width: \"32\", height: \"32\" crop: \"1\", mode: \"fill\")","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"21.0.3.1"}
{"reqId":"OrV38P2XWM5bhCxNLP2Y","level":1,"time":"2021-08-03T16:02:30+02:00","remoteAddr":"103.111.111.111","user":"admin","app":"admin_audit","method":"GET","url":"/core/preview?fileId=21742&x=32&y=32","message":"Preview accessed: \"From customer/client2/LPO 2030393 - myco.pdf\" (width: \"32\", height: \"32\" crop: \"1\", mode: \"fill\")","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"21.0.3.1"}
{"reqId":"Ij3HbIhgSYo4QFXPQ1Iu","level":1,"time":"2021-08-03T16:02:30+02:00","remoteAddr":"103.111.111.111","user":"admin","app":"admin_audit","method":"GET","url":"/core/preview?fileId=21675&x=32&y=32","message":"Preview accessed: \"From customer/client3/customer_balance_details (10) client3 SOA.xlsx\" (width: \"32\", height: \"32\" crop: \"1\", mode: \"fill\")","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"21.0.3.1"}
{"reqId":"Q5vfmzAvTgvsfsy7Lv8T","level":1,"time":"2021-08-03T16:02:30+02:00","remoteAddr":"103.111.111.111","user":"admin","app":"admin_audit","method":"GET","url":"/core/preview?fileId=23218&x=32&y=32","message":"Preview accessed: \"From customer/Client/4600029063 - Cloud Host Technology.pdf\" (width: \"32\", height: \"32\" crop: \"1\", mode: \"fill\")","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"21.0.3.1"}
{"reqId":"SQuTyFyt9ggAil9Jv8RM","level":1,"time":"2021-08-04T07:11:45+02:00","remoteAddr":"87.111.222.222","user":"prak@mycointl.com","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/files/prak@mycointl.com/","message":"Login successful: \"prak@mycointl.com\"","userAgent":"Mozilla/5.0 (Windows) mirall/3.2.4stable-Win64 (build 20210706) (Nextcloud, windows-10.0.19042 ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"21.0.3.1"}
{"reqId":"GnImjkzD0qTT1X36VTgV","level":1,"time":"2021-08-04T08:09:11+02:00","remoteAddr":"87.111.222.222","user":"--","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/files/tech@another.com/","message":"Login attempt: \"tech@another.com\"","userAgent":"RaiDrive/2020.11.38.0","version":"21.0.3.1"}
{"reqId":"GnImjkzD0qTT1X36VTgV","level":1,"time":"2021-08-04T08:09:11+02:00","remoteAddr":"87.111.222.222","user":"tech@another.com","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/files/tech@another.com/","message":"Login successful: \"tech@another.com\"","userAgent":"RaiDrive/2020.11.38.0","version":"21.0.3.1"}
{"reqId":"BRtZ8yg8V5miFbnE3cyF","level":1,"time":"2021-08-04T08:09:11+02:00","remoteAddr":"87.111.222.222","user":"--","app":"admin_audit","method":"OPTIONS","url":"/remote.php/dav/files/tech@another.com/","message":"Login attempt: \"tech@another.com\"","userAgent":"RaiDrive/2020.11.38.0","version":"21.0.3.1"}
{"reqId":"BRtZ8yg8V5miFbnE3cyF","level":1,"time":"2021-08-04T08:09:11+02:00","remoteAddr":"87.111.222.222","user":"tech@another.com","app":"admin_audit","method":"OPTIONS","url":"/remote.php/dav/files/tech@another.com/","message":"Login successful: \"tech@another.com\"","userAgent":"RaiDrive/2020.11.38.0","version":"21.0.3.1"}
{"reqId":"GgVWoEhThpnlrKa84YcP","level":1,"time":"2021-08-04T08:09:12+02:00","remoteAddr":"87.111.222.222","user":"--","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/files/tech@another.com/","message":"Login attempt: \"tech@another.com\"","userAgent":"RaiDrive/2020.11.38.0","version":"21.0.3.1"}
{"reqId":"GgVWoEhThpnlrKa84YcP","level":1,"time":"2021-08-04T08:09:12+02:00","remoteAddr":"87.111.222.222","user":"tech@another.com","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/files/tech@another.com/","message":"Login successful: \"tech@another.com\"","userAgent":"RaiDrive/2020.11.38.0","version":"21.0.3.1"}
{"reqId":"9AyYOjnsAQexj3SfAZpa","level":1,"time":"2021-08-04T08:09:13+02:00","remoteAddr":"87.111.222.222","user":"--","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/files/tech@another.com/","message":"Login attempt: \"tech@another.com\"","userAgent":"RaiDrive/2020.11.38.0","version":"21.0.3.1"}
{"reqId":"9AyYOjnsAQexj3SfAZpa","level":1,"time":"2021-08-04T08:09:13+02:00","remoteAddr":"87.111.222.222","user":"tech@another.com","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/files/tech@another.com/","message":"Login successful: \"tech@another.com\"","userAgent":"RaiDrive/2020.11.38.0","version":"21.0.3.1"}
{"reqId":"11K2fdcJQ6I2W64pEXJE","level":1,"time":"2021-08-04T08:27:35+02:00","remoteAddr":"87.111.222.222","user":"friend01","app":"admin_audit","method":"PROPFIND","url":"/remote.php/webdav/","message":"Login successful: \"friend01\"","userAgent":"Mozilla/5.0 (Windows) mirall/3.0.2stable-Win64 (build 20200924) (Nextcloud)","version":"21.0.3.1"}
{"reqId":"lR6g5YxBBU8kOTjZf0Yy","level":1,"time":"2021-08-04T10:00:03+02:00","remoteAddr":"87.111.222.222","user":"admin","app":"admin_audit","method":"GET","url":"/csrftoken","message":"Login successful: \"admin\"","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"21.0.3.1"}
{"reqId":"w8btWG8Bzw2T55bIAUKW","level":1,"time":"2021-08-04T10:00:04+02:00","remoteAddr":"87.111.222.222","user":"admin","app":"admin_audit","method":"GET","url":"/ocs/v2.php/apps/notifications/api/v2/notifications","message":"Login successful: \"admin\"","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"21.0.3.1"}
{"reqId":"nfZV0FJNpzODmAo7DkG2","level":1,"time":"2021-08-04T10:00:10+02:00","remoteAddr":"87.111.222.222","user":"--","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/files/BOSS/","message":"Login attempt: \"BOSS\"","userAgent":"Mozilla/5.0 (Windows) mirall/3.0.2stable-Win64 (build 20200924) (Nextcloud)","version":"21.0.3.1"}
{"reqId":"nfZV0FJNpzODmAo7DkG2","level":1,"time":"2021-08-04T10:00:11+02:00","remoteAddr":"87.111.222.222","user":"--","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/files/BOSS/","message":"Login attempt: \"BOSS\"","userAgent":"Mozilla/5.0 (Windows) mirall/3.0.2stable-Win64 (build 20200924) (Nextcloud)","version":"21.0.3.1"}
{"reqId":"nfZV0FJNpzODmAo7DkG2","level":1,"time":"2021-08-04T10:00:11+02:00","remoteAddr":"87.111.222.222","user":"BOSS","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/files/BOSS/","message":"Login successful: \"BOSS\"","userAgent":"Mozilla/5.0 (Windows) mirall/3.0.2stable-Win64 (build 20200924) (Nextcloud)","version":"21.0.3.1"}
{"reqId":"5vR0WFhuCgmX4o2Armyj","level":1,"time":"2021-08-04T11:13:04+02:00","remoteAddr":"103.111.111.111","user":"admin","app":"admin_audit","method":"PUT","url":"/apps/text/session/create","message":"File accessed: \"/Readme.md\"","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"21.0.3.1"}
{"reqId":"4upQ6nwWasYb5dtAHoQt","level":1,"time":"2021-08-04T11:28:22+02:00","remoteAddr":"103.111.111.111","user":"admin","app":"admin_audit","method":"GET","url":"/core/preview?fileId=19901&c=c9bfb4cbfdc6779125bd25fe0a05ed34&x=250&y=250&forceIcon=0&a=0","message":"Preview accessed: \"/Readme.md\" (width: \"250\", height: \"250\" crop: \"1\", mode: \"fill\")","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"21.0.3.1"}
{"reqId":"8r4uWpNbl6QLTNCqormT","level":1,"time":"2021-08-04T11:28:28+02:00","remoteAddr":"103.111.111.111","user":"admin","app":"admin_audit","method":"GET","url":"/remote.php/webdav/Readme.md?downloadStartSecret=z8a0j494be","message":"File accessed: \"/Readme.md\"","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"21.0.3.1"}
{"reqId":"mTiU1n2wicYGgsX4H9lf","level":1,"time":"2021-08-03T16:02:30+02:00","remoteAddr":"103.111.111.111","user":"admin","app":"admin_audit","method":"PUT","url":"/apps/text/session/create","message":"File accessed: \"/Readme.md\"","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"21.0.3.1"}
{"reqId":"Yh49COoOP97TvzdEORq3","level":1,"time":"2021-08-04T11:26:26+02:00","remoteAddr":"103.111.111.111","user":"admin","app":"admin_audit","method":"POST","url":"/apps/text/session/sync","message":"File updated: \"/Readme.md\"","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"21.0.3.1"}
{"reqId":"Yh49COoOP97TvzdEORq3","level":1,"time":"2021-08-04T11:26:26+02:00","remoteAddr":"103.111.111.111","user":"admin","app":"admin_audit","method":"POST","url":"/apps/text/session/sync","message":"File written to: \"/Readme.md\"","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36","version":"21.0.3.1"}

bilalinamdar commented 3 years ago

Till now I have tried this:

goaccess audit.log --log-format='{"reqId":"%^","level":"%^","time":"%dT%t","remoteAddr":"%h","user":"%e","app":"%^","method":"%m","url":"%U","message":"%^","userAgent":"%u"}' --date-format=%F --time-format=%T%Z

It sort of works, but I need message":"*" to understand what activity is being conducted. Don't know if that will work, as I do not want Nginx, apache like output; I want a custom output.

Example output: request ID, datetime, IP, username, message, url

That's it, nothing else.

allinurl commented 3 years ago

Give this a shot, it should work:

# goaccess access.log --log-format='{"time": "%dT%t+%^", "remoteAddr": "%h", "user": "%e", "method": "%m", "url": "%U", "message": "%v", "userAgent": "%u"}' --date-format=%Y-%m-%d --time-format=%T --http-protocol=no
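
An added example, not part of the thread and not GoAccess or Nextcloud code: a small Python parser that produces the six columns asked for above (request ID, datetime, IP, username, message, url) from audit.log lines in the shape shown in the issue. The sample lines are constructed, and reporting a "Login attempt" that has no "Login successful" on the same reqId is an assumption based only on the pairs visible in the posted log.

```python
import json
from datetime import datetime

# Constructed sample in the audit.log shape from the issue (all values made up).
SAMPLE = r'''
{"reqId":"reqA","level":1,"time":"2021-08-04T08:09:11+02:00","remoteAddr":"192.0.2.10","user":"--","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/files/alice/","message":"Login attempt: \"alice\"","userAgent":"ExampleClient/1.0","version":"21.0.3.1"}
{"reqId":"reqA","level":1,"time":"2021-08-04T08:09:11+02:00","remoteAddr":"192.0.2.10","user":"alice","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/files/alice/","message":"Login successful: \"alice\"","userAgent":"ExampleClient/1.0","version":"21.0.3.1"}
{"reqId":"reqB","level":1,"time":"2021-08-04T08:10:02+02:00","remoteAddr":"198.51.100.7","user":"--","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/files/bob/","message":"Login attempt: \"bob\"","userAgent":"ExampleClient/1.0","version":"21.0.3.1"}
{"reqId":"reqC","level":1,"time":"2021-08-04T11:13:04+02:00","remoteAddr":"192.0.2.10","user":"alice","app":"admin_audit","method":"PUT","url":"/apps/text/session/create","message":"File accessed: \"/Readme.md\"","userAgent":"ExampleClient/1.0","version":"21.0.3.1"}
{"reqId":"reqD","level":1,"time":"2021-08-04T11:
'''

FIELDS = ("reqId", "time", "remoteAddr", "user", "message", "url")

def parse_audit(text):
    """Yield the six wanted fields per valid line; skip blank, truncated or non-JSON lines."""
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            rec = json.loads(line)
            datetime.fromisoformat(rec["time"])  # ISO 8601 with offset, e.g. +02:00
        except (ValueError, KeyError, TypeError):
            continue
        yield {k: str(rec.get(k, "-")) for k in FIELDS}

def unmatched_login_attempts(rows):
    """Return the first 'Login attempt' row of each reqId that never logs a success.
    Assumption: attempt and success for one request share a reqId, as in the issue."""
    rows = list(rows)
    ok = {r["reqId"] for r in rows if r["message"].startswith("Login successful:")}
    seen, out = set(), []
    for r in rows:
        if r["message"].startswith("Login attempt:") and r["reqId"] not in ok | seen:
            seen.add(r["reqId"])
            out.append(r)
    return out

def to_tsv(rows):
    """Render rows as tab-separated lines in FIELDS order."""
    return ["\t".join(r[k] for k in FIELDS) for r in rows]

if __name__ == "__main__":
    parsed = list(parse_audit(SAMPLE))
    print(*to_tsv(parsed), sep="\n")
    for r in unmatched_login_attempts(parsed):
        print("attempt without success:", r["remoteAddr"], r["message"])
```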

bilalinamdar commented 3 years ago

Hey thx, didn't expect a quick response.. yes it is working gr8! thx