Using the audit log
Setup
- Enable the app 'Audit / Logging' from the app store or run
php occ app:enable admin_auditfrom the console. - If loglevel in config.php is set to 2 or higher, audit logging needs to be triggered explicitly by adding the following setting to config.php:
'log.condition' => [ 'apps' => ['admin_audit'], ], - If required, the name and path of the audit log file can be customized by using the following command (see default here):
php occ config:app:set admin_audit logfile --value=/var/log/nextcloud/audit.log
Logged events
Files
- File
- created
- accessed
- updated
- renamed
- copied
- removed
- deleted
- File version
- restored
- deleted
- File shared with/unshared from (including set permissions and expiration date)
- user
- group
- public link
- email recipient
- Talk conversation
- Circle
- remote user (federation)
- remote group
- Share permissions changed
- Password of public share changed
- Expiration date changed
- Public share having been accessed
- Trashbin
- file deleted from trashbin
- file restored from trashbin
- Image preview accessed
Authentication
- Login successful/failed
- Two Factor login attempt successful/failed
- Logout
User management
- User created/deleted
- User enabled/disabled
- Email address changed
- Password changed
- UserID assigned/unassigned
- Group created/deleted
- User added to/removed from group
Apps management
- App enabled/disabled
- App limited to user groups
Console
- Console command executed
JSON log structure
{
"reqId": "string", // Unique request ID
"level": number, // Log severity level (1 = info)
"time": "ISO8601 timestamp",// Timestamp of the event
"remoteAddr": "IP address", // IP address of the client making the request
"user": "string", // Username performing the action
"app": "string", // Nextcloud app/component generating the log (e.g., "admin_audit")
"method": "string", // HTTP method used (GET, POST, PUT, PROPFIND, etc.)
"url": "string", // Requested URL path
"message": "string", // Human-readable description of the event
"userAgent": "string", // Client user-agent string
"version": "string", // Nextcloud version string
"data": { // Additional structured data (may vary)
"app": "string"
}
}
Log analysis
Nextcloud does not offer any UI for analyzing the audit log.
Using logs is dependent on the infrastructure of the customer like e.g. SIEM, Splunk, ...
One example reference using Grafana + Loki is shown here (not affiliated with Nextcloud) https://grafana.com/grafana/dashboards/17821-nextcloud-logs/
Subscriber exclusive content
A Nextcloud Enterprise Subscription provides unlimited access to our knowledge base articles and direct access to Nextcloud engineers.