All Categories
  • 1st Steps
  • Authentication
  • Branding
  • Changelogs
  • Collaboration
  • Compliance
  • Customization
  • Desktop Client
  • External Storage
  • Frequently Asked Questions
  • Installation
  • Migrations
  • Mobile Clients
  • Nextcloud Context Chat
  • Nextcloud Flow (Windmill integration)
  • Nextcloud Talk
  • Operations
  • Partner Products
  • Roundcubemail
  • Scalability
  • Security
  • Using the audit log

    Setup

    • Enable the app 'Audit / Logging' from the app store or run php occ app:enable admin_audit from the console.
    • If loglevel in config.php is set to 2 or higher, audit logging needs to be triggered explicitly by adding the following setting to config.php:
      'log.condition' => [
              'apps' => ['admin_audit'],
      ],
      
    • If required, the name and path of the audit log file can be customized by using the following command (see default here):
      php occ config:app:set admin_audit logfile --value=/var/log/nextcloud/audit.log
      

    Logged events

    Files

    • File
      • created
      • accessed
      • updated
      • renamed
      • copied
      • removed
      • deleted
    • File version
      • restored
      • deleted
    • File shared with/unshared from (including set permissions and expiration date)
      • user
      • group
      • public link
      • email recipient
      • Talk conversation
      • Circle
      • remote user (federation)
      • remote group
    • Share permissions changed
    • Password of public share changed
    • Expiration date changed
    • Public share having been accessed
    • Trashbin
      • file deleted from trashbin
      • file restored from trashbin
    • Image preview accessed

    Authentication

    • Login successful/failed
    • Two Factor login attempt successful/failed
    • Logout

    User management

    • User created/deleted
    • User enabled/disabled
    • Email address changed
    • Password changed
    • UserID assigned/unassigned
    • Group created/deleted
    • User added to/removed from group

    Apps management

    • App enabled/disabled
    • App limited to user groups

    Console

    • Console command executed

    JSON log structure

    {
      "reqId": "string",          // Unique request ID
      "level": number,            // Log severity level (1 = info)
      "time": "ISO8601 timestamp",// Timestamp of the event
      "remoteAddr": "IP address", // IP address of the client making the request
      "user": "string",           // Username performing the action
      "app": "string",            // Nextcloud app/component generating the log (e.g., "admin_audit")
      "method": "string",         // HTTP method used (GET, POST, PUT, PROPFIND, etc.)
      "url": "string",            // Requested URL path
      "message": "string",        // Human-readable description of the event
      "userAgent": "string",      // Client user-agent string
      "version": "string",        // Nextcloud version string
      "data": {                   // Additional structured data (may vary)
        "app": "string"
      }
    }
    

    Log analysis

    Nextcloud does not offer any UI for analyzing the audit log.
    Using logs is dependent on the infrastructure of the customer like e.g. SIEM, Splunk, ...

    One example reference using Grafana + Loki is shown here (not affiliated with Nextcloud) https://grafana.com/grafana/dashboards/17821-nextcloud-logs/