Audit Logging (Russian text)

Support Info

Nextcloud version: 13.0.6
Operating system: CentOS 7 x64 3.10.0-862.11.6.el7.x86_64
Apache version: 2.4.6
PHP version: 7.0.31
Database: MySQL
Backend: Active Directory (LDAP) Windows Server 2012 R2

Hi everyone, from Russia!
I searched the forum for similar topics and did not find an answer to my question.
That’s why I’m here.
For security reasons, I need to know - who, when and what folder was made public.
For example:

  1. User A shares folder TEST via link
  2. User A sends the link to User B (or someone on the Internet)
  3. User B opens the link
  4. User B downloads information from the link
  5. Administrator C did not see this process, but had to see it

I tried to use the "Activities for shared file downloads, visible to all admins" application, but without luck. The application shows only my shared folder, not all of them. I wrote to the author of this application, Joas Schilling, and gave some feedback about audit logging.
I learned that the entire activity log is written to the database, that’s why I do not see this in nextcloud.log.
Well, I turned on this option in my config.php:
'loglevel' => 1,
My nextcloud.log started to grow right before my eyes, but OK, I can rotate the log.
Finally, I saw entries in the log about creating a shared folder like this:

{"reqId":"W5E@m-qk0MbcCNRGdX2uSgAAAAA","level":1,"time":"2018-09-06T14:50:04+00:00","remoteAddr":"178.159.255.96","user":"9FFB3133-EF03-40E1-9F7F-58C9EFF0063A","app":"admin_audit","method":"POST","url":"\/ocs\/v2.php\/apps\/files_sharing\/api\/v1\/shares?format=json","message":"The folder \"\/NEWSHARE\" with ID \"13197\" has been shared via link with permissions \"1\" (Share ID: 31)","userAgent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko\/20100101 Firefox\/61.0","version":"13.0.6.1"}
{"reqId":"W5Il@5wZkED@GVAHhrqE1QAAAAU","level":1,"time":"2018-09-07T07:17:16+00:00","remoteAddr":"178.159.255.96","user":"9FFB3133-EF03-40E1-9F7F-58C9EFF0063A","app":"admin_audit","method":"POST","url":"\/ocs\/v2.php\/apps\/files_sharing\/api\/v1\/shares?format=json","message":"The folder \"\/\u041f\u0410\u041f\u041a\u0410\" with ID \"13208\" has been shared via link with permissions \"1\" (Share ID: 33)","userAgent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko\/20100101 Firefox\/61.0","version":"13.0.6.1"}

Next I tried to do:

LOG=/var/www/nextcloud/data/nextcloud.log
grep " shared" "$LOG" | awk -F\" '{print $8" "$10" "$18" "$35}' | sed 's,\\/,,g' | sed 's/.$//'

and get this:

time 2018-09-06T14:51:04+00:00 9FFB3133-EF03-40E1-9F7F-58C9EFF0063A NEWSHARE
time 2018-09-07T07:17:16+00:00 9FFB3133-EF03-40E1-9F7F-58C9EFF0063A \u041f\u0410\u041f\u041a\u0410

OK. Look at the third field, like 9FFB3133-EF03-40E1-9F7F-58C9EFF0063A - it’s my Active Directory user GUID, and I must use this command line to find who it is:

GUID=9FFB3133-EF03-40E1-9F7F-58C9EFF0063A
OCC="/var/www/nextcloud/occ"
sudo -u apache php "$OCC" user:list | grep "$GUID" | awk '{print $3,$4,$5}'

This is:

Иван Иванович Иванов

Next, go to the fourth field - we see the name of the folder, like NEWSHARE and \u041f\u0410\u041f\u041a\u0410.
The latter is the name of a folder in Russian text:

\u041f\u0410\u041f\u041a\u0410

should look like

ПАПКА

And at this point I do not understand how to:

  1. For every third field containing the user name in my log, run a command:
    sudo -u apache php "$OCC" user:list | grep "$GUID" | awk '{print $3,$4,$5}'
  2. For every fourth field containing the name of the folder in Russian in my log, replace the characters with Russian characters. For example, u0410 is actually the Russian letter A
  3. Collect everything together.

Instead of:

time 2018-09-06T14:51:04+00:00 9FFB3133-EF03-40E1-9F7F-58C9EFF0063A NEWSHARE
time 2018-09-07T07:17:16+00:00 9FFB3133-EF03-40E1-9F7F-58C9EFF0063A \u041f\u0410\u041f\u041a\u0410

Get something like this:

time 2018-09-06T14:51:04+00:00 Иван Иванович Иванов NEWSHARE
time 2018-09-07T07:17:16+00:00 Иван Иванович Иванов ПАПКА

I hope someone has already solved this problem and can tell me the answer.

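One way to do the three steps asked about above with a JSON parser instead of awk and sed, as an added example that is not part of the original post. The function names are hypothetical, the `  - uid: display name` layout of `occ user:list` output and the `file` variant of the audit message are assumptions, and the sample input is constructed from the entries quoted in the post.

```python
import json
import re

# Message layout taken from the admin_audit entries quoted in the post;
# accepting "file" as well as "folder" is an assumption.
SHARE_RE = re.compile(
    r'The (?:file|folder) "(?P<path>.*)" with ID "\d+" has been shared '
    r'via link with permissions "\d+" \(Share ID: (?P<share>\d+)\)$')

def parse_user_list(text):
    """uid -> display name, assuming `occ user:list` prints "  - uid: name"."""
    names = {}
    for line in text.splitlines():
        m = re.match(r"\s*-\s+(\S+):\s+(.*\S)", line)
        if m:
            names[m.group(1)] = m.group(2)
    return names

def link_shares(lines, names):
    """Return (time, who, path, share_id) for each link-share audit entry."""
    found = []
    for line in lines:
        try:
            entry = json.loads(line)  # also decodes \uXXXX and \/ escapes
        except ValueError:
            continue                  # skip truncated or non-JSON lines
        if not isinstance(entry, dict) or entry.get("app") != "admin_audit":
            continue
        m = SHARE_RE.match(str(entry.get("message", "")))
        if m:
            uid = entry.get("user", "")
            found.append((entry.get("time"), names.get(uid, uid),
                          m.group("path"), int(m.group("share"))))
    return found

# Constructed sample input: shortened entries in the post's log format.
GUID = "9FFB3133-EF03-40E1-9F7F-58C9EFF0063A"
USER_LIST = "  - " + GUID + ": Иван Иванович Иванов\n  - admin: admin\n"
SAMPLE_LOG = [
    r'{"time":"2018-09-06T14:50:04+00:00","user":"%s","app":"admin_audit","message":"The folder \"\/NEWSHARE\" with ID \"13197\" has been shared via link with permissions \"1\" (Share ID: 31)"}' % GUID,
    r'{"time":"2018-09-07T07:17:16+00:00","user":"%s","app":"admin_audit","message":"The folder \"\/\u041f\u0410\u041f\u041a\u0410\" with ID \"13208\" has been shared via link with permissions \"1\" (Share ID: 33)"}' % GUID,
    '{"time":"2018-09-07T07:20:00+00:00","user":"admin","app":"core","message":"unrelated entry"}',
    '{"time":"2018-09-07T07:2',  # truncated line, e.g. cut by log rotation
]

if __name__ == "__main__":
    for when, who, path, share_id in link_shares(SAMPLE_LOG, parse_user_list(USER_LIST)):
        print("time", when, who, path)
```

On a real server the two inputs would be the lines of nextcloud.log and the text printed by the `occ user:list` command from the post; a GUID missing from the user list is reported as-is rather than dropped.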