Help understanding audit logs: unauthorized access, impersonation or public share?

Hello,

I’m investigating two admin audit log entries from our Nextcloud instance (v28.0.6.2) involving two different user accounts, and I’m trying to determine if this could be a case of unauthorized access.

Both logs occurred just a few seconds apart and originate from the same internal IP address (172.29.8.209), which raised the following concern:
Could it be that user A somehow impersonated user B or accessed their files without proper authorization? Or is this more likely just a regular access via a public share link?

Here are the two entries:

From user A:

{"reqId":"[redacted]","level":1,"time":"2024-06-18T17:10:21+02:00","remoteAddr":"172.29.8.209","user":"--","app":"admin_audit","method":"GET","url":"/index.php/s/[token]","message":"The shared file with the token \"[token]\" by \"[UUID-1]\" has been accessed.","userAgent":"[browser info]","version":"28.0.6.2","data":{"app":"admin_audit"}}

From user B:

{"reqId":"[redacted]","level":1,"time":"2024-06-18T17:10:24+02:00","remoteAddr":"172.29.8.209","user":"--","app":"admin_audit","method":"POST","url":"/index.php/apps/richdocuments/token","message":"File accessed: \"/[UUID-2]/files/[path]/Sidel - Octeville-sur-Mer.pdf\"","userAgent":"[browser info]","version":"28.0.6.2","data":{"app":"admin_audit"}}

My specific questions are:

  1. Could this timing and shared IP suggest that user A accessed user B’s files by impersonating them?
  2. Or is this expected behavior when accessing a file through a public share link (token-based)?
  3. What exactly does the UUID in the first log entry (e.g., "UUID-1") refer to? Is it the internal user ID of the sharing user?

Thanks a lot for your insights — we want to make sure there hasn’t been any misuse or misconfiguration.

Hello @AlixANNERAUD,

welcome to the Nextcloud community! :handshake:

I can’t help with the exact interpretation of the process. I would recommend you try out some use-cases and review the logs.

The index.php/s portion of the first log makes me think there is a share (use search to find topics on how to list active shares etc.) which was accessed through office (which is the richdocuments app) - this involves access to a file from another system, which might result in a second log line.

Another hint makes me struggle :thinking: - you seem to be a security-aware user, as you monitor and take action on audit logs - NC28 has been out of support for ages, please upgrade to a supported version ASAP!

Hi, thanks for your reply!

After further investigation, I discovered that User A is actually the one who created the public share link, while User B is the owner of the folder where the shared documents are stored.

However, what I still don’t understand is why these two log entries appear under both user accounts.
I would have expected the access to only show under User A (as the sharer) or User B (as the owner), but not both.

Do you know if this is expected behavior? Or could it be that Nextcloud logs the access under both for traceability?

Thanks again for your help!

I can’t tell you if this is expected. Check whether you can find related docs.
It’s possible both records are required to show what exactly happened:

  • one to show the access to the share
  • another for the effective file

Maybe the second record reflects opening the file through the Rich Documents app. It is 3 sec apart, so it doesn’t look like exactly the same action.
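As an added example (not part of this thread, and not Nextcloud's own code), a small Python script that parses admin_audit JSON lines like the two above and pairs each public-share token access with file accesses from the same remoteAddr within a short window, so the share-token entry and the richdocuments file-access entry can be reviewed as one event and a file access with no matching share hit stands out for a closer look. The token, UUIDs, paths and reqIds in the sample lines are constructed placeholders; the window of 30 seconds is an assumption.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample admin_audit lines modelled on the thread's two entries
# (token, UUIDs, paths and reqIds are placeholders; a third, unrelated line is added).
SAMPLE_LOG = r'''
{"reqId":"r1","level":1,"time":"2024-06-18T17:10:21+02:00","remoteAddr":"172.29.8.209","user":"--","app":"admin_audit","method":"GET","url":"/index.php/s/TOKEN1","message":"The shared file with the token \"TOKEN1\" by \"UUID-1\" has been accessed.","userAgent":"ua","version":"28.0.6.2","data":{"app":"admin_audit"}}
{"reqId":"r2","level":1,"time":"2024-06-18T17:10:24+02:00","remoteAddr":"172.29.8.209","user":"--","app":"admin_audit","method":"POST","url":"/index.php/apps/richdocuments/token","message":"File accessed: \"/UUID-2/files/docs/report.pdf\"","userAgent":"ua","version":"28.0.6.2","data":{"app":"admin_audit"}}
{"reqId":"r3","level":1,"time":"2024-06-18T17:25:00+02:00","remoteAddr":"10.0.0.5","user":"--","app":"admin_audit","method":"POST","url":"/index.php/apps/richdocuments/token","message":"File accessed: \"/UUID-2/files/docs/other.pdf\"","userAgent":"ua","version":"28.0.6.2","data":{"app":"admin_audit"}}
'''

SHARE_RE = re.compile(r'token "([^"]+)" by "([^"]+)"')        # public link hit: token + sharer id
FILE_RE = re.compile(r'File accessed: "/([^/]+)/files/(.+)"')  # file hit: owner id + path

def parse_events(text):
    """Turn admin_audit JSON lines into dicts, classifying share and file accesses."""
    events = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        rec = json.loads(line)
        ev = {"time": datetime.fromisoformat(rec["time"]), "ip": rec["remoteAddr"],
              "user": rec["user"], "method": rec["method"], "url": rec["url"], "kind": "other"}
        if m := SHARE_RE.search(rec["message"]):
            ev.update(kind="share", token=m.group(1), sharer=m.group(2))
        elif m := FILE_RE.search(rec["message"]):
            ev.update(kind="file", owner=m.group(1), path=m.group(2))
        events.append(ev)
    return events

def correlate(events, window=timedelta(seconds=30)):
    """Pair each file access with the most recent share-token access from the same
    IP within `window`. Returns (pairs, unpaired): unpaired file accesses have no
    public-link hit explaining them and deserve a closer look."""
    shares = [e for e in events if e["kind"] == "share"]
    pairs, unpaired = [], []
    for f in (e for e in events if e["kind"] == "file"):
        cands = [s for s in shares if s["ip"] == f["ip"]
                 and timedelta(0) <= f["time"] - s["time"] <= window]
        if cands:
            s = max(cands, key=lambda s: s["time"])
            pairs.append({"ip": f["ip"], "token": s["token"], "sharer": s["sharer"],
                          "owner": f["owner"], "path": f["path"],
                          "delta_s": (f["time"] - s["time"]).total_seconds(),
                          # "--" in the user field: no logged-in user in either entry
                          "anonymous": s["user"] == "--" and f["user"] == "--"})
        else:
            unpaired.append(f)
    return pairs, unpaired
```

On the sample lines, the pair ties the sharer id from the token entry (UUID-1) to the owner id from the file path (UUID-2) three seconds later, which is the "sharer and owner are different accounts" picture the thread ends up with; the third line has no share hit from its IP and is returned as unpaired.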