I have tried w, who and last and I only get my own IP-adress even though I know there are more active users.
Is it possible to find out if a non-user is logged in to the server, ie if it has been hacked?
I have NC16.0.5 nginx
In my Experience the best way for this task is to use serverlog files of your webserver not harming Nextcloud with this. I am using Matomo with direct logfile import on another server. Works pretty good and sends me predefined alarms e.g. if someone connects from outside of EU.
But i am sure there is better software and log-analysis software out there.
OK. What do you mean with “direct logfile import on another server”? Do you set up a server on its own for Matomo? I could do that on a NAS. Can you give more details how you did it?
In Matomo you have several possibilities to track users (tracking script, blindpixel, logfiles). The Nextcloud Matomo App uses a script for instance. But only direct import of server logfiles is the mildest form of tracking regarding data protection and of course in getting valid numbers.
So yes, I have a Matomo Server running on another server. Via cronjob & rsync all logfiles are pushed from the Nextcloud Server and all Application Servers, Webservers etc. of mine.
One of the dashboards of the Splunk App for Nextcloud will give you information about who logged in, when and from where.
https://splunkbase.splunk.com/app/3398/
However, it is a challenge to define what constitutes a “currently logged in user”. The Nextcloud log files (which the Splunk app analyses") do tell you when someone logs in or out. But if someone just closes their browser there is no way to see if they still have a valid session or not.
Thanks a lot. Splunk seems a good alternative.
Just now I want to find out manually about the individuals that have logged in. However it is not clear to me what log-files to use.
According to the Splunk documentation "Nextcloud writes log entries for successful logins in the audit.log whereas log entries for failed logins are written to Nextcloud.log
In my installation the /var/nc_data/audit .log is empty - no entries at all.
I get the impression that the entries in /var/nc_data/nextcloud.log may include failed registrations but there are certainly also non-failed entries. I may have misunderstood the Splunk documentation.
I wonder about other log-files. I found entries that seems useful in /var/log/nginx/nextcloud.access.log What is the difference between this and the /var/nc_data/nextcloud.log?
And I wonder why the w, who and last commands only gives me my own IP-adress although I know other users from other IP-adresses are logged in to Nextcloud. But maybe these commands only gives those who have accessed the server through ssh?