Hi,
I install and try impersonate apps. When I test ,as an admin user, with a user , User1, I saw that audit log didn’t have a record about impersonation action. All activites about test user. Logs shown below. As you see seems like user doing something, not doing by usiing User1. I think this is a audit gap.
Regards,
{“reqId”:“YCUfxPLRABOwixXUdY1zBgAAAAc”,“level”:1,“time”:“11.02.2021, 12:15:00”,“remoteAddr”:“10.251.15.100”,“user”:“User1”,“app”:“admin_audit”,“method”:“GET”,“url”:“/nextcloud/index.php/core/preview?fileId=493&x=1920&y=1080&a=true”,“message”:“Preview accessed: "/Nextcloud.png" (width: "1920", height: "1080" crop: "", mode: "fill")”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36”,“version”:“20.0.7.1”}
{“reqId”:“YCUfxFTZ4Y5@x1f3H4EfzgAAAAU”,“level”:1,“time”:“11.02.2021, 12:15:00”,“remoteAddr”:“10.251.15.100”,“user”:"User1",“app”:“admin_audit”,“method”:“GET”,“url”:“/nextcloud/remote.php/dav/files/User1/Nextcloud%20intro.mp4”,“message”:“File accessed: "/Nextcloud intro.mp4"”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36”,“version”:“20.0.7.1”}
{“reqId”:“YCUfxXpEs4EkfEhZ6EWuQAAAAAk”,“level”:1,“time”:“11.02.2021, 12:15:01”,“remoteAddr”:“10.251.15.100”,“user”:“User1”,“app”:“admin_audit”,“method”:“GET”,“url”:“/nextcloud/remote.php/dav/files/User1/Nextcloud%20intro.mp4”,“message”:“File accessed: "/Nextcloud intro.mp4"”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36”,“version”:“20.0.7.1”}