Impersonate activity not showing in audit log

Hi,
I install and try impersonate apps. When I test ,as an admin user, with a user , User1, I saw that audit log didn’t have a record about impersonation action. All activites about test user. Logs shown below. As you see seems like user doing something, not doing by usiing User1. I think this is a audit gap.
Regards,

{“reqId”:“YCUfxPLRABOwixXUdY1zBgAAAAc”,“level”:1,“time”:“11.02.2021, 12:15:00”,“remoteAddr”:“10.251.15.100”,“user”:“User1”,“app”:“admin_audit”,“method”:“GET”,“url”:"/nextcloud/index.php/core/preview?fileId=493&x=1920&y=1080&a=true",“message”:“Preview accessed: “/Nextcloud.png” (width: “1920”, height: “1080” crop: “”, mode: “fill”)”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36”,“version”:“20.0.7.1”}

{“reqId”:“YCUfxFTZ4Y5@x1f3H4EfzgAAAAU”,“level”:1,“time”:“11.02.2021, 12:15:00”,“remoteAddr”:“10.251.15.100”,“user”:"User1",“app”:“admin_audit”,“method”:“GET”,“url”:"/nextcloud/remote.php/dav/files/User1/Nextcloud%20intro.mp4",“message”:"File accessed: “/Nextcloud intro.mp4"”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36”,“version”:“20.0.7.1”}

{“reqId”:“YCUfxXpEs4EkfEhZ6EWuQAAAAAk”,“level”:1,“time”:“11.02.2021, 12:15:01”,“remoteAddr”:“10.251.15.100”,“user”:“User1”,“app”:“admin_audit”,“method”:“GET”,“url”:"/nextcloud/remote.php/dav/files/User1/Nextcloud%20intro.mp4",“message”:"File accessed: “/Nextcloud intro.mp4"”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36”,“version”:“20.0.7.1”}

Afaik, the app works as expected and described. You will find an information about a person caling the impersonate function at least in the main log file:

{"reqId":"mKiWyLkDoaVsyvS0sGOY","level":2,"time":"2021-02-11 14:50:24+01:00","remoteAddr":"192.168.0.100","user":"tom","app":"impersonate","methd":"POST","url":"/index.phprsonate/user","message":"User tom trying to impersonate user marry","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0","version":"20.0.7.1"}
{"reqId":"mKiWyLkDoaVsyvS0sGOY","level":2,"time":"2021-02-11 14:50:24+01:00","remoteAddr":"192.168.0.100","user":"tom","app":"impersonate","method":"POST","url":"/index.phprsonate/user","message":"Changing to user marry","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0","version":"20.0.7.1"}

Note:

  • While impersonate actions are logged note that actions performed impersonated will be logged as the impersonated user.
1 Like

Thank you for your quick answer. Yes, you right, I didn’t think to look at nextcloud.log. But, in an audit case for user, we look audit.log right? It is an Because if I was an auditor and examined what user do, I looked at audit.log. those impersonate logs place in audit.log looks more tidy. In my opinion at leasr :slight_smile:
Anyway, it is a knowledge for me. In a case, I will look at owncloud.log.
Regards,

You can always create a feature request in the Impersonate app repository to get this activity logged to the audit.log too :wink: