Is there any admin_audit parameter to filter or limit events to be logged?

I’ve properly enabled the admin_audit app and configured both logfile and logfile_audit to have separate app logs (just for errors) and audit logs (for user and file events)

  'loglevel' => 3,
  'log_type' => 'file',
  'logfile' => '/var/www/nextcloud/data/nextcloud.log',
  'log_type_audit' => 'file',
  'logfile_audit' => '/var/www/nextcloud/data/audit.log',
  'log.condition' => [
        'apps' => ['admin_audit'],
  ],

I’m just a bit annoyed about the huge amount of events that are recorded by audit log (for example, every preview, new folder). As I have the activity app enabled, is there any config parameter to filter the events that can be recorded? For example, just user login/logouts.

— EDIT POST-SOLUTION —
Although I’ve marked as the solution the post that exactly matches the topic of the question, perhaps you should review the alternative of parsing the logs with jq instead of modifying the app source code. Anyway, thanks to @ernolf for his kind help.

I don’t think there is a way to filter specific events for the audit log - usually you want to have as much data in the audit log as possible. I think it is best to limit the events in your post-process task - e.g. it’s more or less easy to filter JSON input like audit.log with the jq command.

The audit.log is, like the nextcloud.log, in JSON format.

The great thing about json is its filterability. The command-line JSON processor jq is needed for this.

Here are some examples:

Follow the audit.log in a compact format, beginning with the last 100 lines:

tail -Fn 100 /path/to/audit.log | jq -r '[.time, .remoteAddr, .user, .method, .url, .message, .userAgent] | join(" - ")'
# only login and logout messages:
tail -F /path/to/audit.log | jq -r 'select(.message | test("Login|Logout")) | [.time, .remoteAddr, .user, .method, .url, .message, .userAgent] | join(" - ")'

All messages but console commands:

tail -F /path/to/audit.log | jq -r 'select(.message | test("Console command executed") | not) | [.time, .remoteAddr, .user, .method, .url, .message, .userAgent] | join(" - ")'

The filter possibilities are endless.

Instead of tail -F to follow the log entries live, or tail -n $number_of_lines for a certain number of last lines, you can do

jq 'filter code' /path/to/audit.log

to filter the complete logfile.

You can ask me here, for further filters.

Much luck,
ernolf

1 Like

Good advice @ernolf. In fact, I’m using a modified version of this script https://github.com/GAS85/nextcloud_scripts/blob/master/nextcloud-auditlog.sh to do exactly that, with some summaries.

My first question regarded the possibility of limiting the number of logs collected, but as far as I have read this is not possible at the source. It can just be done later.
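The jq one-liners in ernolf's answer and the summary script mentioned in the reply above both boil down to the same post-processing job: read audit.log as JSON lines, keep or drop events by message pattern, and tally what is left. The following Python script is an added example (not from this thread, not from Nextcloud and not from the GAS85 script) that does that job offline. It assumes only the field names the jq filters select (time, remoteAddr, user, method, url, message, userAgent); the log lines embedded in it are constructed, and the message texts are invented in the style of admin_audit messages.

```python
"""Post-process a Nextcloud admin_audit log (JSON lines) offline.

Added example; mirrors the jq filters from the thread in Python and adds the
kind of summary a log-review script would want (per-user tallies, repeated
failed logins).  Assumes the seven field names used by the jq filters above.
"""
import json
import re
from collections import Counter

FIELDS = ("time", "remoteAddr", "user", "method", "url", "message", "userAgent")

# Constructed sample audit.log (invented values, not real data). One line is
# deliberately not JSON so the parser's skip path is exercised.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"time": "2024-01-10T08:00:01+00:00", "remoteAddr": "10.0.0.5", "user": "alice",
                "method": "POST", "url": "/login", "message": 'Login successful: "alice"',
                "userAgent": "Mozilla/5.0"}),
    json.dumps({"time": "2024-01-10T08:00:07+00:00", "remoteAddr": "10.0.0.5", "user": "alice",
                "method": "GET", "url": "/core/preview", "message": "Preview accessed: /Photos/a.jpg",
                "userAgent": "Mozilla/5.0"}),
    json.dumps({"time": "2024-01-10T08:01:00+00:00", "remoteAddr": "--", "user": "--",
                "method": "", "url": "--", "message": "Console command executed: files:scan",
                "userAgent": "--"}),
    json.dumps({"time": "2024-01-10T08:02:15+00:00", "remoteAddr": "203.0.113.9", "user": "--",
                "method": "POST", "url": "/login",
                "message": 'Login failed: "bob" (Remote IP: "203.0.113.9")', "userAgent": "curl/8.0"}),
    json.dumps({"time": "2024-01-10T08:02:16+00:00", "remoteAddr": "203.0.113.9", "user": "--",
                "method": "POST", "url": "/login",
                "message": 'Login failed: "bob" (Remote IP: "203.0.113.9")', "userAgent": "curl/8.0"}),
    "this line is not JSON and must be skipped",
    json.dumps({"time": "2024-01-10T08:30:00+00:00", "remoteAddr": "10.0.0.5", "user": "alice",
                "method": "GET", "url": "/logout", "message": "Logout occurred",
                "userAgent": "Mozilla/5.0"}),
])


def parse_audit_log(text):
    """Parse JSON-lines text into a list of event dicts.

    Blank and malformed lines are skipped rather than aborting the run (a
    partially written last line is common when reading a live log). Returns
    (events, number_of_skipped_lines).
    """
    events, skipped = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(obj, dict):
            events.append(obj)
        else:
            skipped += 1
    return events, skipped


def compact(event):
    """Same output as jq '[.time, ...] | join(" - ")'; a missing field becomes ''."""
    return " - ".join("" if event.get(f) is None else str(event[f]) for f in FIELDS)


def select_events(events, include=None, exclude=None):
    """Mirror jq 'select(.message | test(RE))' (include) and '... | not' (exclude)."""
    inc = re.compile(include) if include else None
    exc = re.compile(exclude) if exclude else None
    kept = []
    for ev in events:
        msg = str(ev.get("message", ""))
        if inc and not inc.search(msg):
            continue
        if exc and exc.search(msg):
            continue
        kept.append(ev)
    return kept


def count_by(events, field):
    """Tally one field's values, e.g. count_by(events, 'user')."""
    return Counter(str(ev.get(field, "")) for ev in events)


def count_kinds(events):
    """Tally message kinds (text before the first ':') to see what dominates the log."""
    return Counter(str(ev.get("message", "")).split(":", 1)[0] for ev in events)


def failed_logins_by_ip(events, threshold=2):
    """Remote addresses with at least `threshold` 'Login failed' events."""
    failed = select_events(events, include=r"^Login failed")
    return {ip: n for ip, n in count_by(failed, "remoteAddr").items() if n >= threshold}


if __name__ == "__main__":
    evs, skipped = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(f"{len(evs)} events parsed, {skipped} malformed line(s) skipped")
    for ev in select_events(evs, include=r"Login|Logout"):
        print(compact(ev))
    print("kinds:", dict(count_kinds(evs)))
    print("repeated failed logins:", failed_logins_by_ip(evs))
```

For a real file, replace SAMPLE_AUDIT_LOG with the contents of audit.log; the noise the question complains about (previews, folder creation) shows up directly in count_kinds, which tells you which exclude pattern to apply before archiving.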

The script makes it unnecessarily complicated. Obviously the author of that script has no knowledge of the jq filter tool.

  1. It is possible. I can explain, if you want, but:
  2. it is not needed, since easy to filter.

Much luck,
ernolf

I didn’t put too much effort into this topic as in the near future our logs will probably be collected in some kind of log collector and there are some other options for this. But you’re right, this script is unnecessarily complicated, except that it did what I needed at a certain point. Currently, we’re archiving those logs periodically and they will be parsed if necessary with some other tool.

But, if you don’t mind, I would like to know how I can select which kind of events can be filtered from the source perspective to avoid collecting huge amounts of logs. Do you mean that they can be filtered during generation (from Nextcloud options) or after generation?

You have to edit the source code, and comment out the Actions you do not want to activate:

You find the Actions in the folder
apps/admin_audit/lib/Actions/

Those Actions are included in the app by the file

apps/admin_audit/lib/AppInfo/Application.php
this way:

use OCA\AdminAudit\Actions\AppManagement;
use OCA\AdminAudit\Actions\Auth;
use OCA\AdminAudit\Actions\Console;
use OCA\AdminAudit\Actions\Files;
use OCA\AdminAudit\Actions\GroupManagement;
use OCA\AdminAudit\Actions\Security;
use OCA\AdminAudit\Actions\Sharing;
use OCA\AdminAudit\Actions\Trashbin;
use OCA\AdminAudit\Actions\UserManagement;
use OCA\AdminAudit\Actions\Versions;

So if you do not want to collect messages from a certain action, you can simply comment it out in this file.

Here again the example if you are only interested in the login- and logout-messages:

//use OCA\AdminAudit\Actions\AppManagement;
use OCA\AdminAudit\Actions\Auth;
//use OCA\AdminAudit\Actions\Console;
//use OCA\AdminAudit\Actions\Files;
//use OCA\AdminAudit\Actions\GroupManagement;
//use OCA\AdminAudit\Actions\Security;
//use OCA\AdminAudit\Actions\Sharing;
//use OCA\AdminAudit\Actions\Trashbin;
//use OCA\AdminAudit\Actions\UserManagement;
//use OCA\AdminAudit\Actions\Versions;

You do not need to restart anything, it works from the moment you store those changes.
After an update, you have to make those changes again.

If you get complaints about integrity, simply reset everything to default and run

./occ integrity:check-app admin_audit

After you have done that, you can make the changes again.

If you do not want to tamper with the code, you must live with filters.

Much luck,
ernolf

1 Like

Thanks for your help, this is double interesting to understand also how this app works. I will keep in mind and do some testing.

1 Like