The audit.log is, as the nextcloud.log in json format.
The great thing about json is its filterability. The command-line JSON processor jq is needed for this.
Here some examples:
Follow the audit.log in a compact format, beginning with the last 100 lines:
tail -Fn 100 /path/to/audit.log | jq -r '[.time, .remoteAddr, .user, .method, .url, .message, .userAgent] | join(" - ")'
tail -F /path/to/audit.log | jq -r 'select(.message | test("Login|Logout")) | [.time, .remoteAddr, .user, .method, .url, .message, .userAgent] | join(" - ")'
All messages but console commands:
tail -F /path/to/audit.log | jq -r 'select(.message | test("Console command executed") | not) | [.time, .remoteAddr, .user, .method, .url, .message, .userAgent] | join(" - ")'
The filter posabilities are endless.
Instead of tail -F to follow the logentries live or for a certain amount of last lines tail -n $number_of_lines, you can do
jq ‘filter code’ /path/to/audit.log
to filter the complete logfile.
You can ask me here, for further filters.
Much luck,
ernolf