Log files for docker container?

xokia · November 17, 2023, 5:54am

Running Nextcloud 27.1.3 on unraid 6.12.4 I am using swag as the reverse proxy.

I am trying to configure fail2ban and am unable to find any log where the access failure is kept. I can see the IP address get logged. But in the Below logfile I made 2 access attempts. I purposefully failed attempt and 1 passing attempt. I see no difference in the log

/mnt/user/appdata/nextcloud/log/nginx/access.log

37.120.155.26 - - [16/Nov/2023:13:12:53 -0800] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:12:54 -0800] "GET /login HTTP/1.1" 200 5939 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:12:54 -0800] "GET /core/js/oc.js?v=202a87b9 HTTP/1.1" 200 3940 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:12:55 -0800] "GET /apps/theming/theme/default.css?plain=1&v=356a192b HTTP/1.1" 200 1032 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:12:55 -0800] "GET /apps/theming/theme/light.css?plain=1&v=356a192b HTTP/1.1" 200 1032 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:12:55 -0800] "GET /apps/theming/manifest?v=356a192b HTTP/1.1" 200 246 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:12:55 -0800] "GET /apps/theming/theme/dark.css?plain=0&v=356a192b HTTP/1.1" 200 1054 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:12:55 -0800] "GET /apps/theming/theme/light.css?plain=0&v=356a192b HTTP/1.1" 200 1052 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:12:55 -0800] "GET /apps/theming/theme/light-highcontrast.css?plain=0&v=356a192b HTTP/1.1" 200 1117 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:12:55 -0800] "GET /apps/theming/theme/dark-highcontrast.css?plain=0&v=356a192b HTTP/1.1" 200 1147 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:12:55 -0800] "GET /apps/theming/theme/opendyslexic.css?plain=0&v=356a192b HTTP/1.1" 200 343 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:12:55 -0800] "GET /apps/theming/theme/dark.css?plain=1&v=356a192b HTTP/1.1" 200 1033 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:12:56 -0800] "GET /apps/theming/theme/light-highcontrast.css?plain=1&v=356a192b HTTP/1.1" 200 1095 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:12:56 -0800] "GET /apps/theming/theme/dark-highcontrast.css?plain=1&v=356a192b HTTP/1.1" 200 1124 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:13:10 -0800] "POST /login HTTP/1.1" 303 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:13:10 -0800] "GET /login?direct=1&user=mike HTTP/1.1" 200 5986 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:13:11 -0800] "GET /core/js/oc.js?v=202a87b9 HTTP/1.1" 200 3940 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:19 -0800] "POST /login HTTP/1.1" 303 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:19 -0800] "GET /apps/dashboard/ HTTP/1.1" 200 11137 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:20 -0800] "GET /core/js/oc.js?v=202a87b9 HTTP/1.1" 200 4009 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:20 -0800] "GET /apps/theming/theme/default.css?plain=1&v=8eedf427 HTTP/1.1" 200 1032 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:20 -0800] "GET /apps/theming/theme/light.css?plain=0&v=8eedf427 HTTP/1.1" 200 1052 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:20 -0800] "GET /apps/theming/theme/light-highcontrast.css?plain=0&v=8eedf427 HTTP/1.1" 200 1117 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:20 -0800] "GET /apps/theming/theme/light.css?plain=1&v=8eedf427 HTTP/1.1" 200 1032 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:20 -0800] "GET /apps/theming/theme/dark.css?plain=0&v=8eedf427 HTTP/1.1" 200 1054 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:20 -0800] "GET /apps/theming/theme/opendyslexic.css?plain=0&v=8eedf427 HTTP/1.1" 200 343 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:20 -0800] "GET /apps/theming/theme/dark-highcontrast.css?plain=0&v=8eedf427 HTTP/1.1" 200 1147 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:21 -0800] "GET /apps/theming/theme/dark.css?plain=1&v=8eedf427 HTTP/1.1" 200 1033 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:21 -0800] "GET /apps/theming/theme/light-highcontrast.css?plain=1&v=8eedf427 HTTP/1.1" 200 1095 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:22 -0800] "GET /apps/theming/manifest/dashboard?v=8eedf427 HTTP/1.1" 200 252 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:22 -0800] "GET /ocs/v2.php/apps/dashboard/api/v1/widgets HTTP/1.1" 200 638 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:22 -0800] "GET /ocs/v2.php/search/providers?from=%2Fapps%2Fdashboard%2F HTTP/1.1" 200 293 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:22 -0800] "GET /apps/theming/theme/dark-highcontrast.css?plain=1&v=8eedf427 HTTP/1.1" 200 1124 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:22 -0800] "GET /ocs/v2.php/apps/dashboard/api/v2/widget-items?widgets%5B%5D=user_status HTTP/1.1" 200 140 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:22 -0800] "GET /ocs/v2.php/apps/dashboard/api/v2/widget-items?widgets%5B%5D=mail-unread HTTP/1.1" 200 141 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:22 -0800] "GET /ocs/v2.php/apps/dashboard/api/v2/widget-items?widgets%5B%5D=activity HTTP/1.1" 200 264 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:22 -0800] "PUT /ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json HTTP/1.1" 200 149 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:22 -0800] "GET /ocs/v2.php/apps/spreed/api/v4/room HTTP/1.1" 200 809 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:22 -0800] "GET /ocs/v2.php/apps/user_status/api/v1/statuses/mike HTTP/1.1" 200 119 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:22 -0800] "GET /ocs/v2.php/apps/weather_status/api/v1/location HTTP/1.1" 200 145 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:22 -0800] "GET /ocs/v2.php/apps/dashboard/api/v2/widget-items?widgets%5B%5D=mail HTTP/1.1" 200 135 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:22 -0800] "GET /ocs/v2.php/apps/dashboard/api/v2/widget-items?widgets%5B%5D=calendar HTTP/1.1" 200 139 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:22 -0800] "PUT /ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json HTTP/1.1" 200 149 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:22 -0800] "GET /ocs/v2.php/apps/dashboard/api/v2/widget-items?widgets%5B%5D=recommendations HTTP/1.1" 200 569 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:23 -0800] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 81 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:23 -0800] "GET /avatar/xxx/512?v=1 HTTP/1.1" 200 6157 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
37.120.155.26 - - [16/Nov/2023:13:22:23 -0800] "GET /ocs/v2.php

my /data/nextcloud.log contains nothing about the login attempt

gas85 · November 17, 2023, 11:23am

Thats strange, I still have NC 26, but can see info in a logs:

{"reqId":"QXZ9Ep6pPU8RzTm32W7X","level":2,"time":"2023-11-17T11:21:49+00:00","remoteAddr":"256.256.256.256","user":"--","app":"no app in context","method":"POST","url":"/index.php/login","message":"Login failed: sdfdsfds (Remote IP:256.256.256.256)","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"26.0.8.2","data":[]}

How about other info? Does logs works at all?

vapaa · November 17, 2023, 12:33pm

To configure Fail2Ban with Nextcloud and find the logs where access failures are kept, you typically need to look at the Nextcloud log file, which is often located in the Nextcloud data directory. The default location for this directory is usually /var/www/nextcloud/data, but it can vary depending on your installation, especially if you’re using Docker or have a custom setup like Unraid.

Here are the steps to locate the Nextcloud log file and configure Fail2Ban:

Locate the Nextcloud Log File:

Check your Nextcloud config.php file for the 'datadirectory' value, which specifies where your data directory is located.
Inside the data directory, look for nextcloud.log. This file contains the logs for Nextcloud, including access failures.

Configure Fail2Ban:

Create a Fail2Ban filter for Nextcloud in /etc/fail2ban/filter.d/nextcloud.conf with the appropriate regex to match failed login attempts.
Add a jail configuration for Nextcloud in /etc/fail2ban/jail.local that references the filter you created and specifies the log path.

Here is an example of what the filter and jail configurations might look like:

/etc/fail2ban/filter.d/nextcloud.conf:

[Definition]
failregex=^{"reqId":".*","level":2,"time":".*","remoteAddr":"<HOST>","user":".*","app":"core","method":"POST","url":"\/login","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)",.*}$
ignoreregex =

/etc/fail2ban/jail.local:

[nextcloud]
enabled = true
port    = http,https
filter  = nextcloud
logpath = /var/www/nextcloud/data/nextcloud.log
maxretry = 3

Please note that the paths and configurations may need to be adjusted based on your specific setup. The log path should point to the actual location of your nextcloud.log file.

Restart Fail2Ban:

After making changes to the configuration, restart Fail2Ban to apply them:

sudo systemctl restart fail2ban

Verify Operation:

Check the status of the Nextcloud jail to ensure it’s active and monitoring the log file:

sudo fail2ban-client status nextcloud

Check for Fail2Ban Actions:
You can check the Fail2Ban log at /var/log/fail2ban.log to see if any bans have been enacted based on the Nextcloud log.

Remember to replace the log path in the Fail2Ban configuration with the actual path to your Nextcloud log file. If you’re using Docker or Unraid, you may need to adjust the path accordingly or ensure that the log file is accessible to the Fail2Ban service running on the host system.

xokia · November 17, 2023, 7:16pm

/mnt/user/appdata/nextcloud/www/nextcloud/config/config.php

$CONFIG = array (
  'datadirectory' => '/data',
.
.
.
.
  'maintenance' => false,
  'tempdirectory' => '/nextcloud_tmp',
  'theme' => '',
  'loglevel' => 2,
  'log_type' => 'file',
  'logfile' => 'nextcloud.log',

I moved my general log file to /data/nextcloud.log

However nothing in here shows a failed access. Do I need to change the loglevel?

xokia · November 18, 2023, 2:57am

actually looks like my nextcloud.log file stopped working not sure why.

I used truncate /data/nextcloud.log --size=0 and now nothing logs to it
however if I change loglevel to 0 I get debug logs and only debug logs in my logfile

root@88ecb2f1ef01:/# ls -l /data/nextcloud.log
-rwxrwxrwx 1 abc abc 0 Nov 17 18:18 /data/nextcloud.log

edit
/app/www/public/nextcloud.log

WTF???

it created its own log file and is ignoring what’s in
/mnt/user/appdata/nextcloud/www/nextcloud/config/config.php

Can anyone explain that?

xokia · November 18, 2023, 6:05am

got it working

I used the following for /etc/fail2ban/filter.d/nextcloud.conf

[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

Thanks for the help