Periodical not clear files access

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 20.0.5): 22.2.5
Operating system and version (eg, Ubuntu 20.04): 20.04
Apache or nginx version (eg, Apache 2.4.25): 2.4.53
PHP version (eg, 7.4): 7.4.28

The issue you are facing:

Is this the first time you’ve seen this error? (Y/N): Y

Since 3 weeks I noticed that have dozen of activity in my own user (USER A) history about USER B accessed shared files via Browser…

Check web access logs and not find any access.
Check audit.log and find periodical - each 10 min access to the 1 folder /Notes and all files within.
Access only noticed to this folder, it is not shared. Whatever files will be put into it - will be accessed.
There is no IP address behind or User Agent, besides its version is the same as Nextcloud itself.
Check USER B Security settings - there is no active sessions, and no active sessions “last 10” min or so.
Check Nextlcoud logs - nothing related to this issue.
I find out that contacts were producing dozen of errors and disable it. But file access didn’t disappear. How to trace back this?

The output of your audit log:

{"reqId":"dtt240eRazxmsG2CCWKj","level":1,"time":"2022-04-16T14:10:03+00:00","remoteAddr":"","user":"USER B","app":"admin_audit","method":"","url":"--","message":"File accessed: \"/Notes/Test.txt\"","userAgent":"--","version":"22.2.5.1"}
{"reqId":"dtt240eRazxmsG2CCWKj","level":1,"time":"2022-04-16T14:10:03+00:00","remoteAddr":"","user":"USER B","app":"admin_audit","method":"","url":"--","message":"File accessed: \"/Notes/Versicherungsscheinnummer.txt\"","userAgent":"--","version":"22.2.5.1"}
{"reqId":"IR5ixU7ECCoo5qGqLkyr","level":1,"time":"2022-04-16T14:15:14+00:00","remoteAddr":"","user":"USER B","app":"admin_audit","method":"","url":"--","message":"File accessed: \"/Notes/Test.txt\"","userAgent":"--","version":"22.2.5.1"}
{"reqId":"IR5ixU7ECCoo5qGqLkyr","level":1,"time":"2022-04-16T14:15:14+00:00","remoteAddr":"","user":"USER B","app":"admin_audit","method":"","url":"--","message":"File accessed: \"/Notes/Versicherungsscheinnummer.txt\"","userAgent":"--","version":"22.2.5.1"}
{"reqId":"XjczrpG3RF0tPToqQhdN","level":1,"time":"2022-04-16T14:25:03+00:00","remoteAddr":"","user":"USER B","app":"admin_audit","method":"","url":"--","message":"File accessed: \"/Notes/Test.txt\"","userAgent":"--","version":"22.2.5.1"}
{"reqId":"XjczrpG3RF0tPToqQhdN","level":1,"time":"2022-04-16T14:25:03+00:00","remoteAddr":"","user":"USER B","app":"admin_audit","method":"","url":"--","message":"File accessed: \"/Notes/Versicherungsscheinnummer.txt\"","userAgent":"--","version":"22.2.5.1"}
{"reqId":"rXxBCNxxaiCQZXbL0lXa","level":1,"time":"2022-04-16T14:35:02+00:00","remoteAddr":"","user":"USER B","app":"admin_audit","method":"","url":"--","message":"File accessed: \"/Notes/Test.txt\"","userAgent":"--","version":"22.2.5.1"}
{"reqId":"rXxBCNxxaiCQZXbL0lXa","level":1,"time":"2022-04-16T14:35:03+00:00","remoteAddr":"","user":"USER B","app":"admin_audit","method":"","url":"--","message":"File accessed: \"/Notes/Versicherungsscheinnummer.txt\"","userAgent":"--","version":"22.2.5.1"}
{"reqId":"nEFSCJ5iPV8WOQ9ewGBS","level":1,"time":"2022-04-16T14:45:03+00:00","remoteAddr":"","user":"USER B","app":"admin_audit","method":"","url":"--","message":"File accessed: \"/Notes/Test.txt\"","userAgent":"--","version":"22.2.5.1"}
{"reqId":"nEFSCJ5iPV8WOQ9ewGBS","level":1,"time":"2022-04-16T14:45:03+00:00","remoteAddr":"","user":"USER B","app":"admin_audit","method":"","url":"--","message":"File accessed: \"/Notes/Versicherungsscheinnummer.txt\"","userAgent":"--","version":"22.2.5.1"}

List of apps and the output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

Enabled:
  - accessibility: 1.8.0
  - activity: 2.15.0
  - admin_audit: 1.12.0
  - audioplayer: 3.3.0
  - bookmarks: 10.2.1
  - bruteforcesettings: 2.3.0
  - calendar: 3.2.2
  - camerarawpreviews: 0.7.15
  - checksum: 1.1.3
  - cloud_federation_api: 1.5.0
  - comments: 1.12.0
  - contactsinteraction: 1.3.0
  - cospend: 1.4.6
  - dashboard: 7.2.0
  - data_request: 1.9.0
  - dav: 1.20.0
  - deck: 1.5.6
  - drawio: 1.0.2
  - external: 3.9.0
  - extract: 1.3.3
  - facerecognition: 0.9.1
  - federatedfilesharing: 1.12.0
  - files: 1.17.0
  - files_automatedtagging: 1.12.0
  - files_downloadactivity: 1.12.0
  - files_external: 1.13.1
  - files_mindmap: 0.0.26
  - files_pdfviewer: 2.3.1
  - files_retention: 1.11.1
  - files_rightclick: 1.1.0
  - files_sharing: 1.14.0
  - files_trashbin: 1.12.0
  - files_versions: 1.15.0
  - files_videoplayer: 1.11.0
  - firstrunwizard: 2.11.0
  - forms: 2.4.0
  - gpxedit: 0.0.14
  - gpxpod: 4.3.0
  - integration_discourse: 1.0.2
  - integration_github: 1.0.2
  - integration_gitlab: 1.0.3
  - keeweb: 0.6.8
  - logreader: 2.7.0
  - lookup_server_connector: 1.10.0
  - mail: 1.11.7
  - maps: 0.1.10
  - news: 18.0.0
  - nextcloud_announcements: 1.11.0
  - notes: 4.3.1
  - notifications: 2.10.1
  - oauth2: 1.10.0
  - ocdownloader: 1.8.0
  - password_policy: 1.12.0
  - phonetrack: 0.7.0
  - photos: 1.4.0
  - polls: 3.5.4
  - previewgenerator: 4.0.0
  - privacy: 1.6.0
  - provisioning_api: 1.12.0
  - recommendations: 1.1.0
  - serverinfo: 1.12.0
  - settings: 1.4.0
  - sharebymail: 1.12.0
  - side_menu: 2.3.4
  - spreed: 12.2.4
  - support: 1.5.0
  - survey_client: 1.10.0
  - systemtags: 1.12.0
  - text: 3.3.0
  - theming: 1.13.0
  - transmission: 0.7.2
  - twofactor_backupcodes: 1.11.0
  - twofactor_totp: 6.2.0
  - unsplash: 1.2.4
  - updatenotification: 1.12.0
  - user_status: 1.2.0
  - video_converter: 1.0.4
  - viewer: 1.6.0
  - weather_status: 1.2.0
  - workflowengine: 2.4.0
Disabled:
  - circles: 22.1.1
  - contacts: 4.1.0
  - encryption
  - federation: 1.10.1
  - files_accesscontrol: 1.12.1
  - flowupload: 1.1.3
  - gpxmotion: 0.1.0
  - impersonate: 1.9.0
  - integration_jira: 1.0.2
  - radio: 1.0.3
  - recognize: 1.11.0
  - user_ldap
  - weather: 1.7.6
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            ""***REMOVED SENSITIVE VALUE***",
            ""***REMOVED SENSITIVE VALUE***",
            ""***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": ""***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "22.2.5.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "filesystem_check_changes": 0,
        "filelocking.enabled": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 1.5
        },
        "default_phone_region": "DE",
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": "",
        "logfile": "\/var\/nextcloud\/data\/nextcloud.log",
        "loglevel": 1,
        "trashbin_retention_obligation": "14, auto",
        "versions_retention_obligation": "14, auto",
        "data-fingerprint": "7be51475e95ea13b254cd880319d98ec",
        "enable_previews": true,
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\Movie",
            "OC\\Preview\\PDF",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown"
        ],
        "preview_max_x": 1920,
        "preview_max_y": 1080,
        "jpeg_quality": 90,
        "auth.bruteforce.protection.enabled": true,
        "simpleSignUpLink.shown": false,
        "mail_sendmailmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "twofactor_enforced": true,
        "twofactor_enforced_groups": [
            "admin"
        ],
        "twofactor_enforced_excluded_groups": [],
        "has_rebuilt_cache": true,
        "updater.release.channel": "stable",
        "app_install_overwrite": [
            "transmission"
        ]
    }
}

The output of your Apache/nginx/system log in /var/log/____:

Nothing related