Seeing Successful Logins

I have recently installed Nextcloud for a small group. I would like to be able to log the successful logins as well as failed logins.

I saw an older post (How to log successful logins) that says the “Auditing/Logging” app should provide this feature but I have that app enabled (as per default settings) and I also changed the nextcloud/config/config.php file loglevel to 1 and also tried it at 0 for debug level, but it did not log the successful logins.

I have my nextcloud logs in a file /var/nc_data/nextcloud.log

Is there something else that I need to enable or change in the configuration to be able to get the successful logins and other data such as how long logged in, etc.?

Thank you in advance

Nextcloud version 16.0.1
Operating system and version Ubuntu 18.04
Apache or nginx version - nginx 1.17.0
PHP version 7.3.6-1

Check this out: “Harden Nextcloud with Fail2Ban, GUI and WebDAV - Ubuntu 18.04”

Pattern in Logs for failed Logins is ..."message":"Login failed:...

Pattern For GUI:

{"reqId":"bFnTdevf7ZdCMQ5ddmNl","level":2,"time":"2019-04-03T21:49:30+00:00","remoteAddr":"10.11.12.13","user":"--","app":"core","method":"POST","url":"\/index.php\/login","message":"Login failed: 'Tralololjlkl' (Remote IP: '10.11.12.13')","userAgent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko\/20100101 Firefox\/66.0","version":"15.0.5.3"}

For WebDav:

{"reqId":"Q4wX3I4LOUeuMV4wRK91","level":2,"time":"2019-04-03T22:14:11+00:00","remoteAddr":"10.11.12.13","user":"--","app":"core","method":"GET","url":"\/remote.php\/dav\/files","message":"Login failed: 'test' (Remote IP: '10.11.12.13')","userAgent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko\/20100101 Firefox\/66.0","version":"15.0.5.3"}

You are right, it will not be logged in logs.

@gas85 thank you for your reply.

Are you saying there is no way to see successful logins?

I am already able to see the failed logins.

I want to be able to see the successful logins and it appears the program has done that in the past. Is there a way to still do that with the current version?

At least I did not find out how. All I can see are requests made after login, but that does not tell you whether the user just logged in or used a previously open session.
I believe you can try to enable

and check audit.log afterwards under your data folder.

Since v14, failed logins are logged in nextcloud.log and successful logins are logged in audit.log.
Except for not looking in the audit.log file, you’ve probably done everything else correctly. If in doubt, the installation guide for the “Splunk App for Nextcloud” contains the steps necessary to configure Nextcloud to log both. You can access it here:
https://intranet.graabek.com/cloud/index.php/s/Lc9oXkaWNmQHBqG

Just read page 4 only as the rest is about how to get a Splunk server up and running to monitor a Nextcloud server once it (the Nextcloud server) has been configured to log correctly.
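A way to work with both logs once they are being written, as an added example that is not part of any post in this thread: it parses JSON lines in the format quoted above, counts failed logins per address, and flags a successful login that directly follows a run of failures from the same address. The audit message text `Login successful: "user"`, the app name `admin_audit`, the threshold of 3 and all sample lines are assumptions constructed for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (nextcloud.log and audit.log merged). The audit
# message text and app name "admin_audit" are assumptions; check your own file.
SAMPLE_LOG = r'''
{"time":"2019-06-10T08:00:01+00:00","remoteAddr":"10.11.12.13","user":"--","app":"core","url":"\/index.php\/login","message":"Login failed: 'alice' (Remote IP: '10.11.12.13')"}
{"time":"2019-06-10T08:00:05+00:00","remoteAddr":"10.11.12.13","user":"--","app":"core","url":"\/remote.php\/dav\/files","message":"Login failed: 'alice' (Remote IP: '10.11.12.13')"}
{"time":"2019-06-10T08:00:09+00:00","remoteAddr":"10.11.12.13","user":"--","app":"core","url":"\/index.php\/login","message":"Login failed: 'o'brien' (Remote IP: '10.11.12.13')"}
{"time":"2019-06-10T08:00:12+00:00","remoteAddr":"10.11.12.13","user":"alice","app":"admin_audit","url":"\/index.php\/login","message":"Login successful: \"alice\""}
{"time":"2019-06-10T08:05:00+00:00","remoteAddr":"10.20.30.40","user":"bob","app":"admin_audit","url":"\/index.php\/login","message":"Login successful: \"bob\""}
{"time":"2019-06-10T08:06:00+00:00","remoteAddr":"10.20.30.40","app":"core","message":"Login failed: 'bob' (Remote IP: '10.20.30.40')"
'''

FAILED = re.compile(r"^Login failed: '(?P<user>.*)' \(Remote IP: '[^']*'\)$")
SUCCESS = re.compile(r'^Login successful: "(?P<user>.*)"$')

def parse_events(lines):
    """Yield (time, ip, user, outcome) per login event; skip damaged lines."""
    for line in lines:
        try:
            rec = json.loads(line)
            when = datetime.fromisoformat(rec["time"])
        except (ValueError, KeyError, TypeError):
            continue  # blank, truncated or non-object line
        # The username in the message is client-supplied: take the IP from remoteAddr.
        msg, ip = str(rec.get("message", "")), str(rec.get("remoteAddr", ""))
        if rec.get("app") == "admin_audit" and (m := SUCCESS.match(msg)):
            yield when, ip, m["user"], "success"
        elif m := FAILED.match(msg):
            yield when, ip, m["user"], "failed"

def summarize(lines, max_failures=3):
    """Return failures per IP and successes that follow a failure streak."""
    failed_by_ip, streak, suspicious = defaultdict(int), defaultdict(int), []
    for when, ip, user, outcome in sorted(parse_events(lines)):
        if outcome == "failed":
            failed_by_ip[ip] += 1
            streak[ip] += 1
        else:
            if streak[ip] >= max_failures:
                suspicious.append((when, ip, user))
            streak[ip] = 0
    return dict(failed_by_ip), suspicious

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

The last sample line is deliberately truncated and is skipped rather than aborting the run.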

Thank you @gas85 and @Rickenbacker for the additional information.

I am seeing the successful logins in the audit.log file

Are there any easy methods for being able to see how long someone is logged in and what they did while logged in - such as upload or download a file or have a conversation in the Talk app?


You can also configure admin_audit application to use the same log file:
occ config:app:set --value '/path/to/datas/nextcloud.log' admin_audit logfile

In order to find users’ activity, you can combine the flow from the Activity app and the webserver logfile.

It’s not as simple :(

@J-Doc thank you for the reply.

Are there more detailed instructions on how to get the user’s activity combined with webserver logfiles on Nextcloud’s site or any other site?

Or do you have any detailed step by step instructions of how to do this?

One thing I am also interested in being able to determine is when a user starts a Talk conversation; when and how many other people join the conversation and how long the conversation is.

I’m using an ELK stack with Filebeat for retrieving log files and getting metrics. I don’t know anything about Talk and its logging capabilities. Sorry

@J-Doc

I am fairly new to ELK stack and Filebeat. I have set up ELK stack and Filebeat on the same server that I have installed NextCloud.

Would you be so kind as to share your configuration settings you have used to bring in your Nextcloud logs into ELK and Filebeat?

Have you created custom visualizations or dashboards for your Nextcloud data or did you import them from some other source?

Current filebeat.yml for my NC logs (it’s still in dev, too many things to do elsewhere)

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /path/to/datas/datas/nextcloud.log
  json.add_error_key: true
  json.message_key: message

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true

setup.template.settings:
  index.number_of_shards: 3

setup.kibana:
  host: "http://your.kibana.server:5601"

output.elasticsearch:
  hosts: ["http://your.es.server:9200"]
  username: "xxxxxxxxxx"
  password: "xxxxxxxxxx"

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - rename:
      fields:
        - from: "json.url"
          to: "url.path"
        - from: "json.message"
          to: "message"
        - from: "json.userAgent"
          to: "user_agent.original"
        - from: "json.time"
          to: "event.created"
      when:
        has_fields: ["json.userAgent"]
      ignore_missing: true
      fail_on_error: false

For custom viz & dashboard it’s still in heavy dev, sorry :)

It is certainly possible to see what they did and when they did it, but for how long is more challenging.
The what and when can be answered by the “Splunk App for Nextcloud”. You can see some sample dashboards here:
https://splunkbase.splunk.com/app/3398/

It does not (yet) report on anything to do with the Talk app.

The file from J-Doc was a good start for me.
I added a few things to it: GitHub - marcohald/filebeat-nextcloud
I thought I’d post it here because this thread is listed very high in my Google search.