The Admin Audit App

Introduction

The Admin Audit app is an auditing module for ownCloud to trace the actions of users and administrators.

Configuration

The following configuration is required, in "config.php", to redirect audit messages into a log file.

'log.conditions' => [
  [
    'apps' => ['admin_audit'],
    // Adjust the path below, to match your setup
    'logfile' => '/var/www/owncloud/data/admin_audit.log'
  ]
]

Please note that the target path must be writeable for the webserver user. All messages, regardless of log level, will be logged there. To ignore all CLI triggered events (not the default), you can set the following option:

sudo -u www-data php occ  config:app:set admin_audit ignore_cli_events --value='yes'

Grouped Logging

With each log message, several users are calculated to be the 'audit context'. This is the list of users which are related to the log message. Additionally, each log message includes a list of groups that the users are a member of, to enable filtering and splitting of the log messages at a later date. In cases when users are members of many groups, to reduce the data output, the group list can be filtered using the following config option:

'admin_audit.groups' => [
  'group1',
  'group2'
]

When the filter is configured, only the filtered list of groups will be output in auditGroups, else, all groups that the auditUsers are a member of are output.

Connect with Splunk Cloud

Splunk captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.
— https://en.wikipedia.org/wiki/Splunk
Wikipedia

To connect ownCloud with Splunk Cloud, you need to carry out the steps below:

  1. Install the Splunk Universal Forwarder

    You can find the system requirements for installing Splunk in the Splunk documentation.

  2. Connect your local forwarder to your Splunk Cloud instance You can do this by running the following command:

    # Change the URL to match your setup
splunk set deploy-poll input-prd-your-server-here.cloud.splunk.com:8089

  3. Install the Splunk Cloud credentials You can do this by running the following command:

    # Change the path and admin setting to match your setup
splunk install app path/to/splunkclouduf.spl -auth admin:changeme

  4. Set the ownCloud audit log to be monitored by Splunk You can do this by adding the following configuration to inputs.conf:

    # The file, including the path, must match the 'log.conditions' setting above
[monitor://var/www/owncloud/data/admin_audit.log]
 disabled = false
 sourcetype = _json
 index = main

  5. Configure props.conf, as in the following configuration example, to ensure that the time field is correctly used and that the fields are extracted

    [_json]
 INDEXED_EXTRACTIONS = json
 KV_MODE = json
 TIMESTAMP_FIELDS = [Time]
 category = Structured
For more details on configuring the Splunk Universal Forwarder, please refer to Splunk’s online documentation.

Output

The audit app listens for internal ownCloud events and hooks and produces a rich set of audit entries useful for reporting on the usage of your ownCloud server. Log entries are based upon the internal ownCloud logging system but contain extra fields that hold relevant data fields related to the specific event.

Each event will contain, at a minimum, the data in the following table:

Setting Type Description

remoteAddr

string

The remote client IP

user

string

The UID of the user performing the action. Or "IP x.x.x.x.", "cron", "CLI", "unknown"

url

string

The process request URI

method

string

The HTTP request method

userAgent

string

The HTTP request user agent

time

string

The time of the event e.g.,: 2018-05-08T08:26:00+00:00

app

string

Always 'admin_audit'

message

string

Sentence explaining the action

action

string

Unique action identifier e.g.,: file_delete or public_link_created

CLI

boolean

If the action was performed from the CLI

level

integer

The log level of the entry (usually 1 for audit events)

Please refer to the follow-on sections to see the event- and hook-specific data that is returned.

Apps

This is an enterprise app

app_enabled

Setting Type Description

targetApp

string

The app ID of the enabled app.

groups

string[]

Array of group IDs if the app was enabled for certain groups.

app_disabled

Setting Type Description

targetApp

string

The app ID of the disabled app.

Auth

user_login

Setting Type Description

success

boolean

If the login was successful.

login

string

The attempted login value.

user_logout

Comments

All comment events have the same data:

Setting Type Description

commentId

string

The comment identifier.

path

string

The path to the file that the comment is attached to.

fileId

string

The file identifier.

Config

config_set

Setting Type Description

settingName

string

The key.

settingValue

string

The new value.

oldValue

string

The old value.

created

boolean

If the setting is created for the first time.

config_delete

Setting Type Description

settingName

string

The key.

Console

command_executed

Setting Type Description

command

string

The exact command that was executed.

Custom Groups

custom_group_member_removed

Setting Type Description

removedUser

string

The UID of the user that was removed from the group.

group

string

The custom group name.

groupId

integer

The custom group id.

custom_group_user_left

Setting Type Description

removedUser

string

The UID of the user that left the group.

group

string

The custom group name.

groupId

integer

The custom group id.

custom_group_user_role_changed

Setting Type Description

targetUser

string

The UID of the user that changed role.

group

string

The custom group name.

groupId

integer

The custom group id

roleNumber

integer

The new role number.

  • 0 = member

  • 1 = admin

custom_group_renamed

Setting Type Description

oldGroup

string

The old custom group name.

group

string

The new custom group name.

groupId

integer

The custom group id

custom_group_created

Setting Type Description

group

string

The custom group name created.

groupId

The custom group id.

addedUser

string

The UID of the user added.

admin

boolean

File Lifecycle

requires at least version 1.0.0.

lifecycle_archived

Setting Type Description

path

string

The path to the file that was archived

owner

string

The UID of the owner of the file that was deleted

fileId

integer

The file ID for the file that was archived

lifecycle_restored

Setting Type Description

path

string

The path to the file that was restored

fileId

integer

The number of days interval specified during expiration

lifecycle_expired

Setting Type Description

fileId

integer

The file id of the file that was expired

Files

file_create

Setting Type Description

path

string

The full path to the create file.

owner

string

The UID of the owner of the file.

fileId

string

The newly created files identifier.

file_read

Setting Type Description

path

string

The full path to the file.

owner

string

The UID of the owner of the file.

fileId

string

The files identifier.

file_update

Setting Type Description

path

string

The full path to the updated file.

owner

string

The UID of the owner of the file.

fileId

string

The updated files identifier.

file_delete

Setting Type Description

path

string

The full path to the updated file.

owner

string

The UID of the owner of the file.

fileId

string

The updated files identifier.

file_copy

Setting Type Description

oldPath

string

The full path to the source file.

path

string

The full path to the new file.

sourceOwner

string

The UID of the owner of the source file.

owner

string

The UID of the owner of the file.

sourceFileId

string

The source files identifier.

fileId

string

The new files identifier.

file_rename

Setting Type Description

oldPath

string

The original path file.

path

string

The new path file.

fileId

string

The files identifier.

file_trash_delete

Setting Type Description

owner

string

The UID of the owner of the file.

path

string

The full path to the deleted file.

file_trash_restore

Setting Type Description

owner

string

The UID of the owner of the file.

fileId

string

The restored files identifier.

oldPath

string

The original path to the file.

newPath

string

The new path to the file.

owner

string

The UID of the owner of the file.

file_version_delete

Setting Type Description

path

string

The full path to the version file deleted.

trigger

string

The delete trigger reasoning.

file_version_restore

Setting Type Description

path

string

The full path to the file being restored to the new version.

revision

string

The revision of the file restored

Holding Period

requires at least v0.1.3.

Impersonate

impersonated

Setting Type Description

user

string

The current user who did an impersonate action.

targetUser

string

The user who is being impersonated.

impersonate_logout

Setting Type Description

user

string

The user who performed impersonate action.

targetUser

string

The user who was being impersoanted.

Sharing

Sharing events come with a default set of fields:

Setting Type Description

fileId

string

The file identifier for the item shared.

owner

string

The UID of the owner of the shared item.

path

string

The path to the shared item.

shareId

string

The sharing identifier. It is not available for public_link_accessed or when recipient unshares.

file_shared

Setting Type Description

itemType

string

file or folder

expirationDate

string

The text expiration date in format: yyyy-mm-dd

sharePass

boolean

If the share is password protected.

permissions

string

The permissions string e.g.,: "READ"

shareType

string

group user or link

shareWith

string

The UID or GID of the share recipient. (not available for public link)

shareOwner

string

The UID of the share owner.

shareToken

string

For link shares the unique token, else null

file_unshared

Setting Type Description

itemType

string

file or folder

shareType

string

group user or link

shareWith

string

The UID or GID of the share recipient.

share_permission_update

Setting Type Description

itemType

string

file or folder

shareType

string

group user or link

shareOwner

string

The UID of the share owner.

permissions

string

The new permissions string e.g.,: "READ"

shareWith

string

The UID or GID of the share recipient. (not available for public link)

oldPermissions

string

The old permissions string e.g.,: "READ"

share_name_updated

Setting Type Description

oldShareName

string

The previous share name.

shareName

string

The updated share name.

share_password_updated

Setting Type Description

itemType

string

file or folder

shareOwner

string

The UID of the share owner.

permissions

string

The full permissions string e.g.,: "READ"

shareToken

string

The share token.

sharePass

boolean

If the share is password protected.

share_expiration_date_updated

Setting Type Description

itemType

string

file or folder

shareType

string

group user or link

shareOwner

string

The UID of the owner of the share.

permissions

string

The permissions string e.g.,: "READ"

expirationDate

string

The new text expiration date in format: yyyy-mm-dd

oldExpirationDate

string

The old text expiration date in format: yyyy-mm-dd

share_accepted

Setting Type Description

itemType

string

file or folder.

path

string

The path of the shared item.

owner

string

The UID of the owner of the shared item.

fileId

string

The file identifier for the item shared.

shareId

string

The sharing identifier. This is not available for public_link_accessed.

shareType

string

group user

share_declined

Setting Type Description

itemType

string

file or folder.

path

string

The path of the shared item.

owner

string

The UID of the owner of the shared item.

fileId

string

The file identifier for the item shared.

shareId

string

The sharing identifier. This is not available for public_link_accessed.

shareType

string

group user

federated_share_received

Setting Type Description

name

string

The path of shared item

targetuser

string

The target user who sent the item

shareType

remote

string

federated_share_accepted

Setting Type Description

itemType

string

The path of shared item

targetUser

string

The target user who sent the item

shareType

string

remote

federated_share_declined

Setting Type Description

itemType

string

The path of shared item

targetuser

string

The target user who sent the item

shareType

string

remote
Setting Type Description

shareToken

string

The share token.

success

boolean

If the request was successful.

itemType

string

file or folder
Setting Type Description

shareType

string

link
Setting Type Description

token

string

The token used to access the url.

federated_share_unshared

Setting Type Description

targetUser

string

The user who initiated the unshare action

targetmount

string

the file/folder unshared.

shareType

string

remote

SMB ACL

before_set_acl

Setting Type Description

user

string

The user who is trying to set the ACL

ocPath

string

The owncloud instance path

smbPath

string

The SMB path

descriptor

array

The descriptor array. It contains to following keys:

  • revision - integer - Always 1

  • owner - string - The SMB owner

  • group - string - The SMB group

  • acl - array - A list of ACEs. The list could be empty. Each ACE contains

    • trustee - string - The SMB user affected by this ACE

    • mode - string - "allowed" or "denied"

    • flags - string - Inheritance flags

    • mask - string - Permission mask

    • flagsAsInt - integer - The inheritance flags as integer value

    • maskAsInt - integer - The permission mask as integer value

after_set_acl

Setting Type Description

user

string

The user who is trying to set the ACL

ocPath

string

The owncloud instance path

smbPath

string

The SMB path

descriptor

array

The descriptor array. It contains to following keys:

  • revision - integer - Always 1

  • owner - string - The SMB owner

  • group - string - The SMB group

  • acl - array - A list of ACEs. The list could be empty. Each ACE contains

    • trustee - string - The SMB user affected by this ACE

    • mode - string - "allowed" or "denied"

    • flags - string - Inheritance flags

    • mask - string - Permission mask

    • flagsAsInt - integer - The inheritance flags as integer value

    • maskAsInt - integer - The permission mask as integer value

Tags

tag_created

Setting Type Description

tagName

string

The tag name.

tag_deleted

Setting Type Description

tagName

string

The tag name.

tag_updated

Setting Type Description

oldTag

string

The old tag name.

tagName

string

The new tag name.

tag_assigned

Setting Type Description

tagName

string

The tag name.

fileId

string

The file identifier to which the tag was assigned.

path

string

The path to the file.

tag_unassigned

Setting Type Description

tagName

string

The tag name.

fileId

string

The file identifier from which the tag was unassigned.

path

string

The path to the file.

User Preference

update_user_preference_value

Setting Type Description

key

string

The key

value

string

The value associated with the key

appname

string

The name of the app

user

string

The UID of the user who has the preference key-value for the app.

user_preference_set

Setting Type Description

key

string

The key

value

string

The value associated with the key

appname

string

The name of the app

user

string

The UID of the user who has the preference key-value for the app.

remove_user_preference_key

Setting Type Description

key

string

The key

appname

string

The name of the app

user

string

The UID of the user whose preference key is deleted for the app.

remove_preferences_of_user

Setting Type Description

user

string

The UID of the user, whose all user preferences are deleted.

delete_all_user_preference_of_app

Setting Type Description

appname

string

The name of the app whose all user preferences are deleted.

Users

user_created

Setting Type Description

targetUser

string

The UID of the created user.

user_password_reset

Setting Type Description

targetUser

string

The UID of the user.

group_member_added

Setting Type Description

targetUser

string

The UID of the user.

group

string

The GID of the group.

user_deleted

Setting Type Description

targetUser

string

The UID of the user.

group_member_removed

targetUser string The UID of the user.

group

string

The GID of the group.

user_state_changed

Setting Type Description

targetUser

string

The UID of the user.

enabled

boolean

If the user is enabled or not.

group_created

Setting Type Description

group

string

The GID of the group.

group_deleted

Setting Type Description

group

string

The GID of the group.

user_feature_changed

Setting Type Description

targetUser

string

The UID of the user.

group

string

The GID of the group (or empty string).

feature

string

The feature that was changed.

value

string

The new value.