The Admin Audit App
Introduction
The Admin Audit app is an auditing module for ownCloud to trace the actions of users and administrators.
Configuration
The following configuration is required, in "config.php", to redirect audit messages into a log file.
'log.conditions' => [
    [
        'apps' => ['admin_audit'],
        // Adjust the path below, to match your setup
        'logfile' => '/var/www/owncloud/data/admin_audit.log'
    ]
]
Please note that the target path must be writable by the webserver user. All messages, regardless of log level, will be logged there. To ignore all CLI-triggered events (this is not the default), set the following option:
sudo -u www-data php occ config:app:set admin_audit ignore_cli_events --value='yes'
Grouped Logging
With each log message, several users are calculated to be the 'audit context': the list of users related to the log message. Additionally, each log message includes a list of groups that these users are members of, to enable filtering and splitting of the log messages at a later date. When users are members of many groups, the group list can be filtered to reduce the data output, using the following config option:
'admin_audit.groups' => [
'group1',
'group2'
]
When the filter is configured, only the filtered list of groups is output in auditGroups; otherwise, all groups that the auditUsers are members of are output.
Connect with Splunk Cloud
Splunk captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations. (Wikipedia)
To connect ownCloud with Splunk Cloud, you need to carry out the steps below:

- Install the Splunk Universal Forwarder. You can find the system requirements for installing Splunk in the Splunk documentation.
- Connect your local forwarder to your Splunk Cloud instance by running the following command:

  # Change the URL to match your setup
  splunk set deploy-poll input-prd-your-server-here.cloud.splunk.com:8089

- Install the Splunk Cloud credentials by running the following command:

  # Change the path and admin setting to match your setup
  splunk install app path/to/splunkclouduf.spl -auth admin:changeme

- Set the ownCloud audit log to be monitored by Splunk by adding the following configuration to inputs.conf:

  # The file, including the path, must match the 'log.conditions' setting above
  [monitor://var/www/owncloud/data/admin_audit.log]
  disabled = false
  sourcetype = _json
  index = main

- Configure props.conf, as in the following configuration example, to ensure that the time field is correctly used and that the fields are extracted:

  [_json]
  INDEXED_EXTRACTIONS = json
  KV_MODE = json
  TIMESTAMP_FIELDS = [Time]
  category = Structured

For more details on configuring the Splunk Universal Forwarder, please refer to Splunk's online documentation.
Output
The audit app listens for internal ownCloud events and hooks and produces a rich set of audit entries useful for reporting on the usage of your ownCloud server. Log entries are based upon the internal ownCloud logging system but contain extra fields that hold data relevant to the specific event.
Each event will contain, at a minimum, the data in the following table:
Setting | Type | Description |
---|---|---|
| | string | The remote client IP |
| | string | The UID of the user performing the action, or "IP x.x.x.x", "cron", "CLI", "unknown" |
| | string | The process request URI |
| | string | The HTTP request method |
| | string | The HTTP request user agent |
| | string | The time of the event, e.g. 2018-05-08T08:26:00+00:00 |
| | string | Always 'admin_audit' |
| | string | Sentence explaining the action |
| | string | Unique action identifier, e.g. file_delete or public_link_created |
| | boolean | If the action was performed from the CLI |
| | integer | The log level of the entry (usually 1 for audit events) |
Please refer to the follow-on sections to see the event- and hook-specific data that is returned.
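The following script is an added example and is not part of the ownCloud documentation or of the admin_audit app. It reads the one-JSON-object-per-line file that the 'log.conditions' setting above produces, skips malformed lines instead of aborting, and answers the questions a reviewer typically asks of this log: which user performed which action, which events were CLI-triggered (the ones 'ignore_cli_events' would suppress), what happened inside a time window, and which events touch a given group. The log lines are constructed for this example. The field names used for the minimum fields (action, user, remoteAddr, url, method, userAgent, time, app, message, CLI, level) are assumptions derived from the column descriptions above, since the Setting column is not reproduced here; only auditUsers and auditGroups are named by the text itself. The filter_groups function mirrors the 'admin_audit.groups' option from the Grouped Logging section.

```python
"""Reviewer helpers for an ownCloud admin_audit.log (one JSON event per line).

Added example; not part of the ownCloud documentation or the admin_audit app.
Field names other than auditUsers/auditGroups are assumptions derived from the
column descriptions of the minimum field set.
"""
import json
from collections import Counter
from datetime import datetime

# Constructed sample log: values are invented for this example. Line 4 is a
# non-audit core log line, line 5 is deliberately malformed.
SAMPLE_LOG = """\
{"remoteAddr":"203.0.113.10","user":"alice","url":"/remote.php/dav/files/alice/report.pdf","method":"DELETE","userAgent":"Mozilla/5.0","time":"2018-05-08T08:26:00+00:00","app":"admin_audit","message":"alice deleted report.pdf","action":"file_delete","CLI":false,"level":1,"auditUsers":["alice"],"auditGroups":["finance","staff"]}
{"remoteAddr":"203.0.113.10","user":"alice","url":"/ocs/v2.php/apps/files_sharing/api/v1/shares","method":"POST","userAgent":"Mozilla/5.0","time":"2018-05-08T08:27:10+00:00","app":"admin_audit","message":"alice created a public link","action":"public_link_created","CLI":false,"level":1,"auditUsers":["alice"],"auditGroups":["finance","staff"]}
{"remoteAddr":"","user":"CLI","url":"","method":"","userAgent":"","time":"2018-05-08T08:30:00+00:00","app":"admin_audit","message":"role of bob in custom group finance changed","action":"custom_group_user_role_changed","CLI":true,"level":1,"auditUsers":["bob"],"auditGroups":["admin","staff"]}
{"reqId":"abc123","level":3,"time":"2018-05-08T08:31:00+00:00","app":"core","message":"not an audit event"}
{"truncated line that is not valid JSON
"""


def parse_audit_log(text):
    """Return (events, malformed_count).

    Only events whose 'app' field is 'admin_audit' are kept (the page states
    this field is always 'admin_audit' for audit entries); malformed lines are
    counted rather than aborting the scan, so one bad write does not hide the
    rest of the file.
    """
    events, malformed = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if event.get("app") != "admin_audit":
            continue
        events.append(event)
    return events, malformed


def filter_groups(groups, configured):
    """Mirror of the 'admin_audit.groups' option: an empty filter outputs all
    of the user's groups, otherwise only the configured ones, in log order."""
    if not configured:
        return list(groups)
    wanted = set(configured)
    return [g for g in groups if g in wanted]


def actions_by_user(events):
    """Count events per (user, action) pair."""
    return Counter((e.get("user"), e.get("action")) for e in events)


def cli_events(events):
    """Events performed from the CLI (what 'ignore_cli_events' would drop)."""
    return [e for e in events if e.get("CLI") is True]


def events_in_window(events, start_iso, end_iso):
    """Events whose 'time' (ISO 8601 with offset) falls inside [start, end]."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return [e for e in events if start <= datetime.fromisoformat(e["time"]) <= end]


def events_touching_group(events, group):
    """Events whose auditGroups list (the audit context) contains the group."""
    return [e for e in events if group in e.get("auditGroups", [])]


def summarize(events):
    """Sorted 'user: action xN' lines for a quick review."""
    return [f"{user}: {action} x{count}"
            for (user, action), count in sorted(actions_by_user(events).items())]


if __name__ == "__main__":
    parsed, bad = parse_audit_log(SAMPLE_LOG)
    print(f"{len(parsed)} audit events, {bad} malformed line(s)")
    for line in summarize(parsed):
        print(line)
```

To run it against a real instance, replace SAMPLE_LOG with the contents of the file configured under 'logfile' (for example `open('/var/www/owncloud/data/admin_audit.log').read()`); the per-group helper is only meaningful if the audited users' groups were not filtered away by 'admin_audit.groups'.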
Comments
All comment events have the same data:
Setting | Type | Description |
---|---|---|
| | string | The comment identifier. |
| | string | The path to the file that the comment is attached to. |
| | string | The file identifier. |
Custom Groups
custom_group_member_removed
Setting | Type | Description |
---|---|---|
| | string | The UID of the user that was removed from the group. |
| | string | The custom group name. |
| | integer | The custom group id. |
custom_group_user_left
Setting | Type | Description |
---|---|---|
| | string | The UID of the user that left the group. |
| | string | The custom group name. |
| | integer | The custom group id. |
custom_group_user_role_changed
Setting | Type | Description |
---|---|---|
| | string | The UID of the user whose role changed. |
| | string | The custom group name. |
| | integer | The custom group id. |
| | integer | The new role number. |
File Lifecycle
Requires at least version 1.0.0.
lifecycle_archived
Setting | Type | Description |
---|---|---|
| | string | The path to the file that was archived |
| | string | The UID of the owner of the file that was deleted |
| | integer | The file ID for the file that was archived |
Files
file_create
Setting | Type | Description |
---|---|---|
| | string | The full path to the created file. |
| | string | The UID of the owner of the file. |
| | string | The newly created file's identifier. |
file_read
Setting | Type | Description |
---|---|---|
| | string | The full path to the file. |
| | string | The UID of the owner of the file. |
| | string | The file's identifier. |
file_update
Setting | Type | Description |
---|---|---|
| | string | The full path to the updated file. |
| | string | The UID of the owner of the file. |
| | string | The updated file's identifier. |
file_delete
Setting | Type | Description |
---|---|---|
| | string | The full path to the updated file. |
| | string | The UID of the owner of the file. |
| | string | The updated file's identifier. |
file_copy
Setting | Type | Description |
---|---|---|
| | string | The full path to the source file. |
| | string | The full path to the new file. |
| | string | The UID of the owner of the source file. |
| | string | The UID of the owner of the file. |
| | string | The source file's identifier. |
| | string | The new file's identifier. |
file_rename
Setting | Type | Description |
---|---|---|
| | string | The original file path. |
| | string | The new file path. |
| | string | The file's identifier. |
file_trash_delete
Setting | Type | Description |
---|---|---|
| | string | The UID of the owner of the file. |
| | string | The full path to the deleted file. |
file_trash_restore
Setting | Type | Description |
---|---|---|
| | string | The UID of the owner of the file. |
| | string | The restored file's identifier. |
| | string | The original path to the file. |
| | string | The new path to the file. |
| | string | The UID of the owner of the file. |
Impersonate
Sharing
Sharing events come with a default set of fields:
Setting | Type | Description |
---|---|---|
| | string | The file identifier for the item shared. |
| | string | The UID of the owner of the shared item. |
| | string | The path to the shared item. |
| | string | The sharing identifier. It is not available for |
file_shared
Setting | Type | Description |
---|---|---|
| | string | |
| | string | The text expiration date in format: |
| | boolean | If the share is password protected. |
| | string | The permissions string, e.g. "READ" |
| | string | |
| | string | The UID or GID of the share recipient (not available for public links). |
| | string | The UID of the share owner. |
| | string | For link shares the unique token, else null |
file_unshared
Setting | Type | Description |
---|---|---|
| | string | |
| | string | |
| | string | The UID or GID of the share recipient. |
share_permission_update
Setting | Type | Description |
---|---|---|
| | string | |
| | string | |
| | string | The UID of the share owner. |
| | string | The new permissions string, e.g. "READ" |
| | string | The UID or GID of the share recipient (not available for public links). |
| | string | The old permissions string, e.g. "READ" |
share_name_updated
Setting | Type | Description |
---|---|---|
| | string | The previous share name. |
| | string | The updated share name. |
share_password_updated
Setting | Type | Description |
---|---|---|
| | string | |
| | string | The UID of the share owner. |
| | string | The full permissions string, e.g. "READ" |
| | string | The share token. |
| | boolean | If the share is password protected. |
share_expiration_date_updated
Setting | Type | Description |
---|---|---|
| | string | |
| | string | |
| | string | The UID of the owner of the share. |
| | string | The permissions string, e.g. "READ" |
| | string | The new text expiration date in format: |
| | string | The old text expiration date in format: |
share_accepted
Setting | Type | Description |
---|---|---|
| | string | |
| | string | The path of the shared item. |
| | string | The UID of the owner of the shared item. |
| | string | The file identifier for the item shared. |
| | string | The sharing identifier. This is not available for public_link_accessed. |
| | string | |
share_declined
Setting | Type | Description |
---|---|---|
| | string | |
| | string | The path of the shared item. |
| | string | The UID of the owner of the shared item. |
| | string | The file identifier for the item shared. |
| | string | The sharing identifier. This is not available for public_link_accessed. |
| | string | |
federated_share_received
Setting | Type | Description |
---|---|---|
| | string | The path of the shared item |
| | string | The target user who sent the item |
| | string | |
federated_share_accepted
Setting | Type | Description |
---|---|---|
| | string | The path of the shared item |
| | string | The target user who sent the item |
| | string | |
federated_share_declined
Setting | Type | Description |
---|---|---|
| | string | The path of the shared item |
| | string | The target user who sent the item |
| | string | |
SMB ACL
before_set_acl
Setting | Type | Description |
---|---|---|
| | string | The user who is trying to set the ACL |
| | string | The ownCloud instance path |
| | string | The SMB path |
| | array | The descriptor array. It contains the following keys: |
after_set_acl
Setting | Type | Description |
---|---|---|
| | string | The user who is trying to set the ACL |
| | string | The ownCloud instance path |
| | string | The SMB path |
| | array | The descriptor array. It contains the following keys: |
Tags
User Preference
update_user_preference_value
Setting | Type | Description |
---|---|---|
| | string | The key |
| | string | The value associated with the key |
| | string | The name of the app |
| | string | The UID of the user who has the preference key-value for the app. |
user_preference_set
Setting | Type | Description |
---|---|---|
| | string | The key |
| | string | The value associated with the key |
| | string | The name of the app |
| | string | The UID of the user who has the preference key-value for the app. |
remove_user_preference_key
Setting | Type | Description |
---|---|---|
| | string | The key |
| | string | The name of the app |
| | string | The UID of the user whose preference key is deleted for the app. |