
Logfile for user actions in the Server app?

In short:


Is it possible to retrace (follow / reproduce / track) user actions on a server via the Server app?

– – – – – – – – – –


The situation in detail:

I am running a small (6 user) Mac network with a Mac mini server and an attached RAID system. User management (permissions etc.) was set up via the Server app.


Current versions:

Mac OS X 10.9.5.

Server app 3.1.2


Is it somehow possible to see WHICH user did WHAT action WHEN? I mean:


– deleting of files / folders

– creation of files / folders

– moving of files / folders

etc.


Background of this is that we noticed some weird data deletion / movement. And – as always – no one was responsible for it.


– – – – – – – – – –


Thanks for your help!

Mathias

Posted on Jul 20, 2015 12:03 AM

6 replies

Jul 20, 2015 12:42 AM in response to Community User

You can find these entries in the AFP log in the Console.

Also you can turn it on or off:

serveradmin settings afp:loggingAttributes:logOpenFork = no
serveradmin settings afp:loggingAttributes:logCreateDir = no
serveradmin settings afp:loggingAttributes:logLogin = no
serveradmin settings afp:loggingAttributes:logLogout = no
serveradmin settings afp:loggingAttributes:logDelete = no
serveradmin settings afp:loggingAttributes:logCreateFile = no

The other trigger is "yes" instead of "no".

Peter.

Jul 20, 2015 5:32 AM in response to Community User

Peter's reply gives a more granular solution, but here is Apple's KB article on this topic: OS X Server: Enabling the AFP Server Activity log - Apple Support


However, I have to say that even with the log turned on it is almost, but not completely, useless. This is because it only logs events against an IP address. This has two problems: firstly, nearly all networks use DHCP, i.e. dynamic addresses, meaning a specific IP address may be allocated to different computers over time. Secondly, different users may use the same computer, or, due to DHCP, the same IP address over time. It is therefore almost impossible to correctly attribute an event to a specific user. There is even the much smaller but not impossible situation of one computer having two or more users on it logging in to the same server at the same time; an example would be running a Mac Terminal Server solution.


I say almost because in theory one can find the specific event, e.g. the deletion of a file, and then laboriously scroll backwards in the log to find the last login entry for the same IP address. On anything but the smallest network this involves so many log entries (thousands to hundreds of thousands) as to be totally impractical. 😟
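The backwards scroll the reply describes (find the event, then the most recent login from the same IP address) can be automated, and doing so makes the two weaknesses the reply names explicit. The script below is an added example and is not part of the thread or of Apple's tooling. Its log line format (`IP <addr> - - [timestamp] "Operation argument" ...`) is an assumption modelled on the AFP activity log, and the sample lines are constructed. An event with no open session on its IP is left unattributed (the DHCP reassignment case), and an IP with more than one open session is flagged ambiguous rather than silently blamed on one user.

```python
# Added example (not from the thread): attribute AFP activity-log events to
# users by pairing each event with the login sessions open on the same client
# IP at that moment. The line format is an ASSUMPTION modelled on the AFP
# access log; SAMPLE_LOG is constructed, not captured from a real server.
import re
from datetime import datetime

LOG_RE = re.compile(
    r'^IP (?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<op>\w+)(?: (?P<arg>[^"]*))?".*$'
)

# Constructed sample: anna works from .20 and logs out; a later delete from the
# same IP has no session behind it (DHCP handed the address to someone else).
# On .21 ben never logs out before carla logs in, so .21 has two open sessions.
SAMPLE_LOG = """\
IP 192.168.1.20 - - [20/Jul/2015:08:55:02 +0200] "Login anna" 0 0 0
IP 192.168.1.21 - - [20/Jul/2015:09:01:40 +0200] "Login ben" 0 0 0
IP 192.168.1.20 - - [20/Jul/2015:09:12:01 +0200] "Delete Projects/Q3/budget.xlsx" 0 0 0
IP 192.168.1.20 - - [20/Jul/2015:09:30:00 +0200] "Logout anna" 0 0 0
IP 192.168.1.20 - - [20/Jul/2015:10:05:15 +0200] "Delete Projects/Q3/notes.txt" 0 0 0
IP 192.168.1.21 - - [20/Jul/2015:10:06:00 +0200] "Login carla" 0 0 0
IP 192.168.1.21 - - [20/Jul/2015:10:07:30 +0200] "CreateDir Projects/Q4" 0 0 0
"""

FILE_OPS = ("Delete", "CreateFile", "CreateDir", "OpenFork")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "op": m["op"],
        "arg": m["arg"] or "",
    }


def attribute_events(log_text, ops=FILE_OPS):
    """Walk the log once, tracking open sessions per IP, and attribute each
    file operation to the user(s) logged in from that IP at the time."""
    sessions = {}  # ip -> list of user names with an open session, oldest first
    results = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        users = sessions.setdefault(ev["ip"], [])
        if ev["op"] == "Login":
            users.append(ev["arg"])
        elif ev["op"] == "Logout":
            if ev["arg"] in users:
                users.remove(ev["arg"])
        elif ev["op"] in ops:
            if not users:
                user, confidence = None, "unattributed"   # no session: IP reuse?
            elif len(users) == 1:
                user, confidence = users[0], "single-session"
            else:
                user, confidence = users[-1], "ambiguous"  # several sessions share the IP
            results.append({
                "time": ev["ts"].isoformat(),
                "ip": ev["ip"],
                "op": ev["op"],
                "path": ev["arg"],
                "user": user,
                "candidates": list(users),
                "confidence": confidence,
            })
    return results


if __name__ == "__main__":
    for r in attribute_events(SAMPLE_LOG):
        print(f"{r['time']} {r['op']:<10} {r['path']:<28} "
              f"{r['user'] or '?':<8} [{r['confidence']}] candidates={r['candidates']}")
```

Run it against a real AppleFileServiceAccess.log export by replacing SAMPLE_LOG with the file's contents; anything that lands in "unattributed" or "ambiguous" is exactly the set of events the reply says cannot be pinned on a person from this log alone, and the DHCP lease table or a second log source is needed for those.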

Jul 22, 2015 1:10 AM in response to Community User

Check out the audit(4) system. Edit audit_control(5) to add flags and naflags for file creation, modification, deletion, etc. You can then use auditreduce(1) and praudit(1) to find events specific to paths you're interested in. For example, if someone just deleted /Users/foo/somefile, you can check the current audit log to see who did it:


$ sudo auditreduce -o file="/Users/foo/somefile" /var/audit/current | praudit -x
<?xml version='1.0' encoding='UTF-8'?>
<audit>
<record version="11" event="unlink(2)" modifier="0" time="Wed Jul 22 02:30:10 2015" msec=" + 396 msec" >
<path>/Users/foo/somefile</path>
<path>/Users/foo/somefile</path>
<attribute mode="100644" uid="claudio" gid="staff" fsid="16777224" nodeid="2135749" device="0" />
<subject audit-uid="-1" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="33810" sid="100000" tid="0 0.0.0.0" />
<return errval="success" retval="0" />
</record>


Watch out, because the logs can rotate pretty quickly, so stuff that happened a few days or even a few hours back may not be in any of the current log files. You may want to add an action in audit_warn(5) to run when the log is rotated. See the example at the bottom of this FreeBSD handbook page. (FreeBSD uses the same BSM auditing system as OS X.) "Other archiving activities might include copying trail files to a centralized server, deleting old trail files, or reducing the audit trail [with auditreduce(1)] to remove unneeded records."
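To work with `praudit -x` output in bulk rather than reading it by eye, the script below (an added example, not from the reply and not part of the audit tool suite) parses that XML into records and filters them by path. The sample XML is constructed: the first record copies the unlink(2) record shown in the reply, while the second rename(2) record, its user alice and its failure result are invented. It also surfaces one detail visible in the posted record: a subject with audit-uid -1 had no audit session identity of its own, so its uid names the process that made the call (here root), not necessarily the person behind it.

```python
# Added example (not from the thread): parse the XML emitted by `praudit -x`
# and pick out the records that touch a given path. SAMPLE_PRAUDIT_XML is
# constructed: record 1 is the unlink(2) record posted in the reply, record 2
# (rename(2), user "alice", permission failure) is invented for contrast.
import xml.etree.ElementTree as ET

SAMPLE_PRAUDIT_XML = """<?xml version='1.0' encoding='UTF-8'?>
<audit>
<record version="11" event="unlink(2)" modifier="0" time="Wed Jul 22 02:30:10 2015" msec=" + 396 msec" >
<path>/Users/foo/somefile</path>
<path>/Users/foo/somefile</path>
<attribute mode="100644" uid="claudio" gid="staff" fsid="16777224" nodeid="2135749" device="0" />
<subject audit-uid="-1" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="33810" sid="100000" tid="0 0.0.0.0" />
<return errval="success" retval="0" />
</record>
<record version="11" event="rename(2)" modifier="0" time="Wed Jul 22 02:31:05 2015" msec=" + 12 msec" >
<path>/Users/foo/other</path>
<path>/Users/foo/other.bak</path>
<subject audit-uid="alice" uid="alice" gid="staff" ruid="alice" rgid="staff" pid="33901" sid="100002" tid="0 0.0.0.0" />
<return errval="failure : Permission denied" retval="-1" />
</record>
</audit>
"""


def parse_praudit_xml(text):
    """Turn praudit -x output into a list of flat record dicts."""
    root = ET.fromstring(text.encode("utf-8"))  # bytes: lets expat honour the XML declaration
    records = []
    for rec in root.iter("record"):
        subj = rec.find("subject")
        ret = rec.find("return")
        records.append({
            "event": rec.get("event"),
            "time": rec.get("time"),
            "paths": [p.text for p in rec.findall("path")],
            "subject_uid": subj.get("uid") if subj is not None else None,
            "audit_uid": subj.get("audit-uid") if subj is not None else None,
            "pid": subj.get("pid") if subj is not None else None,
            "errval": ret.get("errval") if ret is not None else None,
            "success": ret is not None and ret.get("errval") == "success",
        })
    return records


def records_for_path(records, path):
    """Records in which the given path appears as any of the path tokens."""
    return [r for r in records if path in r["paths"]]


def describe(record):
    """One-line summary; flags subjects that carry no audit identity."""
    note = ""
    if record["audit_uid"] == "-1":
        note = " (no audit identity: uid names the process, not necessarily a person)"
    status = "ok" if record["success"] else f"FAILED: {record['errval']}"
    return (f"{record['time']} {record['event']} {record['paths']} "
            f"by {record['subject_uid']} pid={record['pid']}{note} -> {status}")


if __name__ == "__main__":
    recs = parse_praudit_xml(SAMPLE_PRAUDIT_XML)
    for r in records_for_path(recs, "/Users/foo/somefile"):
        print(describe(r))
    for r in recs:
        if not r["success"]:
            print("denied:", describe(r))
```

Feed it real data with `sudo auditreduce -o file="/path" /var/audit/current | praudit -x > trail.xml` and pass the file's contents to parse_praudit_xml. For the audit trail to contain these records at all, the flags/naflags lines in audit_control(5) have to include the file classes from audit_class(5) (fc, fd and fm for file create, delete and attribute modification), which is the setup step the reply refers to.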

Nov 3, 2016 3:01 AM in response to Community User

Sorry to jump in on this thread, but I have the AFP logs enabled; however, I can only enable or activate one command at a time, so for instance only logOpenFork or logDelete shows. I can't, say, select 3 or 4 options at a time, which is odd and not overly helpful. I have deleted and recreated the logs, but still no options other than one show at a time.

Is there a way to turn on 3 or 4 at a time? Even all would be better than one user action.

Thanks, Rob

Nov 4, 2016 7:51 AM in response to rjfrost1973

For anyone else getting frustrated with aspects of AFP logs: it seems you can have all the attributes or only one attribute set. I don't know why, but as soon as you set an attribute to not be shown, that's it. The preference file com.apple.AppleFileServer.plist gets updated and you can't change it to more than one!

The only way I found to set it back to the standard (all) was to quit file sharing in the Server app, then in Logs remove the AppleFileService folder, delete the preference com.apple.AppleFileServer.plist from /Library/Preferences, then remove the Server app until its warning box is shown, then drag it back to Applications.

Turn on file sharing and all the logs will be returned to normal along with its preferences. So it seems it's all or basically nothing.. Great!
