Admin audit: Log content of deleted folder #57448
Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
When deleting a folder containing many files via the Nextcloud UI, the Admin Audit log (admin_audit) logs only a single DELETE action for the folder itself, and does not log DELETE actions for the contained files.
However, deleting the same files individually generates one DELETE entry per file as expected.
This makes it impossible to reliably monitor or alert on mass deletions using admin_audit, since large folder deletions are undercounted dramatically (e.g. deleting a folder containing 500 files produces only 1 DELETE log entry).
This was reproduced on Nextcloud AIO (Apache container) by observing /var/www/html/data/audit.log and in Loki/Grafana queries of the audit log stream.
Steps to reproduce
Steps to reproduce
Create a folder in Nextcloud (example: BulkDeleteTest).
Upload and extract a zip containing 500 files into that folder (e.g. file_0001.txt … file_0500.txt).
Delete the entire folder BulkDeleteTest in the Nextcloud UI.
Check the audit log (admin_audit) entries:
Inside container:
docker exec -it nextcloud-aio-apache sh -lc 'tail -n 200 /var/www/html/data/audit.log'
Or via Loki/Grafana query for admin_audit DELETE actions.
(Optional verification)
5. Repeat the test by deleting the 500 files individually (without deleting the folder) and compare the audit log entries.
Expected behavior
Expected behavior
If a folder containing many files is deleted, the audit logs should reflect the deletion of its contents as well.
For example:
Deleting 500 files individually should produce 500 DELETE audit log entries (this currently works).
Deleting the folder containing those 500 files should produce 501 DELETE audit log entries (500 files + 1 folder), or at minimum include individual file delete records.
This is important for monitoring/alerting mass deletions accurately.
Actual behavior
When deleting the folder containing 500 files, only one DELETE audit log entry is written (the folder delete action), and none of the contained files are logged as deleted individually.
This causes dashboards and alerts based on DELETE actions to undercount dramatically.
Example: deleting a folder containing 500 files is logged as 1 delete, but deleting those same 500 files individually is logged as 500 deletes.
Nextcloud Server version
31
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.3
Web server
Apache (supported)
Database engine version
PostgreSQL
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
{
"system": {
"one-click-instance": true,
"one-click-instance.user-limit": 100,
"memcache.local": "\\OC\\Memcache\\APCu",
"apps_paths": [
{
"path": "\/var\/www\/html\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/www\/html\/custom_apps",
"url": "\/custom_apps",
"writable": true
}
],
"check_data_directory_permissions": false,
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"password": "***REMOVED SENSITIVE VALUE***",
"port": 6379
},
"overwritehost": "nc.origon.no",
"overwriteprotocol": "https",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"localhost",
"nc.origon.no"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "pgsql",
"version": "31.0.9.1",
"overwrite.cli.url": "https:\/\/nc.origon.no\/",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"instanceid": "***REMOVED SENSITIVE VALUE***",
"maintenance": false,
"updatedirectory": "\/nc-updater",
"loglevel": 1,
"app_install_overwrite": [
"nextcloud-aio"
],
"log_type": "file",
"logfile": "\/var\/www\/html\/data\/nextcloud.log",
"log_rotate_size": 10485760,
"log.condition": {
"apps": [
"admin_audit"
]
},
"preview_max_x": 2048,
"preview_max_y": 2048,
"jpeg_quality": 60,
"enabledPreviewProviders": {
"1": "OC\\Preview\\Image",
"2": "OC\\Preview\\MarkDown",
"3": "OC\\Preview\\MP3",
"4": "OC\\Preview\\TXT",
"5": "OC\\Preview\\OpenDocument",
"6": "OC\\Preview\\Movie",
"7": "OC\\Preview\\Krita"
},
"enable_previews": true,
"upgrade.disable-web": true,
"mail_smtpmode": "smtp",
"trashbin_retention_obligation": "auto, 30",
"versions_retention_obligation": "auto, 30",
"activity_expire_days": 30,
"simpleSignUpLink.shown": false,
"share_folder": "\/Shared",
"one-click-instance.link": "https:\/\/nextcloud.com\/all-in-one\/",
"upgrade.cli-upgrade-link": "https:\/\/github.com\/nextcloud\/all-in-one\/discussions\/2726",
"maintenance_window_start": 100,
"allow_local_remote_servers": true,
"davstorage.request_timeout": 7200,
"documentation_url.server_logs": "https:\/\/github.com\/nextcloud\/all-in-one\/discussions\/5425",
"htaccess.RewriteBase": "\/",
"dbpersistent": false,
"auth.bruteforce.protection.enabled": true,
"ratelimit.protection.enabled": true,
"files_external_allow_create_new_local": false,
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"updatenotification_admin_only": true,
"updatechecker": false,
"mail_sendmailmode": "smtp",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "587",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtpauth": true,
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"activity_use_cached_mountpoints": false
}
}List of activated Apps
Enabled:
- activity: 4.0.0
- admin_audit: 1.21.0
- auto_groups: 1.6.2
- bruteforcesettings: 4.0.0
- calendar: 5.5.7
- circles: 31.0.0
- cloud_federation_api: 1.14.0
- comments: 1.21.0
- contacts: 7.3.4
- contactsinteraction: 1.12.0
- dashboard: 7.11.0
- dav: 1.33.0
- deck: 1.15.3
- federatedfilesharing: 1.21.0
- federation: 1.21.0
- files: 2.3.1
- files_downloadlimit: 4.0.0
- files_pdfviewer: 4.0.0
- files_reminders: 1.4.0
- files_sharing: 1.23.1
- files_trashbin: 1.21.0
- files_versions: 1.24.0
- firstrunwizard: 4.0.0
- groupfolders: 19.1.8
- logreader: 4.0.0
- lookup_server_connector: 1.19.0
- nextcloud-aio: 0.8.0
- notes: 4.12.3
- notify_push: 1.2.1
- oauth2: 1.19.1
- password_policy: 3.0.0
- photos: 4.0.0
- privacy: 3.0.0
- profile: 1.0.0
- provisioning_api: 1.21.0
- recommendations: 4.0.0
- related_resources: 2.0.0
- serverinfo: 3.0.0
- settings: 1.14.0
- sharebymail: 1.21.0
- support: 3.0.0
- survey_client: 3.0.0
- systemtags: 1.21.1
- tasks: 0.17.0
- text: 5.0.0
- theming: 2.6.1
- twofactor_backupcodes: 1.20.0
- twofactor_totp: 13.0.0-dev.0
- user_saml: 7.0.0
- user_status: 1.11.0
- viewer: 4.0.0
- weather_status: 1.11.0
- webhook_listeners: 1.2.0
- workflowengine: 2.13.0
Disabled:
- app_api: 5.0.2 (installed 5.0.2)
- encryption: 2.19.0
- files_external: 1.23.0
- nextcloud_announcements: 3.0.0 (installed 3.0.0)
- notifications: 4.0.0 (installed 4.0.0)
- suspicious_login: 9.0.1
- twofactor_nextcloud_notification: 5.0.0
- updatenotification: 1.21.0 (installed 1.21.0)
- user_ldap: 1.22.0Nextcloud Signing status
No integrity check failures.Nextcloud Logs
Additional info
Deployment: Nextcloud AIO on Proxmox VE host (kernel 6.8.12-9-pve), running Ubuntu 22.04.5 LTS VM (nextcloud-aio)
Server version: 31.0.9.1
Audit log file: /var/www/html/data/audit.log
Monitoring: Loki + Grafana ingesting audit log
Observed that deleting files individually produces one audit entry per file, but deleting a parent folder produces only one audit entry.