Check log of actions the machine has performed? (NUC nextcloud server on Debian 10)
 

I'm running nextcloud (only I access it), and emby media server (again, only I access this). Yet sometimes when I'm not using it, I here the hard drive clicking as though it's reading or writing. Idk what it would be. Maybe backups but I have that set to once a week, and I hear noises nearly everyday even though I'm not using it.

Is there any log I can check to see what actions have been happening on the machine? So I can figure out what is reading and rewriting to the drive?

There are many background processes running on a Linux system (not different from Windows or any other OS, actually). I am sure Nextcloud and Emby also perform many tasks autonomously. It's quite normal to have occasional disk activity, even when you don't use them.

If you are worried, you could switch on auditing and measure all I/O-related system calls. I would start with read() and write(). Be prepared for an avalanche of data, though.

In my list of bookmarks, I have this https://www.eurovps.com/blog/importa...be-monitoring/

@berndbausch how about from a security standpoint, is there a log of attempted and successful external connections to my machine, from outside my LAN?

All these logs you are so keen to check - how do you figure they make it onto the disk(s) ?.

Oy! I would start with open() and close(). Then dig deeper once you figure what files are being accessed. Even that's overkill.

To the OP: Just because you're not doing anything on the system, the system itself is dealing with housekeeping tasks at all sorts of odd hours as defined in root's crontab or the cron* directories under /etc.

Cheers...

There is a log of attempted and successful/unsuccessful logins (might be /var/log/auth.log on Debian; /var/log/secure on Centos/RHEL), but as far as I know, not generally connections.

I could imagine that you could create your own log with a smart iptables script, but perhaps you should look into an intrusion detection system like Snort.

Or you create firewall rules that block any connection attempts from external IP addresses.

You have a point. To my defense, I think I have the right to be a lazy thinker and to let OP hammer out the details.

Good luck troubleshooting these two applications and what they are accessing.
I think emby isn't even open source? And nextcloud is a multi-purpose monster... makes me wonder why you need a separate media server... anyhow:
I think it's normal, not likely to be a security problem or any problem at all.
Just to check I put an ear to my media server and it's whirring and clicking though I'm not using it atm.