
How to view logs and restrict access to logs in MediaWiki

MediaWiki has various logs which keep track of all the performed actions on the site. Each log registers and keeps history of a particular action. For example, the delete log shows a list of all page deletions (and restorations).

View and Access Logs

By default, all users can view almost all of the logs (with the exception of the suppress log). To do this, go to Tools menu > Special pages button > Recent changes and logs section > Logs button. On the page that opens there's a drop-down menu from which you can select a specific log; then click on the Go button. There are also some other filtering options; for example, you can select a certain time period.

You can also access the page for viewing logs by opening its URL address directly. Just add Special:Log to the main URL of your site. For example, if your site is accessible at yourdomain.com, then open yourdomain.com/index.php/Special:Log.

Restrict Access to Logs

If you want to, you can restrict access to specific logs. This is not done from the frontend of the site. Like many other things, it is done by modifying the LocalSettings.php file of your MediaWiki application. Add the option $wgLogRestrictions with the name of the log to which you want to restrict access and a user permission. The following syntax is used:

$wgLogRestrictions['name-of-log'] = 'name-of-permission';

Of course, you have to replace name-of-log with the actual log's name and name-of-permission with the particular permission. Only users that belong to a user group with that permission will be able to access the log. For this purpose you can either use a permission that already exists and is assigned to the user groups to which you want to give access, or you can create a new permission and use that. You can assign the new permission to existing groups or create new ones.

For example, by adding the following line at the end of LocalSettings.php:

$wgLogRestrictions['tag'] = 'delete';

only users who have the delete right will be able to access the log that shows the list of tags that have been added/removed by users. By default, all registered users have the delete permission, so the log will not be accessible to anonymous users.

As we mentioned, you can create a specific right, add it to one or more user groups and then use that right to restrict access to logs. For example, by adding the following lines to LocalSettings.php:

$wgGroupPermissions['sysop']['restricted-logs'] = true;
$wgLogRestrictions['rights'] = 'restricted-logs';
$wgLogRestrictions['import'] = 'restricted-logs';

the user right restricted-logs will be created and assigned to the sysop group (that's the group of the administrators); this is done with the first line. Then the second line restricts access to the log for viewing changes to user group membership (rights log), so that only users with the restricted-logs right can view it, and the third line does the same but for the log for listing imported pages.
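
The following audit script is an added example, not part of the original article or of MediaWiki: it reads LocalSettings.php-style text and reports, for each $wgLogRestrictions entry, which groups are granted the required right in that same text. It only sees assignments in the text it is given (defaults from DefaultSettings.php are not considered); the sample settings and the view-tags right are constructed for illustration.

```python
import re

# Constructed sample LocalSettings.php fragment (not taken from a real site).
SAMPLE = """
$wgGroupPermissions['sysop']['restricted-logs'] = true;
$wgGroupPermissions['bureaucrat']['restricted-logs'] = true;
$wgGroupPermissions['bureaucrat']['restricted-logs'] = false;
$wgGroupPermissions['user']['view-tags'] = true;
$wgLogRestrictions['rights'] = 'restricted-logs';
$wgLogRestrictions['import'] = 'restricted-logs';
$wgLogRestrictions['tag'] = 'view-tags';
$wgLogRestrictions['suppress'] = 'suppressionlog';
# $wgLogRestrictions['delete'] = 'restricted-logs';
"""

GRANT = re.compile(
    r"""^\s*\$wgGroupPermissions\[['"]([^'"]+)['"]\]\[['"]([^'"]+)['"]\]"""
    r"""\s*=\s*(true|false)\s*;""", re.I | re.M)
RESTRICT = re.compile(
    r"""^\s*\$wgLogRestrictions\[['"]([^'"]+)['"]\]\s*=\s*['"]([^'"]+)['"]\s*;""",
    re.M)
BROAD = {"*", "user"}  # everyone / every registered user

def audit(settings_text):
    """Return {log: (right, groups granted that right in this text, note)}."""
    groups_by_right = {}
    for group, right, value in GRANT.findall(settings_text):
        holders = groups_by_right.setdefault(right, set())
        # A later assignment overrides an earlier one, as it does in PHP.
        if value.lower() == "true":
            holders.add(group)
        else:
            holders.discard(group)
    report = {}
    for log, right in RESTRICT.findall(settings_text):
        groups = sorted(groups_by_right.get(right, set()))
        if not groups:
            note = "no group granted in this file"
        elif BROAD & set(groups):
            note = "broad group holds the right"
        else:
            note = "ok"
        report[log] = (right, groups, note)
    return report

if __name__ == "__main__":
    for log, (right, groups, note) in audit(SAMPLE).items():
        print(f"{log:10} {right:16} {groups} -> {note}")
```

A "no group granted in this file" result means the right must already be assigned elsewhere for anyone to see that log; a "broad group" result means the restriction only excludes users outside that group.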

Log Names

The name of the log is put in the first pair of brackets of the option $wgLogRestrictions and so you need to know the exact label of the log as defined in the code of MediaWiki. This label is not exactly the same as the corresponding name of the log that appears on the frontend.

Log names are defined with the option $wgLogTypes in the file DefaultSettings.php of your MediaWiki. The file is in the includes folder of the application. By searching for that option in the file you'll find the list with the default labels for the logs. They are:

block - the log that lists the actions performed for blocking and unblocking users.

protect - this log keeps track of the changes of the protection level of pages.

rights - lists the changes to the group membership of users.

delete - log that lists the deletions and restorations of pages.

upload - the log for uploaded files.

move - this log registers all page moves.

import - the log for page imports.

patrol - the log that keeps history of all page patrolling actions.

merge - this log registers the merges of page histories.

suppress - the suppression log lists actions related to hiding log information from administrators. In MediaWiki there's a feature with which you can give a certain user group the right to hide log information for log entries from administrators (and registered users). For example, you can hide the username of a user who deleted a particular page, as well as the name of the page. The suppression log lists the actions performed to hide log entries.

By default, this log is not accessible to anybody; it has to be specifically enabled. This is done with the option $wgLogRestrictions as shown in the previous section. Just use the name of this log and specify a user permission (and if necessary assign that permission to a user group). There's a user right specifically related to this that comes preconfigured with MediaWiki; it's labeled suppressionlog. But by default it's not assigned to any group.

tag - a log that keeps track of the adding and removal of tags performed by users to revision histories and log entries.

managetags - the tag management log registers all actions performed with tags manually (without those performed automatically by the application).

You can also find out what the label of a log is by opening that log and viewing its URL address. Go to the frontend page for the logs, select the log from the drop-down menu and open it by clicking on the Go button. Then check its URL address in the web browser. If, for example, the main address of your site is yourdomain.com, then the URL will look something like this: yourdomain.com/index.php?title=Special%3ALog&type=managetags&user=&page=&year=&month=-1. The part type=managetags shows the label of the log as defined in the code; in this case it's managetags (that's the Tag management log).
