In my company, someone upload file which contents many private data. File is deleted now, but I need to know who and when downloaded this file. Do you have any clues how can I check this? I am using plone 4.2.4
Take a look at your webserver's log, it is called the access log.
Normally this file is rotated, so there will probably be file called access.log.1 or access.log.4.gz
Plone also has Z2.log files within your instance's var folder if you're not
behind a webserver.
But the logs do not contain any kind of user information.
http://path/to/folder/or/file/manage_UndoForm will have log of transactions. It will likely not tell you who downloaded the file as downloads are not necessarily transactions. But it will tell you who uploaded the file and made changes to it, if any.
You can use the undo or a backup to find info about who uploaded. On download, you've to match the ip from the web server log (or the webcache log) with logged users (also in the undo). When downloading, there's no transaction done for performance reasons.
I tried to use /manage_UndoForm, but all folder is deleted now. I searched Z2 log files, and I saw that it was downloaded but only one IP address occured. Unfortunately I do not have access to webserver's log, I asked for them.
It was IP addres from server which is using Apache. If I know when someone download this file, can I check who it was?
For past events the web-server log is probably the best source.
For future investigations collective.fingerpointing helps here. I have a customer with highly confidential data where every access needs to get logged. collective.fingerpointing does not log access by default (only create, modify and delete and a bit more). But it can be enhanced to log anything, i.e. on traversal.
Is it possible that google analytics have some information (if you use analytics)
Usually, you cannot determine the user.
The web server log could in principle also log user information; however, only when it understands the authentication information. This is typically not the case for Plone's authentication cookies.
Same applies to the Z2.log, even though this is written inside Zope. The ZServer component which writes those log entries, is not integrated with the authentication component (I have written a local extension to change this).
I have not much hope that you will be able to determine who has downloaded the sensible file.