How to extract information about 401 unauthorised user records from Bamboo server logs

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.

Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

There may be occasions when it is necessary to obtain a list of unauthorised users due to incorrect login credentials for auditing or other purposes. This KB describes how to extract 401 unauthorised user access records from Bamboo server logs.

Environment

This has been tested on Bamboo 9.6.4 but it is applicable for other supported version of Bamboo

Solution

The login information and rest API request information can be obtained by grepping with the pattern AccessLogFilter from the <Bamboo-Home>/logs/atlassian-bamboo-access.log files (which contain IP address/user details). The following is an example Bamboo access log:

root@0a29ef90f34d:/var/atlassian/application-data/bamboo/logs# grep -i 'AccessLogFilter' atlassian-bamboo-access.log
2023-07-20 12:33:12,150 INFO [http-nio-8085-exec-7] [AccessLogFilter] admin POST https://linux-47255.prod.atl-cd.net/bamboo/admin/addLog4jEntry.action 1084321kb
2023-07-20 12:33:12,424 INFO [http-nio-8085-exec-10] [AccessLogFilter] admin GET https://linux-47255.prod.atl-cd.net/bamboo/admin/configLog4j.action 1048969kb
2023-07-20 12:33:13,587 INFO [http-nio-8085-exec-16] [AccessLogFilter] admin GET https://linux-47255.prod.atl-cd.net/bamboo/rest/troubleshooting/1.0/check/admin?_=1689856393033 1013273kb
2023-07-20 12:33:33,225 INFO [http-nio-8085-exec-17] [AccessLogFilter] 172.50.0.3 POST https://linux-47255.prod.atl-cd.net/bamboo/userLogout.action 1010340kb
2023-07-20 12:33:33,521 INFO [http-nio-8085-exec-15] [AccessLogFilter] 172.50.0.3 GET https://linux-47255.prod.atl-cd.net/bamboo/start.action 967962kb
2023-07-20 12:33:33,918 INFO [http-nio-8085-exec-19] [AccessLogFilter] 172.50.0.3 POST https://linux-47255.prod.atl-cd.net/bamboo/rest/webResources/1.0/resources 958604kb
2023-07-20 12:33:35,089 INFO [http-nio-8085-exec-21] [AccessLogFilter] 172.50.0.3 GET https://linux-47255.prod.atl-cd.net/bamboo/userlogin!doDefault.action 958209kb
 878856kb


This can be obtained by grepping for the pattern DefaultAuthenticator in the <Bamboo-Home>/logs/atlassian-bamboo.log files for the user's authentication information, as seen below:

root@0a29ef90f34d:/var/atlassian/application-data/bamboo/logs# grep -i 'DefaultAuthenticator' atlassian-bamboo.log 
2023-07-20 12:33:41,845 INFO [http-nio-8085-exec-4] [DefaultAuthenticator] login : 'admin' could not be authenticated with the given password


For more Debug logs:

Enable debugging for the following classpaths to have Bamboo log more debug logs about login attempts so that you may check the failed login attempts and related user and IP address details:

com.atlassian.bamboo.user.authentication.BambooElevatedSecurityGuard, type All
com.atlassian.bamboo.filter.AccessLogFilter, type DEBUG

After enabling debugging and observing the issue again, grep with the pattern BambooElevatedSecurityGuard from the most recent <Bamboo-home>/logs/atlassian-bamboo.log file and it will provide more information about unsuccessful login attempts, as shown in the sample below:

2023-07-20 12:33:41,845 TRACE [http-nio-8085-exec-4] [BambooElevatedSecurityGuard] Failed login attempt, userName=admin, IP=172.50.0.3
2023-07-20 12:34:20,774 INFO [http-nio-8085-exec-11] [DefaultAuthenticator] login : 'admin' could not be authenticated with the given password
2023-07-20 12:34:20,774 WARN [http-nio-8085-exec-11] [DefaultAuthenticator] login : 'admin' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2023-07-20 12:34:20,775 INFO [http-nio-8085-exec-11] [BambooAuthenticator] Finished doing authentication checks for admin, took 32.88 ms
2023-07-20 12:34:20,775 TRACE [http-nio-8085-exec-11] [BambooElevatedSecurityGuard] Failed login attempt, userName=admin, IP=172.50.0.3


Debug logs for the enabled classpath com.atlassian.bamboo.filter.AccessLogFilter can be found in the atlassian-bamboo-access.log files, as shown below:

2023-07-20 13:20:06,963 INFO [http-nio-8085-exec-11] [AccessLogFilter] 172.50.0.3 POST https://linux-47255.prod.atl-cd.net/bamboo/userlogin.action 1618958kb
2023-07-20 13:20:07,087 DEBUG [http-nio-8085-exec-11] [AccessLogFilter] END: 200 172.50.0.3 POST https://linux-47255.prod.atl-cd.net/bamboo/userlogin.action 1618958kb-10743kb 124ms




Last modified on Mar 3, 2025

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.