How to Send Bitbucket audit logs to another appender

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

  • In Bitbucket 7.0, audit logging changed.

  • As part of that change, the following conditional was added to logback-spring.xml:

    <springProperty scope="context" name="enableLegacyAuditLog" source="audit.legacy.log" defaultValue="false"/>
    <if condition='property("enableLegacyAuditLog").equals("true")'>
        <then>
            <appender name="bitbucket.auditlog" class="ch.qos.logback.core.rolling.RollingFileAppender">
                <encoder>
                    <charset>UTF-8</charset>
                    <pattern>%m%n</pattern>
                </encoder>
                <file>${log.dir}/audit/atlassian-bitbucket-audit.log</file>
                <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
                    <fileNamePattern>${log.dir}/audit/atlassian-bitbucket-audit-%d.%i.log.gz</fileNamePattern>
                    <maxFileSize>25MB</maxFileSize>
                    <maxHistory>100</maxHistory>
                </rollingPolicy>
            </appender>

            <!-- Enable audit logging and direct it to its own separate appender if it is enabled -->
            <logger name="bitbucket.audit-log" level="DEBUG" additivity="true">
                <appender-ref ref="bitbucket.auditlog"/>
            </logger>
        </then>
    </if>

  • This conditional checks whether legacy audit logging is enabled; if so, Bitbucket reverts to writing to the log file specified in the appender definition.

Environment

7.0 and up

Solution

  • Audit logs can be written to SYSLOG by adding changes inside the conditional and setting the facility to USER instead of the standard AUTH value, e.g.:

    <springProperty scope="context" name="enableLegacyAuditLog" source="audit.legacy.log" defaultValue="false"/>
    <if condition='property("enableLegacyAuditLog").equals("true")'>
        <then>
            <appender name="bitbucket.auditlog" class="ch.qos.logback.core.rolling.RollingFileAppender">
                <encoder>
                    <charset>UTF-8</charset>
                    <pattern>%m%n</pattern>
                </encoder>
                <file>${log.dir}/audit/atlassian-bitbucket-audit.log</file>
                <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
                    <fileNamePattern>${log.dir}/audit/atlassian-bitbucket-audit-%d.%i.log.gz</fileNamePattern>
                    <maxFileSize>25MB</maxFileSize>
                    <maxHistory>100</maxHistory>
                </rollingPolicy>
            </appender>

            <appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
                <syslogHost>172.28.128.103</syslogHost>
                <facility>USER</facility>
                <port>514</port>
                <suffixPattern>[%thread] %logger %msg</suffixPattern>
            </appender>

            <!-- Enable audit logging and direct it to its own separate appender if it is enabled -->
            <logger name="bitbucket.audit-log" level="DEBUG" additivity="true">
                <appender-ref ref="bitbucket.auditlog"/>
                <appender-ref ref="SYSLOG"/>
            </logger>
        </then>
    </if>

  • Legacy audit logging must be enabled by adding the following to the $BITBUCKET_HOME/shared/bitbucket.properties file:

    audit.legacy.log=true

  • Audit events are written to SYSLOG during startup:

    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186185 | com.atlassian.prettyurls.atlassian-pretty-urls-plugin | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186192 | com.atlassian.soy.soy-template-plugin | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186200 | com.atlassian.stash.plugins.stash-remote-event-bitbucket-server-spi | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186244 | com.atlassian.troubleshooting.plugin-bitbucket | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186251 | com.atlassian.webhooks.atlassian-webhooks-plugin | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186252 | com.springsource.net.jcip.annotations-1.0.0 | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186259 | tac.bitbucket.languages.de_DE | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186269 | tac.bitbucket.languages.fr_FR | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186286 | tac.bitbucket.languages.ja_JP | - | - | -
    Apr 29 13:35:16 vagrant systemd-networkd[1591]: eth1: DHCP: No routes received from DHCP server: No data available

  • Audit events are also written when an operation in the BASE audit scope, such as creating or deleting a user, is performed:

    Apr 29 13:42:28 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log 172.28.128.1 | User deleted | nhansberry | 1619703748024 | test | - | - | -

  • During testing, adding the appenders outside the conditional did not work and legacy audit logging had to be enabled in the properties file.
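
On the syslog receiver, the forwarded lines can be parsed and filtered for account changes. The following is an added example, not Atlassian code: the field names and the watch list are assumptions inferred from the sample output above, and it assumes the receiver stores lines in the same shape as that output.

```python
import re
from datetime import datetime, timezone

# Line shape produced by the suffixPattern "[%thread] %logger %msg" above:
# "<syslog time> <host> [<thread>] bitbucket.audit-log <pipe-separated message>"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) "
    r"\[(?P<thread>[^\]]+)\] bitbucket\.audit-log (?P<msg>.*)$"
)
# Assumed field names, inferred from the sample lines (not an Atlassian schema).
FIELDS = ("source_ip", "action", "user", "epoch_ms", "object", "f6", "f7", "f8")
# Hypothetical watch list; only "User deleted" appears in the page's output.
WATCHED_ACTIONS = {"User deleted"}

def parse_audit_line(line):
    """Return a dict for a legacy audit line, or None if the line does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = [p.strip() for p in m.group("msg").split("|")]
    if len(parts) != len(FIELDS) or not parts[3].isdigit():
        return None  # unexpected field count or non-numeric timestamp
    event = dict(zip(FIELDS, parts))
    event["host"] = m.group("host")
    # The fourth field is epoch milliseconds; whole seconds are enough here.
    event["time_utc"] = datetime.fromtimestamp(int(parts[3]) // 1000, tz=timezone.utc)
    return event

def triage(lines):
    """Split lines into parsed events, watched events, and unparsed lines."""
    events, flagged, unparsed = [], [], []
    for line in lines:
        event = parse_audit_line(line)
        if event is None:
            unparsed.append(line)
            continue
        events.append(event)
        if event["action"] in WATCHED_ACTIONS and event["user"] != "System":
            flagged.append(event)
    return events, flagged, unparsed

# Sample input: three lines copied from the output shown on this page.
SAMPLE = [
    "Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186185 | com.atlassian.prettyurls.atlassian-pretty-urls-plugin | - | - | -",
    "Apr 29 13:42:28 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log 172.28.128.1 | User deleted | nhansberry | 1619703748024 | test | - | - | -",
    "Apr 29 13:35:16 vagrant systemd-networkd[1591]: eth1: DHCP: No routes received from DHCP server: No data available",
]

if __name__ == "__main__":
    for e in triage(SAMPLE)[1]:
        print(e["time_utc"].isoformat(), e["source_ip"], e["action"], e["user"], e["object"])
```

The embedded epoch-millisecond field gives an unambiguous UTC time, which the year-less syslog prefix does not.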

Updated on March 24, 2025
