Audit Log Events in Confluence

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

This page outlines the auditing events available in Confluence Server and Data Center, and which events fall into each coverage level.

For more information about how auditing works, see Auditing in Confluence.

On this page

Definitions

Coverage area

A coverage area is a grouping of events related to a similar theme.

See definitions

Coverage area

Definition

Global configuration and administration

Logs instance or system admin activity around instance administration or configuration such as platform changes or upgrades to global settings.

User management

Logs activity around users, groups, memberships, and roles, such as adding and removing users and groups.

Permissions

Log activity around local and global permissions and configurations such as changing to anonymous access or updating group permissions.

Local configuration and administration

Logs admin activity around spaces, such as creating or deleting a space.

Security

Logs user actions related to security such as authentication, or granting access to a restricted page.

End user activity (Data Center only)

Logs end user activity on your site, such as user actions on a page (creating, editing, commenting), searching, or viewing pages.

Category

A category is a grouping of related events. Categories can belong to multiple coverage areas.

Category names change over time. You may find your audit log contains some categories not described on this page. These are usually associated with events logged prior to Confluence 7.5.

Coverage level

Coverage levels allow you to control which events are logged. Some levels are only available with a Data Center license.

See definitions


Coverage level

Definition

Off

Turns off logging for this coverage area.

Base

The lowest level of coverage. Logs only the core events. Base coverage provides a minimum level of insight into your site’s activity. If you have a Confluence Server license, this is the only coverage level available.

Advanced (Data Center only)

Logs all the events covered in Base, plus additional events.

Advanced coverage provides a more detailed record of your site’s activity.

Full (Data Center only)

The highest level of coverage available. Logs all events in Base and Advanced.

Depending on your site's activity, setting your coverage level to Full can generate a large volume of events, which can impact your database and disk space.


Global configuration and administration

Category: Global administration

Coverage levelEvents logged
BaseMail server created
Mail server deleted
Mail server edited
Max cache size changed
Licence updated
Global settings changed
Site import
Site export
Site logo changed
Favicon changed
Favicon reset to default
Custom stylesheet added
Custom stylesheet removed
Theme changed
Custom decorator modified
Color scheme modified
Color scheme type changed
Security configuration updated
AdvancedMobile apps configuration updated
Read-only mode configuration changed
Banner configuration changed
Collaborative editing mode changed
Synchrony restarted
Mail queue flushed
Mail queue: error queue re-sent
Mail queue: error queue deleted
Allowlist turned on
Allowlist turned off
Allowlist URL added
Allowlist URL removed
Allowlist URL updated
Security configuration updated
Application navigator link added
Application navigator link removed
Application navigator link updated
Scheduled job enabled
Scheduled job disabled
Scheduled job edited
Scheduled job run manually
Application link created
Application link edited
Application link removed
Rate limiting settings updated
Rate limiting exemption added
Rate limiting exemption removed
Rate limiting exemption edited
CDN configuration
FullNo events

Category: Apps

Coverage levelEvents logged
BaseApp installed
App uninstalled
App enabled
App disabled
App module enabled
App module disabled
AdvancedNo events
FullNo events

Category: Page templates

Coverage levelEvents logged
BasePage template updated
Page template created
Page template deleted
AdvancedNo events
FullNo events

User management

Category: Users and groups

Coverage levelEvents logged
BaseUser created
User deleted
User renamed
User details updated
User requested password reset
Group created
Group deleted
User added to group
User removed from group
User directory created
User directory deleted
User directory updated
AdvancedUser was invited to join site
FullNo events


Permissions

Category: Permissions

Coverage levelEvents logged
BaseSpace permission removed
Space permission added
Global permission removed
Global permission added
AdvancedNo events
FullNo events

Local configuration and administration

Category: Pages and blogs

Coverage levelEvents logged
BasePage hierarchy copy started
Page hierarchy delete started
AdvancedNo events
FullNo events

Category: Import / export

Coverage levelEvents logged
BaseSpace import
Space export
Space exported to PDF
AdvancedNo events
FullNo events

Category: Spaces

Coverage levelEvents logged
BaseSpace created
Space deleted
Space archived
Space unarchived
Space trash emptied
Space logo uploaded
Space logo enabled
Space logo disabled
Space logo deleted
Unknown update to space logo
Space configuration updated
AdvancedNo events
FullNo events

Security

Category: Auditing

Coverage levelEvents logged
BaseAudit log search performed
Audit log exported
Audit log configuration updated
AdvancedNo events
FullNo events

Category: Authentication

Coverage levelEvents logged
BaseNo events
AdvancedSecure admin access granted
Secure admin access request failed
Secure admin access dropped
User authorized external application access via OAuth tokens
User de-authorized external application access via OAuth token
User login failed*
FullUser login successful
User logout

Category: Users and groups

Coverage levelEvents logged
BaseNo events
AdvancedForgot password feature triggered
Forgot password feature triggered for unknown user
FullNo events

Category: Security

Coverage levelEvents logged
BaseNo events
Advanced

User tried to access restricted page
User requested access to restricted page
User requested access to restricted blog
Owner of the page authorized access
Owner of the blog authorized access

FullNo events

*We only track User login failed events if the authentication does not involve a redirect to an external identity provider. If a user tries to log in using SSO and fails, this event will not be logged. Most identity providers track these events in their own audit logs.

End user activity  

DATA CENTER ONLY

Category: Pages and blogs

Coverage levelEvents logged
BaseNo events
Advanced

Blog post edit restriction added
Blog post edit restriction removed
Blog post view restriction added
Blog post view restriction removed
Blog post deleted
Blog post restored
Blog post purged from trash
Blog post version deleted
Page view restriction added
Page view restriction removed
Page edit restriction added
Page edit restriction removed
Page restored
Page deleted
Page version deleted
Page purged from trash
Attachment deleted
Attachment version deleted
Comment deleted
Page moved
Blog post moved
Page shared
Blog post shared

Full

Page created
Page edited
Blog post created
Blog post edited
Comment created
Comment edited
Inline comment created
Inline comment edited
Attachment downloaded
Attachment uploaded
Search performed

Note: The Search performed event records the search terms entered in search, advanced search, and in search macros (such as Livesearch and Page Tree Search). If you don't want to collect this data you can disable this event using the audit.log.search.disabled system property

Category: Import / export

Coverage levelEvents logged
BaseNo events
AdvancedPage exported to PDF
Blog post exported to PDF
Page exported to Word
Blog post exported to Word
FullNo events


Last modified on Dec 14, 2020

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.