Auditing in Confluence

The audit log allows administrators to look back at changes that have been made in your site. This is useful when you need to troubleshoot a problem or if you need to keep a record of important events, such as changes to global permissions.

The feature is available in both Server and Data Center, however its scope is more extensive in Data Center. 

With a Data Center license, Space admins can also view the audit log for their specific space.

On this page:

Main differences between auditing in Server and Data Center

The auditing feature works differently in Confluence Server and Confluence Data Center.

FunctionalityAvailable in ServerAvailable in Data Center
Coverage areas(tick) Yes
(fewer coverage areas than Data Center)
(tick) Yes
Selecting coverage areas(error) No (only Base or Off)(tick) Yes
Setting database log retention(tick) Yes(tick) Yes
Storing audit logs in two locations(error) No(tick) Yes
Integrating with 3rd party monitoring tools(error) No(tick) Yes
Exporting latest 100,000 results(tick) Yes(tick) Yes
Filter by category and summary(error) No(tick) Yes
Exporting filtered results(tick) Yes(tick) Yes
Space level audit log(error) No(tick) Yes

View the audit log

To view the global audit log in Confluence:

  1. Go to  > General Configuration
  2. Select Audit log 
  3. Select an event to expand it and see details.

Different details will be shown depending on the event itself. These can include:

  • IP address – IP address of the user who performed the action. This is not recorded for system-generated events.
  • Load balancer/proxy IP address – IP address of the load balancer or proxy server that forwarded the request.
  • Node ID – unique ID of the cluster node where the action was performed.
  • Method – depending on how the action was performed, this will be either Browser (end user) or System (system process).

View the space audit log (Data Center)

System admins, Confluence admins and space admins can also access audit logs for a specific space, if they have permission to administer that space.

The space audit log records events related to space permissions and configuration, user actions within the space, and some events related to space security (for example, events related to accessing and granting permissions to restricted pages with a particular space).

To view the audit log for a specific space, go to Space tools > Audit log.

Search and filter the audit log

You can search the log by keyword, and narrow your results by date, author, and space. If you have a Data Center license you can also filter by category and summary.

Your query can be up to 100 characters long. To speed up the search, we only search the most recent 1 million events. After this search is performed, you can choose to run a full database search. If you have a large or busy Confluence site, running a full search can take a while.

Can't find a specific event?

Changing coverage level changes the individual events that are logged. If you can't find a specific event, it might be because coverage level was changed, and these events were not logged for a period of time. Check the audit log configuration events to determine if this might be the case.

Edit log settings

In the audit log settings you can decide how long you want to retain the logged events in the database, and the areas from which you want to collect the logs.

Update database retention

The database retention is limited by the retention period, with a maximum of 10 million records.

To update the database retention period:

  1. Select more options  > Settings.
  2. Enter the period of time. This can be in days, months or years.
  3. Select Save.

If you choose a long retention period, it can affect the size and performance of your database. Learn more about setting an optimal retention period for your Confluence instance.

If you decide to lower the retention period, all the events that exceed the newly set period will be deleted, and disappear from the page. It's a good idea to create a backup before you lower the retention period.

If you migrated from a previous Confluence version, your default retention period is 20 years. If you have a new Confluence installation, it’s 3 years.

Select events to log

The events that are logged are organized in categories that belong to specific coverage areas.

For example, import and export-related events are logged in the Import/Export category, that belongs to the Local configuration and administration coverage area. For all coverage areas and events logged in each area, see Audit log events in Confluence.

To adjust the coverage:

  1. Go to more options  > Settings.
  2. In the Coverage level drop-down, select the level to log the events you need, or Off to stop collecting events from a particular area.

Coverage level definitions

Coverage levels reflect the number and frequency of events that are logged. Some coverage levels are only available with a Data Center license.

Coverage level

Definition

Off

Turns off logging for this coverage area.

Base

The lowest level of coverage. Logs only the core events. Base coverage provides a minimum level of insight into your site’s activity. If you have a Confluence Server license, this is the only coverage level available.

Advanced (Data Center only)

Logs all the events covered in Base, plus additional events.

Advanced coverage provides a more detailed record of your site’s activity.

Full (Data Center only)

The highest level of coverage available. Logs all events in Base and Advanced.

Depending on your site's activity, setting your coverage level to Full can generate a large volume of events, which can impact your database and disk space.


Export the audit log

You can export up to 100,000 latest or filtered events as a CSV file. If you have more than 100,000 events, only the 100,000 newest events are included in the export.

To export the audit log:

  1. Go to Audit log, then choose Export.
  2. Select to export the latest 100,000 or filtered results.
  3. Confirm by clicking Export.

Space admins can also export from the space level audit log.

Access the audit log file (Data Center)

For Confluence Data Center, each node has its own log, which can be found in the <local-home>/log/audit directory. The log is stored as a JSON file.

Confluence creates a new log file every 24 hours, or once the current one reaches 100 MB, whichever occurs first. For more details on log rotation, see Audit Log Integrations in Confluence.

Change the audit log file retention

You can choose how many audit log files to store in the local home directory on each node. By default we store 100 files. Make sure you've provisioned enough disk space for these files, especially if you have set the logging level to Advanced or Full. 

To change the file retention setting:

  1. Go to  > General Configuration > Audit log.
  2. Select Settings.
  3. Enter the maximum number of files to be stored and select Save

Once a node reaches the log file retention limit, the oldest one is deleted. If you need to keep these logs, for example for compliance purposes, you may want to manually back up the files in this directory on a regular basis, or send them to a third party logging platform. See Audit Log Integrations in Confluence.

Integrate with external software (Data Center)

You can use the log file to integrate with third-party tools such as ELK, Splunk, Sumologic, and Amazon CloudWatch. For more information on integrations, see Audit Log Integrations in Confluence.

Audit log and migration

Migrate database

If you have more that 10 million events stored in your database, and you move to a new database, only the latest 10 million will be migrated, and the remaining data will be removed.

To have access to your older events, you can create a backup before you migrate and access the data in the backup.

Migrate from a previous Confluence version

Migrating audit log records can take a while, depending on the size of the audit log and your database.

Auditing and the REST API

The audit log can also be accessed via the REST API


Last modified on Dec 14, 2020

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.