Audit Log Events in Confluence

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

This page outlines the auditing events available in Confluence Server and Data Center, and which events fall into each coverage level.

For more information about how auditing works, see Auditing in Confluence.

On this page

Definitions

Coverage area

A coverage area is a grouping of events related to a similar theme.

See definitions

Coverage area

Definition

Global configuration and administration

Logs instance or system admin activity around instance administration or configuration such as platform changes or upgrades to global settings.

User management

Logs activity around users, groups, memberships, and roles, such as adding and removing users and groups.

Permissions

Log activity around local and global permissions and configurations such as changing to anonymous access or updating group permissions.

Local configuration and administration

Logs admin activity around spaces, such as creating or deleting a space.

Security

Logs user actions related to security such as authentication, or granting access to a restricted page.

End user activity (Data Center only)

Logs end user activity on your site, such as user actions on a page (creating, editing, commenting), searching, or viewing pages.

Category

A category is a grouping of related events. Categories can belong to multiple coverage areas.

Category names change over time. You may find your audit log contains some categories not described on this page. These are usually associated with events logged prior to Confluence 7.5.

Coverage level

Coverage levels allow you to control which events are logged. Some levels are only available with a Data Center license.

See definitions


Coverage level

Definition

Off

Turns off logging for this coverage area.

Base

The lowest level of coverage. Logs only the core events. Base coverage provides a minimum level of insight into your site’s activity. 

Advanced

Logs all the events covered in Base, plus additional events.

Advanced coverage provides a more detailed record of your site’s activity.

Full

The highest level of coverage available. Logs all events in Base and Advanced.

Depending on your site's activity, setting your coverage level to Full can generate a large volume of events, which can impact your database and disk space.


Global configuration and administration

Category: Global administration

Coverage levelEvents logged
Base

Color scheme modified
Color scheme type changed
Custom decorator modified
Custom stylesheet added
Custom stylesheet removed
Favicon changed
Favicon reset to default
Global retention rule changed
Global settings changed
Licence updated
Mail server created
Mail server deleted
Mail server edited
Max cache size changed
Retention rule exemption added
Retention rule exemption removed
Security configuration updated
Site export
Site import
Site logo changed
Space retention rule changed
Theme changed

AdvancedAllowlist turned off
Allowlist turned on
Allowlist URL added
Allowlist URL removed
Allowlist URL updated
Application link created
Application link edited
Application link removed
Application navigator link added
Application navigator link removed
Application navigator link updated
Banner configuration changed
CDN configuration
Collaborative editing mode changed
Mail queue flushed
Mail queue: error queue deleted
Mail queue: error queue re-sent
Mobile apps configuration updated
Rate limiting exemption added
Rate limiting exemption edited
Rate limiting exemption removed
Rate limiting settings updated
Read-only mode configuration changed
Scheduled job disabled
Scheduled job edited
Scheduled job enabled
Scheduled job run manually
Security configuration updated
Synchrony restarted
Full

No events

Category: System

Coverage levelEvents logged
BaseNo events
AdvancedNo events
FullMonitoring configuration changed

Category: Apps

Coverage levelEvents logged
BaseApp installed
App uninstalled
App enabled
App disabled
App module enabled
App module disabled
AdvancedNo events
FullNo events

Category: Page templates

Coverage levelEvents logged
BasePage template updated
Page template created
Page template deleted
AdvancedNo events
FullNo events

Category: Reindex

Coverage levelEvents logged
BaseSite reindex complete
Space reindex complete
AdvancedNo events
FullNo events

User management

Category: Users and groups

Coverage levelEvents logged
BaseUser created
User deleted
User renamed
User details updated
User requested password reset
Group created
Group deleted
User added to group
User removed from group
User directory created
User directory deleted
User directory updated
AdvancedUser was invited to join site
FullNo events


Permissions

Category: Permissions

Coverage levelEvents logged
BaseSpace permission removed
Space permission added
Global permission removed
Global permission added
AdvancedNo events
FullNo events

Local configuration and administration

Category: Pages and blogs

Coverage levelEvents logged
BasePage hierarchy copy started
Page hierarchy delete started
AdvancedNo events
FullNo events

Category: Import / Export

Coverage levelEvents logged
BaseSpace import
Space export
Space exported to PDF
AdvancedNo events
FullNo events

Category: Spaces

Coverage levelEvents logged
BaseSpace created
Space deleted
Space archived
Space unarchived
Space trash emptied
Space logo uploaded
Space logo enabled
Space logo disabled
Space logo deleted
Unknown update to space logo
Space configuration updated
AdvancedNo events
FullNo events

Security

Category: Auditing

Coverage levelEvents logged
BaseAudit log search performed
Audit log exported
Audit log configuration updated
AdvancedNo events
FullNo events

Category: Authentication

Coverage levelEvents logged
BaseSecure admin access request denied (IP not in allow list)
Advanced

Secure admin access granted
Secure admin access request failed
Secure admin access dropped
Secure admin access logout

User authorized external application access via OAuth tokens
User de-authorized external application access via OAuth token
User login failed*

FullUser login successful
User logout

*We only track User login failed events if the authentication does not involve a redirect to an external identity provider. If a user tries to log in using SSO and fails, this event will not be logged. Most identity providers track these events in their own audit logs.

Category: 2SV Configuration

Coverage levelEvents logged
Base

Admin logged in without 2SV
Failed 2SV login
Successful 2SV login
Failed session elevation
Successful session elevation
User rate-limited

AdvancedNo events
FullNo events

Category: 2SV Identity Verification

Coverage levelEvents logged
Base

2SV enabled for user
2SV disabled for user
2SV reset for user
2SV recovery key created for a user

AdvancedNo events
FullNo events

Category: Users and groups

Coverage levelEvents logged
BaseNo events
AdvancedForgot password feature triggered
Forgot password feature triggered for unknown user
FullNo events

Category: Security

Coverage levelEvents logged
Base

Secret value updated
Secret value deleted

Advanced

User tried to access restricted page
User requested access to restricted page
User requested access to restricted blog
Owner of the page authorized access
Owner of the blog authorized access

FullNo events


End user activity  

Category: Pages and blogs

Coverage levelEvents logged
BaseNo events
Advanced

Blog post edit restriction added
Blog post edit restriction removed
Blog post view restriction added
Blog post view restriction removed
Blog post deleted
Blog post restored
Blog post purged from trash
Blog post version deleted
Page view restriction added
Page view restriction removed
Page edit restriction added
Page edit restriction removed
Page restored
Page deleted
Page version deleted
Page purged from trash
Attachment trashed
Attachment deleted
Attachment version deleted
Comment deleted
Page moved
Blog post moved
Page shared
Blog post shared

Full

Page created
Page edited
Blog post created
Blog post edited
Comment created
Comment edited
Inline comment created
Inline comment edited
Inline comment deleted

Attachment downloaded
Attachment uploaded
Search performed

Note: The Search performed event records the search terms entered in search, advanced search, and in search macros (such as Livesearch and Page Tree Search). If you don't want to collect this data you can disable this event using the audit.log.search.disabled system property

Category: Import / export

Coverage levelEvents logged
BaseNo events
AdvancedPage exported to PDF
Blog post exported to PDF
Page exported to Word
Blog post exported to Word
FullNo events

Category: Data pipeline

Coverage levelEvents logged
BaseFull data export cancelled
Full data export triggered
Unauthorized full data export triggered
Full data export failed
Advanced
No events
Full
No events

Apps

Category: Apps

Coverage level

Events logged

BaseApp installed
App uninstalled
App enabled
App disabled
App module enabled
App module disabled
AdvancedNo events
FullNo events

Category: Permissions

Coverage level

Events logged

BaseCustom emoji upload enabled
Custom emoji upload disabled for users
AdvancedNo events
FullNo events

Category: Pages and blogs

Coverage level

Events logged

BaseNo events
AdvancedCustom emoji uploaded
Custom emoji deleted by user
Custom emoji deleted by admin
FullNo events
Last modified on Dec 10, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.