Logging Level to Capture confluence-administrator Group Changes in Confluence Admin
- Specific need arises to have users with "System Administrator" permissions in Confluence but not be in the confluence-administrators group (super users). This is usually due to requirements to enforce restrictions to pages/spaces.
- The confluence-administrators group permissions allow access to any restricted spaces/pages and the problem arises that Confluence users with System Administrator permissions can add/remove users to the confluence-administrators group.
- This allows users with "System Administrator" permissions to potentially grant access to sensitive/restricted spaces and pages within Confluence. They could then remove users from the confluence-administrators group to cover their tracks.
- Default logging levels do not log activity for adding and removing users to groups.
- Edit <install-dir>/confluence/WEB-INF/classes/log4j.properties
- Search for 'Embedded Crowd logging'
- Change this line to DEBUG level logging (default set at INFO initially)
- Monitor the <confluence.home>/logs/atlassian-confluence.log for lines similar to this using a cron job or similar:
2012-02-23 16:02:58,778 DEBUG [http-5090-2] [confluence.user.crowd.CachedCrowdMembershipDao] isUserDirectMember checking direct membership for user [ ryan ] and group [ system-administrators ] 2012-02-23 16:02:58,783 DEBUG [http-5090-2] [confluence.user.crowd.CachedCrowdMembershipDao] addUserToGroup adding user [ ryan ] to group [ confluence-administrators ]
No logging is apparent at this level when removing a user from the confluence-administrators group.