Logging Level to Capture confluence-administrator Group Changes in Confluence Admin

Diagnosis

  1. A specific need arises for users who have "System Administrator" permission in Confluence but are not members of the confluence-administrators group (super users). This is usually driven by a requirement to enforce restrictions on pages and spaces.
  2. Membership of the confluence-administrators group allows access to any restricted space or page. The problem is that Confluence users with System Administrator permission can add users to and remove users from the confluence-administrators group.
  3. Users with "System Administrator" permission can therefore potentially grant access to sensitive or restricted spaces and pages within Confluence. They could then remove users from the confluence-administrators group to cover their tracks.
  4. The default logging levels do not log the addition of users to groups or their removal from groups.

Resolution

  1. Edit <install-dir>/confluence/WEB-INF/classes/log4j.properties
  2. Search for 'Embedded Crowd logging'
  3. Change the following line to DEBUG level logging (the default is INFO):
log4j.logger.com.atlassian.confluence.user.crowd=DEBUG

 

  • Monitor <confluence.home>/logs/atlassian-confluence.log for lines similar to the following, using a cron job or similar:
2012-02-23 16:02:58,778 DEBUG [http-5090-2] [confluence.user.crowd.CachedCrowdMembershipDao] isUserDirectMember checking direct membership for user [ ryan ] and group [ system-administrators ]
2012-02-23 16:02:58,783 DEBUG [http-5090-2] [confluence.user.crowd.CachedCrowdMembershipDao] addUserToGroup adding user [ ryan ] to group [ confluence-administrators ]

 

Note: At this level, no log entry appears when a user is removed from the confluence-administrators group.
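
One way to script the cron monitoring described above, as an added example that is not part of the original article or Atlassian's code: it reports each addUserToGroup line whose group is exactly confluence-administrators and processes only lines added since the previous run. The function names, the state file and the tab-separated output are assumptions of this example; the sample lines are constructed from the format shown above.

```shell
#!/bin/sh
# Added example: report additions to a watched group from atlassian-confluence.log.
# Assumes the DEBUG line format shown in the article (names padded with spaces).
WATCHED_GROUP="${WATCHED_GROUP:-confluence-administrators}"

# find_group_adds: read log lines on stdin and print "timestamp<TAB>user<TAB>group"
# for each addUserToGroup event whose group equals WATCHED_GROUP exactly.
find_group_adds() {
    awk -v group="$WATCHED_GROUP" '
        index($0, "] addUserToGroup adding user [") {
            rest = substr($0, index($0, "adding user [") + 13)
            sep = index(rest, "] to group [")
            if (sep == 0) next                 # truncated or unexpected line
            user = substr(rest, 1, sep - 1)
            grp = substr(rest, sep + 12)
            sub(/\].*$/, "", grp)              # drop the closing bracket
            gsub(/^[ \t]+|[ \t]+$/, "", user)  # strip the padding around names
            gsub(/^[ \t]+|[ \t]+$/, "", grp)
            if (grp == group) printf "%s %s\t%s\t%s\n", $1, $2, user, grp
        }'
}

# scan_new LOGFILE STATEFILE: process only lines added since the last run.
# A log shorter than the saved position is treated as rotated and read from the top.
scan_new() {
    log=$1 state=$2
    last=0
    [ -f "$state" ] && last=$(cat "$state")
    total=$(wc -l < "$log" | tr -d ' ')
    [ "$total" -lt "$last" ] && last=0
    tail -n "+$((last + 1))" "$log" | find_group_adds
    echo "$total" > "$state"
}

# Constructed sample lines: a membership check (ignored), a real addition,
# and an addition to a similarly named group (ignored by the exact match).
find_group_adds <<'EOF'
2012-02-23 16:02:58,778 DEBUG [http-5090-2] [confluence.user.crowd.CachedCrowdMembershipDao] isUserDirectMember checking direct membership for user [ ryan ] and group [ confluence-administrators ]
2012-02-23 16:02:58,783 DEBUG [http-5090-2] [confluence.user.crowd.CachedCrowdMembershipDao] addUserToGroup adding user [ ryan ] to group [ confluence-administrators ]
2012-02-23 16:03:10,101 DEBUG [http-5090-3] [confluence.user.crowd.CachedCrowdMembershipDao] addUserToGroup adding user [ alice ] to group [ confluence-administrators-eu ]
EOF
```

Run scan_new from cron with the log path and a writable state file path. The output covers additions only, because removals are not logged at this level.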

Last modified on Feb 26, 2016
