Audit log events
The auditing component of Bitbucket Data Center logs many different events that occur while the instance is in use. Each event is assigned a coverage level that reflects the number and frequency of events logged; these levels control how much information is added to the audit log file. For example, if you have an instance under high load and no need for auditing in certain coverage areas, you may wish to turn audit logging off for those areas by selecting Off on the Audit log settings page. Learn more about these settings in View and configure the audit log.
Coverage levels available with a Data Center license:
- Off: Turns off logging events from this coverage area.
- Base: Logs low-frequency and some of the high-frequency core events from selected coverage areas.
- Advanced: Logs the core events as well as the low and medium frequency events from the coverage areas.
- Full: Logs all the events available in Base and Advanced, plus additional events for a comprehensive audit.
Events generated by external apps that call the Jira REST API and fall into the Apps coverage area are not listed here because they are app-dependent.
The following tables provide lists of new and legacy event summaries for all coverage levels and categories.
Global configuration and administration coverage area
Global administration category
Coverage level | Events logged |
---|---|
Base | Base URL changed (BaseUrlChangedEvent) |
Advanced | Announcement banner created (AnnouncementBannerCreatedEvent) |
Full | No additional events available |
Apps category
Coverage level | Events logged |
---|---|
Base | Plugin disabled (PluginDisabledEvent); Plugin enabled (PluginEnabledEvent); Plugin uninstalled (PluginUninstalledEvent); Plugin upgraded (PluginUpgradedEvent) |
Advanced | No additional events available |
Full | Plugin container unavailable (PluginContainerUnavailableEvent); Plugin framework started (PluginFrameworkStartedEvent); Plugin module available (PluginModuleAvailableEvent); Plugin module disabled (PluginModuleDisabledEvent); Plugin module enabled (PluginModuleEnabledEvent); Plugin module unavailable (PluginModuleUnavailableEvent) |
Data pipeline category
Coverage level | Events logged |
---|---|
Base | No events available |
Advanced | Full data export cancelled |
Full | No events available |
User management coverage area
Users and groups category
Coverage level | Events logged |
---|---|
Base | GPG key added (GpgKeyCreatedEvent); GPG key deleted (GpgKeyDeletedEvent); Group added to user group (GroupMembershipsCreatedEvent); Personal access token changed (AccessTokenModifiedEvent); Personal access token created (AccessTokenCreatedEvent); Personal access token deleted (AccessTokenDeletedEvent); SSH access key created for personal key (SshKeyCreatedEvent); SSH access key deleted for personal key (SshKeyDeletedEvent); User added to user group (GroupMembershipsCreatedEvent); User automatically created (AutoUserCreatedEvent); User automatically deleted from user group (AutoGroupMembershipDeletedEvent); User created (UserCreatedEvent); User created from directory sync (UserCreatedFromDirectorySynchronisationEvent); User deleted (UserDeletedEvent); User deleted from user group (GroupMembershipDeletedEvent); User directory created (DirectoryCreatedEvent); User directory deleted (DirectoryDeletedEvent); User erased (UserErasedEvent); User group automatically created (AutoGroupCreatedEvent); User group created (GroupCreatedEvent); User group deleted (GroupDeletedEvent); User group updated (GroupUpdatedEvent); User password changed (UserCredentialUpdatedEvent); Username changed (UserRenamedEvent) |
Advanced | User details export failed (UserExportFailedEvent, extraAttribute withPermissions=false) |
Full | No additional events available |
Permission coverage area
Permissions category
Coverage level | Events logged |
---|---|
Base | Global permission change request (GlobalPermissionModificationRequestedEvent) |
Advanced | No additional events available |
Full | No additional events available |
Local configuration and administration coverage area
Personal category
Coverage level | Events logged |
---|---|
Base | SSH key edited for personal key (SShKeyEditedEvent) |
Projects category
Coverage level | Events logged |
---|---|
Base | All project default tasks deleted (DefaultTaskBulkDeletedEvent) |
Advanced | Project pull request merge config deleted (ProjectPullRequestMergeConfigDeletedEvent) |
Full | No additional events available |
Repositories category
Coverage level | Events logged |
---|---|
Base | Repository auto-merge settings changed (AutoMergeSettingsUpdatedEvent) |
Advanced | Pull request reviewer group created (ReviewerGroupCreatedEvent) |
Full | No additional events available |
System category
Coverage level | Events logged |
---|---|
Base | No additional events available |
Advanced | SCM pull request merge config deleted (ScmPullRequestMergeConfigDeletedEvent) |
Full | No additional events available |
Security coverage area
Auditing category
Coverage level | Events logged |
---|---|
Base | Audit log configuration updated |
Advanced | No events available |
Full | No events available |
Authentication category
Coverage level | Events logged |
---|---|
Base | Websudo authentication failed |
Advanced | User logged out (LogoutSuccessEvent) |
Full | User logged in (AuthenticationSuccessEvent); User logged in (SSH) (SshAuthenticationSuccessEvent) |
Security category
Coverage level | Events logged |
---|---|
Base | Secret detected (SecretDetectedEvent) |
Advanced | Unauthorized access to a resource (AuthorizationFailureEvent) |
Full | No events available |
Two-step verification configuration category
Coverage level | Events logged |
---|---|
Base | User enabled two-step verification; User disabled two-step verification; User reset two-step verification authentication app; User regenerated two-step verification recovery key; System admin disabled two-step verification for user |
Advanced | No events available |
Full | No events available |
Identity verification category
Coverage level | Events logged |
---|---|
Base | Admin logged in without two-step verification; Failed login attempt with two-step verification; Successful login attempt with two-step verification; Failed session elevation; Successful session elevation; User rate-limited from failed two-step verification attempts |
Advanced | No events available |
Full | No events available |
End user activity coverage area
Repositories category
Coverage level | Events logged |
---|---|
Base | Repository accessed by user (RepositoryAccessedEvent); Run build (AnalyticsActionRunEvent) |
Advanced | Branch created (BranchCreatedEvent) |
Full | Changes pushed to repository (RepositoryPushEvent); Changes read from repository (RepositoryOtherReadEvent); Git hook activity (RepositoryHookEvent); Repository cloned (RepositoryCloneEvent); Repository pulled (RepositoryPullEvent); Repository written to (RepositoryOtherWriteEvent) |
Pull requests category
Coverage level | Events logged |
---|---|
Base | Cascading merge failed (CascadingMergeStoppedEvent) |
Advanced | Pull request filters used (PullRequestFilterEvent) |
Full | Pull request comment changed (PullRequestCommentEditedEvent) |
Search category
Coverage level | Events logged |
---|---|
Base | No events available |
Advanced | No events available |
Full | Code search succeeded (CodeSearchSuccessfulEvent) |
Apps category
This category is for auditing events generated by third-party apps.
Bitbucket Data Center customers can set the configuration property audit.legacy.events.logging.forced=true to move the following events from Full to Base level:
- Plugin container unavailable, Plugin module disabled, Plugin module enabled, Plugin module available, Plugin framework started
- User log in failed, User logged in, User logged in (SSH)
- Repository read event, Repository write event, Repository pull event, Repository push event, Git hook activity, Repository cloned
Note that adding these events to Base can significantly increase the size of the audit log.