Auditing in Confluence

The audit log allows administrators to look back at changes that have been made in your site. This is useful when you need to troubleshoot a problem or if you need to keep a record of important events, such as changes to global permissions.

Space admins can also view the audit log for their specific space.

On this page:

Audit log features

Audit logging in Confluence Data Center has the following features:

FunctionalityAvailable in Data Center
Coverage areas(tick) Yes
Selecting coverage areas(tick) Yes
Setting database log retention(tick) Yes
Storing audit logs in two locations(tick) Yes
Integrating with 3rd party monitoring tools(tick) Yes
Exporting the latest 100,000 results(tick) Yes
Filter by category and summary(tick) Yes
Exporting filtered results(tick) Yes
Space-level audit log(tick) Yes

Audit log storage

Confluence writes audit logs to the database and a log file. The database helps to easily view, search, and export data.

The log file saves you the effort of periodically exporting your audit logs from the database for long-term storage. However, its main purpose is to easily integrate with a third-party logging platform.

For Confluence Data Center clustered instances, each node has its own log, which can be found in the <home-directory/log/audit> directory. The log is stored as a JSON file.

View the audit log

To view the global audit log in Confluence:

  1. Go to Administration menu , then General Configuration
  2. Select Audit log.
  3. Select an event to expand it and see details.

Different details will be shown depending on the event itself. These can include:

  • IP address — IP address of the user who performed the action. This is not recorded for system-generated events.
  • Load balancer/proxy IP address — IP address of the load balancer or proxy server that forwarded the request.
  • Node ID — unique ID of the cluster node where the action was performed.
  • Method — depending on how the action was performed, this will be either Browser (end user) or System (system process).

View the space audit log

System admins, Confluence admins, and space admins can also access audit logs for a specific space if they have permission to administer that space.

The space audit log records events related to space permissions and configuration, user actions within the space, and some events related to space security (for example, events related to accessing and granting permissions to restricted pages with a particular space).

To view the audit log for a specific space, go to Space tools > Audit log.

Search and filter the audit log

You can search the log by keyword, and narrow your results by date, author, and space. You can also filter by category and summary.

Your query can be up to 100 characters long. To speed up the search, we only search the most recent 1 million events. After this search is performed, you can choose to run a full database search. If you have a large or busy Confluence site, running a full search can take a while.

Can't find a specific event?

Changing coverage level changes the individual events that are logged. If you can't find a specific event, it might be because the coverage level was changed, and these events were not logged for a period of time. Check the audit log configuration events to determine if this might be the case.

Export the audit log

You can export up to 100,000 latest or filtered events as a CSV file. If you have more than 100,000 events, only the 100,000 newest events are included in the export.

To export the audit log:

  1. Go to Audit log, then select Export.
  2. Select to export the latest 100,000 or filtered results.
  3. Confirm by selecting Export.

Space admins can also export from the space-level audit log.

Edit log settings

In the audit log settings, you can decide how long you want to retain the logged events in the database and the areas from which you want to collect the logs.

Update database retention

The database retention is limited by the retention period, with a maximum of 10 million records.

To update the database retention period:

  1. Select
    More options
     > Settings.
  2. Enter the period of time. This can be in days, months, or years.
  3. Select Save.

If you choose a long retention period, it can affect the size and performance of your database. Learn more about setting an optimal retention period for your Confluence instance.

If you decide to lower the retention period, all the events that exceed the newly set period will be deleted, and disappear from the page. It's a good idea to create a backup before you lower the retention period.

If you migrated from a previous Confluence version, your default retention period is 20 years. If you have a new Confluence installation, it’s 3 years.

Select events to log

The events that are logged are organized in categories that belong to specific coverage areas.

For example, import and export-related events are logged in the Import/Export category that belongs to the Local configuration and administration coverage area. For all coverage areas and events logged in each area, see Audit log events in Confluence.

To adjust the coverage:

  1. Go to
    More options
     > Settings.
  2. In the Coverage level drop-down, select the level to log the events you need, or Off to stop collecting events from a particular area.

Coverage level definitions

Coverage levels reflect the number and frequency of events that are logged.

Coverage level

Definition

Off

Turns off logging for this coverage area.

Base

The lowest level of coverage. Logs only the core events. Base coverage provides a minimum level of insight into your site’s activity. 

Advanced

Logs all the events covered in Base, plus additional events.

Advanced coverage provides a more detailed record of your site’s activity.

Full

The highest level of coverage available. Logs all events in Base and Advanced.

Depending on your site's activity, setting your coverage level to Full can generate a large volume of events, which can impact your database and disk space.

Change the audit log file retention

You can choose how many audit log files to store in the local home directory on each node. By default we store 100 files. Make sure you've provisioned enough disk space for these files, especially if you have set the logging level to Advanced or Full. 

To change the file retention setting:

  1. Go to
    More options
    > Settings.
  2. Enter the maximum number of files to be stored per node and select Save

Once a node reaches the log file retention limit, the oldest one is deleted. If you need to keep these logs, for example for compliance purposes, you may want to manually back up the files in this directory on a regular basis, or send them to a third party logging platform. See Audit Log Integrations in Confluence.

Integrate with external software

You can use the log file to integrate with third-party tools such as ELK, Splunk, Sumologic, and Amazon CloudWatch. For more information on integrations, see Audit Log Integrations in Confluence.

Audit log and migration

Migrate database

If your database contains more than 10 million events stored in your database, and you move to a new database, only the latest 10 million will be migrated, and the remaining data will be removed.

To have access to your older events, you can create a backup before you migrate and access the data in the backup.

Migrate from a previous Confluence version

Migrating audit log records can take a while, depending on the size of the audit log and your database.

Auditing and the REST API

The audit log can also be accessed via the REST API

Last modified on Dec 10, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.