How to analyze the atlassian-jira-security.log file
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
The atlassian-jira-security.log file is a valuable resource for auditing user login and session events. Some situations where you'd want to use it include:
- You suspect a user account has been compromised.
- One or more users can't log in.
- Requests to the REST API return a 403 status code.
For auditing, the security log can be used in conjunction with the Tomcat access log and Jira audit log. The security log is not comprehensive and won't include exceptions, such as LDAP connection errors.
Environment
Jira 4.1.2 or later. Formatting varies slightly on 9.5.0 and later due to Jira's migration to Log4j2.
Solution
Columns
There are eight columns included in each log entry:
Timestamp
Current system time.
Format: year-month-day hour:minute:second,millisecond-timezone
Examples: 2023-05-05 13:35:42,472-0700, 2023-07-31 17:40:07,403-0400
Thread name
The reporting thread. Most activity occurs on the HTTP(S) worker threads.
Examples: http-nio-8080-exec-1, https-openssl-nio-443-exec-1, Catalina-utility-1
Jira username
The user responsible for the action. Some records are attributed to anonymous since the session is currently unauthenticated.
Examples: charlie, agrant, anonymous
Request ID
Unique ID for this HTTP request. Generated by concatenating the number of seconds elapsed today, the number of requests since the last restart, and the number of concurrent requests.
Examples: 817x51x1, 658x132235x3
Atlassian Session ID
Unique ID for this HTTP session. A single user may consume multiple sessions while using Jira. A session is destroyed when a user logs in, a user logs out, or the session reaches the session-timeout value set in Jira's web.xml.
Examples: 1qybhny, ymubth
IP address
The origin IP address. If Jira is configured through a reverse proxy, the X-Forwarded-For header passes the IP address of the request origin.
Format: origin,proxy
Examples: 0:0:0:0:0:0:0:1, 0:0:0:0:0:0:0:1,0:0:0:0:0:0:0:1
Request URL
The URL the request attempted to access. On Jira 9.5 and later, this includes the context path (commonly /jira).
Examples: /jira/rest/gadget/1.0/login, /secure/admin/WebSudoAuthenticate.jspa
Message body
The logged message.
Examples: The user 'charlie' has PASSED authentication., HttpSession created [1t0fbqg]
Example Events
2023-07-31 17:30:52,166-0700 http-nio-8080-exec-3 url: /jira/login.jsp anonymous 1050x58x1 fuiaqf 0:0:0:0:0:0:0:1 /login.jsp HttpSession [fuiaqf] destroyed for 'anonymous'
2023-07-31 17:30:52,166-0700 http-nio-8080-exec-3 url: /jira/login.jsp anonymous 1050x58x1 fuiaqf 0:0:0:0:0:0:0:1 /login.jsp HttpSession created [cxlgqg]
2023-07-31 17:30:52,182-0700 http-nio-8080-exec-3 url: /jira/login.jsp charlie 1050x58x1 fuiaqf 0:0:0:0:0:0:0:1 /login.jsp The user 'charlie' has PASSED authentication.
2023-07-31 17:32:00,120-0700 http-nio-8080-exec-25 url: /jira/secure/Logout!default.jspa; user: charlie charlie 1052x77x1 cxlgqg 0:0:0:0:0:0:0:1 /secure/Logout!default.jspa HttpSession [cxlgqg] destroyed for 'charlie'
2023-07-31 17:32:00,120-0700 http-nio-8080-exec-25 url: /jira/secure/Logout!default.jspa; user: charlie charlie 1052x77x1 cxlgqg 0:0:0:0:0:0:0:1 /secure/Logout!default.jspa HttpSession created [jwk8ar]
2023-07-31 17:32:00,120-0700 http-nio-8080-exec-25 url: /jira/secure/Logout!default.jspa; user: charlie charlie 1052x77x1 cxlgqg 0:0:0:0:0:0:0:1 /secure/Logout!default.jspa The user 'charlie' has logged out.
2023-07-31 17:34:29,730-0700 http-nio-8080-exec-9 url: /jira/login.jsp anonymous 1054x92x1 - 0:0:0:0:0:0:0:1 /login.jsp HttpSession created [17484nb]
2023-07-31 17:34:45,648-0700 http-nio-8080-exec-12 url: /jira/login.jsp anonymous 1054x118x1 17484nb 0:0:0:0:0:0:0:1 /login.jsp login : 'charlie' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2023-07-31 17:34:45,648-0700 http-nio-8080-exec-12 url: /jira/login.jsp anonymous 1054x118x1 17484nb 0:0:0:0:0:0:0:1 /login.jsp The user 'charlie' has FAILED authentication. Failure count equals 1
2023-07-31 17:37:26,307-0700 http-nio-8080-exec-25 url: /jira/login.jsp anonymous 1057x166x1 jwk8ar 0:0:0:0:0:0:0:1 /login.jsp The user 'charlie' is required to answer a CAPTCHA elevated security check. Failure count equals 4
2023-07-31 17:40:07,813-0700 http-nio-8080-exec-21 url: /jira/login.jsp anonymous 1060x269x1 - 0:0:0:0:0:0:0:1 /login.jsp HttpSession created [4rktip]
2023-07-31 17:40:12,699-0700 http-nio-8080-exec-23 url: /jira/login.jsp anonymous 1060x295x1 4rktip 0:0:0:0:0:0:0:1 /login.jsp The user 'charlie' is NOT AUTHORIZED to perform to login for this request
2023-07-31 17:40:12,699-0700 http-nio-8080-exec-23 url: /jira/login.jsp anonymous 1060x295x1 4rktip 0:0:0:0:0:0:0:1 /login.jsp login : 'charlie' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2023-07-31 17:40:12,710-0700 http-nio-8080-exec-23 url: /jira/login.jsp anonymous 1060x295x1 4rktip 0:0:0:0:0:0:0:1 /login.jsp The user 'charlie' is NOT AUTHORIZED to perform this request
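The columns and sample events above, parsed and tallied per targeted account and origin IP, as an added example (not Atlassian's code). The pattern skips the "url: ..." and "user: ..." text that follows the thread name in the sample events, assumes usernames contain no spaces, and the last SAMPLE entry is constructed (placeholder addresses) to show the origin,proxy format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Eight columns from the article. The optional "url: ..." / "user: ..." text after
# the thread name appears in the article's sample events, so it is skipped here.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}[+-]\d{4}) (?P<thread>\S+)"
    r"(?: url: \S+)?(?: user: \S+)? (?P<user>\S+) (?P<request_id>\d+x\d+x\d+) "
    r"(?P<session>\S+) (?P<ip>\S+) (?P<url>\S+) (?P<msg>.*)$")
# Login outcomes name the targeted account in the message body; the username
# column still reads "anonymous" because the session is unauthenticated.
OUTCOME = re.compile(r"The user '([^']*)' (?:has|is) "
                     r"(PASSED|FAILED|required to answer a CAPTCHA|NOT AUTHORIZED)")

def parse_line(line):
    """Return a dict of the eight columns, or None for a non-matching line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f%z")
    rec["origin_ip"] = rec["ip"].split(",")[0]   # format is origin,proxy
    return rec

def login_outcomes(lines):
    """Count authentication outcomes per (target account, origin IP)."""
    stats = defaultdict(Counter)
    for rec in filter(None, map(parse_line, lines)):
        m = OUTCOME.search(rec["msg"])
        if m:
            label = "CAPTCHA" if "CAPTCHA" in m.group(2) else m.group(2)
            stats[(m.group(1), rec["origin_ip"])][label] += 1
    return stats

# First four entries are copied from the Example Events; the fifth is constructed.
SAMPLE = [
    "2023-07-31 17:32:00,120-0700 http-nio-8080-exec-25 url: /jira/secure/Logout!default.jspa; user: charlie charlie 1052x77x1 cxlgqg 0:0:0:0:0:0:0:1 /secure/Logout!default.jspa HttpSession [cxlgqg] destroyed for 'charlie'",
    "2023-07-31 17:30:52,182-0700 http-nio-8080-exec-3 url: /jira/login.jsp charlie 1050x58x1 fuiaqf 0:0:0:0:0:0:0:1 /login.jsp The user 'charlie' has PASSED authentication.",
    "2023-07-31 17:34:45,648-0700 http-nio-8080-exec-12 url: /jira/login.jsp anonymous 1054x118x1 17484nb 0:0:0:0:0:0:0:1 /login.jsp The user 'charlie' has FAILED authentication. Failure count equals 1",
    "2023-07-31 17:37:26,307-0700 http-nio-8080-exec-25 url: /jira/login.jsp anonymous 1057x166x1 jwk8ar 0:0:0:0:0:0:0:1 /login.jsp The user 'charlie' is required to answer a CAPTCHA elevated security check. Failure count equals 4",
    "2023-07-31 17:41:00,000-0700 http-nio-8080-exec-4 anonymous 1061x300x1 abc123 203.0.113.7,10.0.0.5 /login.jsp The user 'agrant' has FAILED authentication. Failure count equals 1",
]

if __name__ == "__main__":
    for (account, ip), counts in login_outcomes(SAMPLE).items():
        print(account, ip, dict(counts))
```

Grouping by the account named in the message rather than by the username column is what lets failed attempts, which are logged as anonymous, be attributed to the account they targeted.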