Auditing in Confluence
Main differences between auditing in Server and Data Center
The auditing feature works differently in Confluence Server and Confluence Data Center.
|Functionality||Available in Server||Available in Data Center|
|Coverage areas|| Yes|
(fewer coverage areas than Data Center)
|Selecting coverage areas||No (only Base or Off)||Yes|
|Setting database log retention||Yes||Yes|
|Storing audit logs in two locations||No||Yes|
|Integrating with 3rd party monitoring tools||No||Yes|
|Exporting latest 100,000 results||Yes||Yes|
|Filter by category and summary||No||Yes|
|Exporting filtered results||Yes||Yes|
|Space level audit log||No||Yes|
View the audit log
To view the global audit log in Confluence:
- Go to > General Configuration
- Select Audit log
- Select an event to expand it and see details.
Different details will be shown depending on the event itself. These can include:
- IP address – IP address of the user who performed the action. This is not recorded for system-generated events.
- Load balancer/proxy IP address – IP address of the load balancer or proxy server that forwarded the request.
- Node ID – unique ID of the cluster node where the action was performed.
- Method – depending on how the action was performed, this will be either Browser (end user) or System (system process).
View the space audit log (Data Center)
System admins, Confluence admins and space admins can also access audit logs for a specific space, if they have permission to administer that space.
The space audit log records events related to space permissions and configuration, user actions within the space, and some events related to space security (for example, events related to accessing and granting permissions to restricted pages with a particular space).
To view the audit log for a specific space, go to Space tools > Audit log.
Search and filter the audit log
You can search the log by keyword, and narrow your results by date, author, and space. If you have a Data Center license you can also filter by category and summary.
To speed up the search, we only search the most recent 1 million events. After this search is performed, you can choose to run a full database search. If you have a large or busy Confluence site, running a full search can take a while.
Can't find a specific event?
Changing coverage level changes the individual events that are logged. If you can't find a specific event, it might be because coverage level was changed, and these events were not logged for a period of time. Check the audit log configuration events to determine if this might be the case.
Edit log settings
In the audit log settings you can decide how long you want to retain the logged events in the database, and the areas from which you want to collect the logs.
Update database retention
The database retention is limited by the retention period, with a maximum of 10 million records.
To update the database retention period:
- Select more options > Settings.
- Enter the period of time. This can be in days, months or years.
- Select Save.
If you choose a long retention period, it can affect the size and performance of your database. Learn more about setting an optimal retention period for your Confluence instance.
If you decide to lower the retention period, all the events that exceed the newly set period will be deleted, and disappear from the page. It's a good idea to create a backup before you lower the retention period.
If you migrated from a previous Confluence version, your default retention period is 20 years. If you have a new Confluence installation, it’s 3 years.
Select events to log
The events that are logged are organized in categories that belong to specific coverage areas.
For example, import and export-related events are logged in the Import/Export category, that belongs to the Local configuration and administration coverage area. For all coverage areas and events logged in each area, see Audit log events in Confluence.
To adjust the coverage:
- Go to more options > Settings.
- In the Coverage level drop-down, select the level to log the events you need, or Off to stop collecting events from a particular area.
Coverage level definitions
Coverage levels reflect the number and frequency of events that are logged. Some coverage levels are only available with a Data Center license.
Turns off logging for this coverage area.
The lowest level of coverage. Logs only the core events. Base coverage provides a minimum level of insight into your site’s activity. If you have a Confluence Server license, this is the only coverage level available.
Advanced (Data Center only)
Logs all the events covered in Base, plus additional events.
Advanced coverage provides a more detailed record of your site’s activity.
Full (Data Center only)
The highest level of coverage available. Logs all events in Base and Advanced.
Depending on your site's activity, setting your coverage level to Full can generate a large volume of events, which can impact your database and disk space.
Export the audit log
You can export up to 100,000 latest or filtered events as a CSV file. If you have more than 100,000 events, only the 100,000 newest events are included in the export.
To export the audit log:
- Go to Audit log, then choose Export.
- Select to export the latest 100,000 or filtered results.
- Confirm by clicking Export.
Space admins can also export from the space level audit log.
Access the audit log file (Data Center)
For Confluence Data Center, each node has its own log, which can be found in the
<local-home>/log/audit directory. The log is stored as a JSON file.
Confluence creates a new log file every 24 hours, or once the current one reaches 100 MB, whichever occurs first. For more details on log rotation, see Audit Log Integrations in Confluence.
Change the audit log file retention
You can choose how many audit log files to store in the local home directory on each node. By default we store 100 files. Make sure you've provisioned enough disk space for these files, especially if you have set the logging level to Advanced or Full.
To change the file retention setting:
- Go to > Audit log. > General Configuration
- Select Settings.
- Enter the maximum number of files to be stored and select Save.
Once a node reaches the log file retention limit, the oldest one is deleted. If you need to keep these logs, for example for compliance purposes, you may want to manually back up the files in this directory on a regular basis, or send them to a third party logging platform. See Audit Log Integrations in Confluence.
Integrate with external software (Data Center)
You can use the log file to integrate with third-party tools such as ELK, Splunk, Sumologic, and Amazon CloudWatch. For more information on integrations, see Audit Log Integrations in Confluence.
Audit log and migration
If you have more that 10 million events stored in your database, and you move to a new database, only the latest 10 million will be migrated, and the remaining data will be removed.
To have access to your older events, you can create a backup before you migrate and access the data in the backup.
Migrate from a previous Confluence version
Migrating audit log records can take a while, depending on the size of the audit log and your database.
Auditing and the REST API
The audit log can also be accessed via the REST API.