Data Center Latest
Versions

audit_log_file_splunk_filebeat_sumo

_InclusionsLibrary

On this page

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community

Splunk Universal Forwarder

For Splunk Enterprise or Splunk Cloud, you can use the Splunk Universal Forwarder as your logging agent. This will involve installing the universal forwarder on each application node.

You'll also need to define each node's audit log directory as one of the forwarder's inputs. This will set the forwarder to send all logs from the audit log directory to a pre-configured receiverOne way to define the forwarder's inputs is through the Splunk CLI. For Linux systems, use the following command on each application node:

./splunk add monitor <local home directory>/log/audit/

Refer to the following links for detailed instructions on configuring the Splunk Universal Forwarder on each node:

Configuring a source type in Splunk

Source types define how Splunk indexers parse your data. That includes how to separate data into events, how to parse the events, and how to extract the timestamp from the events.

For Splunk to interpret your audit logs correctly, you’ll need to add a new source type for Atlassian Audit logs on the indexer(s), and tell the forwarders you set up to tag outgoing data with that source type.

You’ll need to create a source type named atlassian-audit with the following properties:

[atlassian-audit]

pulldown_type = true

SHOULD_LINEMERGE = false

disabled = false

category = Custom

LINE_BREAKER = ([\r\n]+)

TIME_FORMAT = %s,"nano":%9N

TIME_PREFIX = \"timestamp\":{\"epochSecond\":

For details of how to do this see how to create source types in Splunk.

After creating a source type, you’ll need to configure your forwarders to label outgoing data with the new source type. This can be done by adding the sourcetype property to the monitor you have configured in an inputs.conf file. For example:

[monitor:///path/to/jira/home/log/audit]

disabled = false

sourcetype=atlassian-audit

For more information see the following links:

Filebeat (for the ELK stack)

Within the ELK stack, you can use the Filebeat plugin to collect logs from each node's audit log files. Each time a log is written to the current audit log file, Filebeat will forward that log to Elasticsearch or Logstash.

To set this up, install Filebeat first on each application node. Then, set the audit log file directory as a Filebeat input. To do that, add its directory as a path in the filebeat.inputs section of each node's filebeat.yml configuration file. For example:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - <local home directory>/log/audit/

Sumo Logic installed collectors

If you have a Sumo Logic instance, you can use installed collectors to collect logs from each node's audit log files. To do this, install a collector on each node first. Then, add <local home directory>/log/audit/* as a Local File Source to each node's collector.


Last modified on Apr 17, 2024

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.