How to track user actions with page access logging

Occasionally one wishes to get an overall picture of which users are accessing which pages in JIRA. Application servers are able to log the requested URL, but (it seems) they cannot determine the currently logged in user (probably because they run before the Seraph filter has a chance to set request.getRemoteUser()).

Similar to Confluence, JIRA 3.3 and above has a built-in URL logging mechanism, which shows the user and URL invoked:

(info) Please note, as of JIRA 4.1, some of this functionality is now available via the Administration interface. See Viewing User Sessions for more details.

On this page:

2005-07-15 18:10:19,276 INFO [JIRACOM:jira.web.filters.AccessLogFilter] AccessLogFilter initialized. Format is: <user> <url> <starting memory free (kb)> +- <difference in free mem (kb)> <query time (ms)>
2005-07-15 18:10:20,523 INFO [JIRACOM:jira.web.filters.AccessLogFilter] joe http://localhost:8090/jira/secure/admin/jira/ViewLogging.jspa 109687-110 35
2005-07-15 18:10:20,523 INFO [JIRACOM:jira.web.filters.AccessLogFilter] joe http://localhost:8090/jira/secure/admin/jira/ViewLogging.jspa 109687-110 35
2005-07-15 18:15:59,709 INFO [JIRACOM:jira.web.filters.AccessLogFilter] joe http://localhost:8090/jira/secure/IssueNavigator.jspa 115762-3000 2385
2005-07-15 18:15:59,709 INFO [JIRACOM:jira.web.filters.AccessLogFilter] joe http://localhost:8090/jira/secure/IssueNavigator.jspa 115762-3000 2385
2005-07-15 18:26:53,916 INFO [JIRACOM:jira.web.filters.AccessLogFilter] joe http://localhost:8090/jira/logout 108756 1
2005-07-15 18:26:53,916 INFO [JIRACOM:jira.web.filters.AccessLogFilter] joe http://localhost:8090/jira/logout 108756 1
2005-07-15 18:26:54,306 INFO [JIRACOM:jira.web.filters.AccessLogFilter] joe http://localhost:8090/jira/secure/Logout!default.jspa 116660-2809 279
2005-07-15 18:26:54,306 INFO [JIRACOM:jira.web.filters.AccessLogFilter] joe http://localhost:8090/jira/secure/Logout!default.jspa 116660-2809 279
2005-07-15 18:27:01,380 INFO [JIRACOM:jira.web.filters.AccessLogFilter] - http://localhost:8090/jira/default.jsp 116393-512 42
2005-07-15 18:27:01,380 INFO [JIRACOM:jira.web.filters.AccessLogFilter] - http://localhost:8090/jira/default.jsp 116393-512 42
2005-07-15 18:27:01,472 INFO [JIRACOM:jira.web.filters.AccessLogFilter] - http://localhost:8090/jira/secure/Dashboard.jspa 115881-809 87
2005-07-15 18:27:01,472 INFO [JIRACOM:jira.web.filters.AccessLogFilter] - http://localhost:8090/jira/secure/Dashboard.jspa 115881-809 87

Here you can see user 'joe' enable access logging, then log out, and view the dashboard anonymously.

Usage in JIRA 3.x

URL logging is disabled in JIRA by default. To turn it on:

  2. Change the log level for AccessLogFilter from WARN to INFO. To make this change permanent, you would need to edit the corresponding section in WEB-INF/classes/log4j.properties on disk, changing:
log4j.category.com.atlassian.jira.web.filters.AccessLogFilter = WARN, console, filelog
log4j.additivity.com.atlassian.jira.web.filters = false

to:

log4j.category.com.atlassian.jira.web.filters.AccessLogFilter = INFO, console, filelog
log4j.additivity.com.atlassian.jira.web.filters = false

and then restart JIRA.

Usage in JIRA 4.x

URL logging is disabled in JIRA by default. To turn it on:

  2. Click the 'Enable' link on 'HTTP Access Logging' and 'SOAP Access Logging'.

Note, the user access logs are not outputtedĀ  to the atlassian-jira.log file, the http logs are written to <JIRA Data folder>/log/atlassian-jira-http-access.log and SOAP logs are written to <JIRA Data folder>/log/atlassian-jira-soap-access.log

Application Server Access Logs

JIRA's application server (Apache Tomcat) can also produce access logs. These are enabled by default in JIRA and result in logs/access_log.<date>.log files being generated in your JIRA Installation Directory. If you are using JIRA WAR, this feature may be enabled in the conf/server.xml file (of the Tomcat application server installation running JIRA) by adding the following line before </Context>:

<Valve className="org.apache.catalina.valves.AccessLogValve" pattern="%h %l %u %t &quot;%r&quot; %s %b %T %S" resolveHosts="false" />

You will need to restart JIRA for the changes to take effect.

The Apache Tomcat Access Log Valve documentation describes each of the above parameters.

This will generate logs that include the IP address, like:

127.0.0.1 - - [19/Oct/2006:12:38:09 +0800] "GET / HTTP/1.1" 302 - 0.240 -
127.0.0.1 - - [19/Oct/2006:12:38:09 +0800] "GET / HTTP/1.1" 302 - 0.243 -
127.0.0.1 - - [19/Oct/2006:12:38:11 +0800] "GET /secure/Setup!default.jspa HTTP/1.1" 302 - 1.732 39F9C7F048F7F060A4B9883A7348082D
127.0.0.1 - - [19/Oct/2006:12:38:16 +0800] "GET /secure/Setup!input.jspa?title=Your+Company+JIRA&mode=public HTTP/1.1" 200 24678 4.885 39F9C7F048F7F060A4B9883A7348082D
127.0.0.1 - - [19/Oct/2006:12:38:24 +0800] "GET /styles/global.css HTTP/1.1" 200 548 0.213 39F9C7F048F7F060A4B9883A7348082D
127.0.0.1 - - [19/Oct/2006:12:38:26 +0800] "GET /secure/Setup!input.jspa?title=Your+Company+JIRA&mode=public HTTP/1.1" 200 24678 0.443 39F9C7F048F7F060A4B9883A7348082D
127.0.0.1 - - [19/Oct/2006:12:38:26 +0800] "GET /styles/global.css HTTP/1.1" 200 548 0.001 39F9C7F048F7F060A4B9883A7348082D
127.0.0.1 - - [19/Oct/2006:12:38:28 +0800] "GET /includes/js/combined-javascript.js HTTP/1.1" 200 65508 1.712 39F9C7F048F7F060A4B9883A7348082D
127.0.0.1 - - [19/Oct/2006:12:38:28 +0800] "GET /includes/js/combined-javascript.js HTTP/1.1" 200 65508 4.386 39F9C7F048F7F060A4B9883A7348082D

Related pages

Regular Expression: ([U,u]ser.*[A,a]ccess.*[L,l]og)