Often, for auditing purposes, administrators need to know who did what. Notifications are not ideally suited for this purpose. Instead, you can generate a basic log indicating which users are accessing which pages in Confluence. Application servers are able to log the requested URL, but they cannot determine the currently logged-in user. This log is not currently in a format that web log analysis tools such as AwStats can read, because it lacks a host and get method, so it must be viewed manually.

Similar to JIRA, Confluence has a built-in access logging mechanism, which shows the user and URL invoked. To enable it, you need to modify a couple of configuration files and restart Confluence.

Configuring the AccessLogFilter

There is a simple AccessLogFilter in Confluence that can be enabled via confluence/WEB-INF/classes/log4j.properties and confluence/WEB-INF/web.xml.

Please do not modify the application-wide web descriptor, $server/conf/web.xml. This will be ineffective and may break Confluence.

  1. Uncomment this line in log4j.properties:
    log4j.category.com.atlassian.confluence.util.AccessLogFilter=INFO
    
  2. Enable the filter in web.xml by removing the comments around these lines:
    <filter-mapping>
        <filter-name>AccessLogFilter</filter-name>
        <url-pattern>/display/*</url-pattern>
        <url-pattern>*.action</url-pattern>
    </filter-mapping>
    
    Note that the *.action pattern is optional: it logs Confluence actions in addition to page views, such as user logins (login.action). This combination of URL patterns will work for all URLs. You can further modify what is logged by adjusting the url-pattern field.

    For troubleshooting purposes, it is often useful to capture all accesses to Confluence. To do this, use this filter mapping in web.xml instead of the above:

    <filter-mapping>
       <filter-name>AccessLogFilter</filter-name>
       <url-pattern>/*</url-pattern>
    </filter-mapping>
    
  3. Restart Confluence

This will result in logging information being stored in the atlassian-confluence.log file in the confluence-home directory.

Advanced configuration

After this is working, you could redirect the access log to a different file by adding a new RollingFileAppender at the top of log4j.properties:

log4j.appender.accesslog=org.apache.log4j.RollingFileAppender
log4j.appender.accesslog.Threshold=DEBUG
log4j.appender.accesslog.File=${catalina.home}/logs/atlassian-confluence-access.log
log4j.appender.accesslog.MaxFileSize=20480KB
log4j.appender.accesslog.MaxBackupIndex=5
log4j.appender.accesslog.layout=com.atlassian.confluence.util.PatternLayoutWithStackTrace
log4j.appender.accesslog.layout.ConversionPattern=%d %p [%c{4}] %M %m%n

Find this line:

#log4j.category.com.atlassian.confluence.util.AccessLogFilter=INFO

Change it to this:

log4j.category.com.atlassian.confluence.util.AccessLogFilter=INFO, accesslog
log4j.additivity.com.atlassian.confluence.util.AccessLogFilter=false

The web.xml url-pattern given above only matches page views (/display/*). You could change the url-pattern, or duplicate the entire filter-mapping, to log other kinds of access (/admin/* for admin functions, /pages/* for edits and creates, etc.). Note that /pages/editpage.action* doesn't work.

What is logged

The format produced is the following values separated by spaces:

  1. Username or '-' if no user
  2. URL
  3. VM free memory at start of request (in KB)
  4. Change in free memory after request is finished (in KB)
  5. Time taken for request (in ms).
  6. Remote address

Example:

2008-08-08 10:33:05,359 INFO [atlassian.confluence.util.AccessLogFilter] init AccessLogFilter initialized. Format is: <user> <url> <starting memory free (kb)> +- <difference in free mem (kb)> <query time (ms)> <remote address>
2008-08-08 10:47:27,015 INFO [atlassian.confluence.util.AccessLogFilter] doFilter admin http://localhost:8080/display/ds 42025-154 15 127.0.0.1
2008-08-08 10:47:27,187 INFO [atlassian.confluence.util.AccessLogFilter] doFilter admin http://localhost:8080/display/ds/Confluence+Overview 41805+982 172 127.0.0.1
2008-08-08 10:47:36,296 INFO [atlassian.confluence.util.AccessLogFilter] doFilter admin http://localhost:8080/display/ds/Breadcrumb+demonstration 42102-6660 156 127.0.0.1
2008-08-08 11:08:16,875 INFO [atlassian.confluence.util.AccessLogFilter] doFilter admin http://localhost:8080/display/ds/test+firelite 34362-1616 188 127.0.0.1
2008-08-08 11:47:01,890 INFO [atlassian.confluence.util.AccessLogFilter] doFilter admin http://localhost:8080/display/sand 59711-148 0 127.0.0.1
2008-08-08 11:47:02,171 INFO [atlassian.confluence.util.AccessLogFilter] doFilter admin http://localhost:8080/display/sand/Home 59497-2302 234 127.0.0.1
2008-08-08 11:47:04,500 INFO [atlassian.confluence.util.AccessLogFilter] doFilter admin http://localhost:8080/display/ds/Tasklist 57124+155 1266 127.0.0.1

The above may be preceded by additional log4j-generated text, depending on the log4j pattern which is configured.
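
As an added example (not part of the original page or Atlassian's code), the Python sketch below parses the format listed above into per-user audit records, since the log cannot be fed to standard web log analysers. It assumes usernames and URLs contain no spaces; the last sample line is constructed, the others are copied from the example above.

```python
import re
from datetime import datetime

# search() rather than match(): extra log4j text may precede the timestamp.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \w+ "
    r"\[\S*AccessLogFilter\] doFilter "
    r"(?P<user>\S+) (?P<url>\S+) "
    r"(?P<free_kb>\d+)(?P<delta_kb>[+-]\d+) "  # fused field, e.g. 42025-154
    r"(?P<ms>\d+) (?P<remote>\S+)\s*$"
)

def parse_line(line):
    """Return one access record as a dict, or None for non-access lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None  # e.g. the "init" banner or unrelated log output
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    rec["user"] = None if rec["user"] == "-" else rec["user"]  # '-' = no user
    for key in ("free_kb", "delta_kb", "ms"):
        rec[key] = int(rec[key])
    return rec

def audit_trail(lines):
    """Map each user (None = anonymous) to its (time, url, remote) tuples."""
    trail = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            trail.setdefault(rec["user"], []).append(
                (rec["ts"], rec["url"], rec["remote"]))
    return trail

# First three lines are from the page; the last one is constructed.
SAMPLE = """\
2008-08-08 10:33:05,359 INFO [atlassian.confluence.util.AccessLogFilter] init AccessLogFilter initialized. Format is: <user> <url> <starting memory free (kb)> +- <difference in free mem (kb)> <query time (ms)> <remote address>
2008-08-08 10:47:27,015 INFO [atlassian.confluence.util.AccessLogFilter] doFilter admin http://localhost:8080/display/ds 42025-154 15 127.0.0.1
2008-08-08 10:47:27,187 INFO [atlassian.confluence.util.AccessLogFilter] doFilter admin http://localhost:8080/display/ds/Confluence+Overview 41805+982 172 127.0.0.1
2008-08-08 11:50:00,000 INFO [atlassian.confluence.util.AccessLogFilter] doFilter - http://localhost:8080/login.action 57000-10 5 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for user, hits in audit_trail(SAMPLE).items():
        for ts, url, remote in hits:
            print(user or "(anonymous)", ts.isoformat(), remote, url)
```

Keeping anonymous requests under their own key makes unauthenticated hits on *.action URLs easy to review separately from named users.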

Other options:

1. Google Analytics

Google Analytics can be easily integrated with Confluence for access tracking.

After signing up, copy the JavaScript and paste it into the 'Before end of <body>' section of Administration, Custom HTML. This will put the JavaScript on every page generated by Confluence.

This might not work correctly if your users are behind a firewall or authenticated proxy.

For more information on using Google Analytics with Confluence you may wish to refer to this blog post by David Simpson.

2. Tomcat Valve Component access log

Refer to How to Audit Confluence Using Tomcat Valve Component.
