How to Send Bitbucket audit logs to another appender
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
- In Bitbucket 7.0, audit logging changed. When that change occurred, the following conditional was added to logback-spring.xml:

    <springProperty scope="context" name="enableLegacyAuditLog" source="audit.legacy.log" defaultValue="false"/>
    <if condition='property("enableLegacyAuditLog").equals("true")'>
        <then>
            <appender name="bitbucket.auditlog" class="ch.qos.logback.core.rolling.RollingFileAppender">
                <encoder>
                    <charset>UTF-8</charset>
                    <pattern>%m%n</pattern>
                </encoder>
                <file>${log.dir}/audit/atlassian-bitbucket-audit.log</file>
                <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
                    <fileNamePattern>${log.dir}/audit/atlassian-bitbucket-audit-%d.%i.log.gz</fileNamePattern>
                    <maxFileSize>25MB</maxFileSize>
                    <maxHistory>100</maxHistory>
                </rollingPolicy>
            </appender>
            <!-- Enable audit logging and direct it to its own separate appender if it is enabled -->
            <logger name="bitbucket.audit-log" level="DEBUG" additivity="true">
                <appender-ref ref="bitbucket.auditlog"/>
            </logger>
        </then>
    </if>

- This conditional checks whether legacy audit logging is enabled and, if so, reverts to writing to the log file specified in the appender definition.
Environment
7.0 and up
Solution
Audit logging can be written to SYSLOG by adding a SYSLOG appender inside the conditional and setting its facility to USER instead of the standard AUTH value, e.g.:

    <springProperty scope="context" name="enableLegacyAuditLog" source="audit.legacy.log" defaultValue="false"/>
    <if condition='property("enableLegacyAuditLog").equals("true")'>
        <then>
            <appender name="bitbucket.auditlog" class="ch.qos.logback.core.rolling.RollingFileAppender">
                <encoder>
                    <charset>UTF-8</charset>
                    <pattern>%m%n</pattern>
                </encoder>
                <file>${log.dir}/audit/atlassian-bitbucket-audit.log</file>
                <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
                    <fileNamePattern>${log.dir}/audit/atlassian-bitbucket-audit-%d.%i.log.gz</fileNamePattern>
                    <maxFileSize>25MB</maxFileSize>
                    <maxHistory>100</maxHistory>
                </rollingPolicy>
            </appender>
            <!-- Additional appender: forwards audit events to the syslog host with facility USER -->
            <appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
                <syslogHost>172.28.128.103</syslogHost>
                <facility>USER</facility>
                <port>514</port>
                <suffixPattern>[%thread] %logger %msg</suffixPattern>
            </appender>
            <!-- Enable audit logging and direct it to its own separate appender if it is enabled -->
            <logger name="bitbucket.audit-log" level="DEBUG" additivity="true">
                <appender-ref ref="bitbucket.auditlog"/>
                <!-- Also send audit events to the SYSLOG appender defined above -->
                <appender-ref ref="SYSLOG"/>
            </logger>
        </then>
    </if>

Legacy audit logging must be enabled by adding the following to the $BITBUCKET_HOME/shared/bitbucket.properties file:

    audit.legacy.log=true

The audit logging is written to SYSLOG during startup:

    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186185 | com.atlassian.prettyurls.atlassian-pretty-urls-plugin | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186192 | com.atlassian.soy.soy-template-plugin | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186200 | com.atlassian.stash.plugins.stash-remote-event-bitbucket-server-spi | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186244 | com.atlassian.troubleshooting.plugin-bitbucket | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186251 | com.atlassian.webhooks.atlassian-webhooks-plugin | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186252 | com.springsource.net.jcip.annotations-1.0.0 | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186259 | tac.bitbucket.languages.de_DE | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186269 | tac.bitbucket.languages.fr_FR | - | - | -
    Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186286 | tac.bitbucket.languages.ja_JP | - | - | -
    Apr 29 13:35:16 vagrant systemd-networkd[1591]: eth1: DHCP: No routes received from DHCP server: No data available

As well as when an operation in the BASE audit scope, like creating or deleting a user, is performed:

    Apr 29 13:42:28 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log 172.28.128.1 | User deleted | nhansberry | 1619703748024 | test | - | - | -

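On the receiving side, the audit lines share the syslog stream with unrelated messages (the systemd-networkd line in the startup output above), so a consumer has to key on the logger name that the suffixPattern emits. The following parser is an added example, not part of the original article or Atlassian code; the field names and the watch list are assumptions inferred from the sample lines.

```python
import re
from datetime import datetime, timedelta, timezone

# Shape produced by suffixPattern "[%thread] %logger %msg" for the audit logger.
AUDIT_RE = re.compile(r"\[(?P<thread>[^\]]+)\] bitbucket\.audit-log (?P<msg>.*)$")

# Field names are assumptions inferred from the sample lines; the last three
# columns are "-" in every sample, so they are kept as opaque extras.
FIELDS = ("source_ip", "event", "user", "epoch_ms", "target")
WATCHED_EVENTS = {"User deleted"}  # constructed watch list, extend as needed
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_audit_line(line):
    """Return a dict for a Bitbucket audit syslog line, or None for anything else."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None  # other syslog traffic sharing the stream
    parts = [p.strip() for p in m.group("msg").split("|")]
    if len(parts) < len(FIELDS) or not parts[3].isdigit():
        return None  # truncated or malformed audit message
    rec = dict(zip(FIELDS, parts))
    rec["extra"] = parts[len(FIELDS):]
    if rec["source_ip"] == "-":
        rec["source_ip"] = None  # system-generated event, no client address
    rec["time_utc"] = EPOCH + timedelta(milliseconds=int(rec["epoch_ms"]))
    return rec


def watched(lines):
    """Return parsed records whose event name is on the watch list."""
    recs = (parse_audit_line(line) for line in lines)
    return [r for r in recs if r and r["event"] in WATCHED_EVENTS]


# Sample lines copied from the output shown on this page.
SAMPLE = [
    "Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186185 | com.atlassian.prettyurls.atlassian-pretty-urls-plugin | - | - | -",
    "Apr 29 13:35:16 vagrant systemd-networkd[1591]: eth1: DHCP: No routes received from DHCP server: No data available",
    "Apr 29 13:42:28 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log 172.28.128.1 | User deleted | nhansberry | 1619703748024 | test | - | - | -",
]

if __name__ == "__main__":
    for rec in watched(SAMPLE):
        print(rec["time_utc"].isoformat(), rec["source_ip"], rec["user"], rec["event"], rec["target"])
```

The parser splits on "|", so a message whose detail column itself contains a pipe would be mis-split; the embedded epoch-millisecond value is used for the event time rather than the syslog prefix, which only records when the line was forwarded.
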
- During testing, adding the appenders outside the conditional did not work and legacy audit logging had to be enabled in the properties file.
Legacy Audit logging will be deprecated as per our properties page: https://confluence.atlassian.com/bitbucketserver/configuration-properties-776640155.html#Configurationproperties-Audit
See also: BSERV-12844