Audit Confluence Using the Tomcat Valve Component

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Enable access logging int Confluence 7.11 and later

From Confluence 7.11 access logging is enabled by default. 

The log file is saved in <confluence install>/logs/conf_access_log<date>.log.

Enable access logging in Confluence 7.10 and earlier

In addition to the access logging built into Confluence's audit log, you can also configure Tomcat's Valve Component to log access.

Below are the steps on how to do this in a Confluence instance:

  1. Edit <confluence install>/conf/server.xml.
  2. Add the following line within the <Context > ... </Context>tags declaration:

    <Valve className="org.apache.catalina.valves.AccessLogValve" 
           directory="logs" 
           maxDays="30" 
           pattern="%t %{X-Forwarded-For}i %{X-AUSERNAME}o %I %h %r %s %Dms %b %{Referer}i %{User-Agent}i" prefix="conf_access_log" 
           requestAttributesEnabled="true" 
           rotatable="true" 
           suffix=".log" 
    />

    This will log the date and time (%t), the username (%{X-AUSERNAME}o), reverse proxy or load balancer IP (%h) with the client IP (%{X-Forwarded-For}i), request, and type (%s %r), the HTTP status code of the response, time taken to process the request (in milliseconds), bytes sent (excluding headers - %b), the referer (%{Referer}i), and user agent (%{User-Agent}i).  

    See Access Log valve attributes in the Tomcat 9 documentation for more information on additional attributes. 

You can access the log file at <confluence install>/logs/conf_access_log.<date>.log.

Here is an example of the log output:

[18/Dec/2020:12:57:26 +1100] 192.168.1.15 testuser http-nio-8090-exec-6 0:0:0:0:0:0:0:1 GET /index.action HTTP/1.1 200 1020ms 7881 http://localhost:8090/login.action?os_destination=%2Findex.action&permissionViolation=true Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

To configure AccessLogValve to accept the substituted IP from RemoteIpValve the requestAttributesEnabled attribute also should be enabled (true) as shown below:

<Valve className="org.apache.catalina.valves.AccessLogValve"
       requestAttributesEnabled="true"
       ... EXISTING_ATTRIBUTES ...
/>

See Access Log valve attributes in the Tomcat 9 documentation for more information on the requestAttributesEnabled attribute.

Earlier access log pattern

If you configured the access log valve prior to Confluence 7.11, your log syntax may be different from the suggested pattern above. 

Here is our previous recommendation. 

<Valve className="org.apache.catalina.valves.AccessLogValve" 
       directory="logs" prefix="conf_access_log" 
       suffix=".log" 
       pattern="%t %{X-AUSERNAME}o %{User-Agent}i %h %m %r %b %s %D %I" 
/>

See Access Log valve attributes in the Tomcat 9 documentation for more information on each of the attributes. 

Last modified on Jun 3, 2021

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.