Atlassian Confluence

Collect logs from Atlassian Confluence with Elastic Agent.

Version: 1.25.0
Compatible Kibana version(s): 8.13.0 or higher
Supported Serverless project types: Security, Observability
Subscription level: Basic
Level of support: Community

The Confluence integration collects audit logs from the audit log files or the audit API.

Authentication Set-Up

When setting up the Atlassian Confluence integration for Atlassian Cloud, you will need to use the "Confluence User Identifier" and "Confluence API Token" fields in the integration configuration. These allow the integration to connect to the Atlassian Cloud REST API.

If you are using a self-hosted instance, you will be able to use either the "Confluence User Identifier" and "Confluence API Token" fields above, or use the "Personal Access Token" field to authenticate with a PAT. If the "Personal Access Token" field is set in the configuration, it will take precedence over the User ID/API Token fields.

Logs

Audit

The Confluence integration collects audit logs from the audit log files or the audit API of a self-hosted Confluence Data Center. It has been tested with Confluence 7.14.2 but is expected to work with newer versions. As of version 1.2.0, this integration added experimental support for Atlassian Confluence Cloud. JIRA Cloud only supports Basic Auth using a username and a Personal Access Token.

Exported fields

| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| confluence.audit.affected_objects | Affected Objects | flattened |
| confluence.audit.changed_values | Changed Values | flattened |
| confluence.audit.external_collaborator | Whether the user is an external collaborator user | boolean |
| confluence.audit.extra_attributes | Extra Attributes | flattened |
| confluence.audit.method | Method | keyword |
| confluence.audit.type.action | Action | keyword |
| confluence.audit.type.actionI18nKey | actionI18nKey | keyword |
| confluence.audit.type.area | Area | keyword |
| confluence.audit.type.category | Category | keyword |
| confluence.audit.type.categoryI18nKey | categoryI18nKey | keyword |
| confluence.audit.type.level | Audit Level | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |

An example event for audit looks as follows:

{
    "@timestamp": "2021-11-16T09:25:56.666Z",
    "agent": {
        "ephemeral_id": "5e7e2606-c5b7-4cca-bcf6-5a9959484395",
        "id": "1f67a92c-38d3-40a8-9093-c4495a7411a3",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.10.2"
    },
    "confluence": {
        "audit": {
            "external_collaborator": false,
            "type": {
                "action": "User deactivated",
                "category": "Users and groups"
            }
        }
    },
    "data_stream": {
        "dataset": "atlassian_confluence.audit",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "1f67a92c-38d3-40a8-9093-c4495a7411a3",
        "snapshot": false,
        "version": "8.10.2"
    },
    "event": {
        "action": "User deactivated",
        "agent_id_status": "verified",
        "created": "2023-11-06T13:17:04.339Z",
        "dataset": "atlassian_confluence.audit",
        "ingested": "2023-11-06T13:17:05Z",
        "kind": "event",
        "original": "{\"affectedObject\":{\"name\":\"\",\"objectType\":\"\"},\"associatedObjects\":[],\"author\":{\"accountType\":\"\",\"displayName\":\"System\",\"externalCollaborator\":false,\"isExternalCollaborator\":false,\"operations\":null,\"publicName\":\"Unknown user\",\"type\":\"user\"},\"category\":\"Users and groups\",\"changedValues\":[],\"creationDate\":1637054756666,\"description\":\"\",\"remoteAddress\":\"81.2.69.143\",\"summary\":\"User deactivated\",\"superAdmin\":false,\"sysAdmin\":false}",
        "type": [
            "info"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "related": {
        "ip": [
            "81.2.69.143"
        ]
    },
    "source": {
        "address": "81.2.69.143",
        "geo": {
            "city_name": "London",
            "continent_name": "Europe",
            "country_iso_code": "GB",
            "country_name": "United Kingdom",
            "location": {
                "lat": 51.5142,
                "lon": -0.0931
            },
            "region_iso_code": "GB-ENG",
            "region_name": "England"
        },
        "ip": "81.2.69.143"
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "confluence-audit"
    ],
    "user": {
        "full_name": "System"
    }
}
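
The sample event above carries both the raw Confluence record (event.original) and the fields derived from it. The following added example is not the integration's ingest pipeline; it reproduces the mapping as inferred from this one sample, and the function name normalize_audit and the handling of a non-IP remoteAddress are assumptions of the example.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Raw record copied from "event.original" in the sample event above.
RAW = (
    '{"affectedObject":{"name":"","objectType":""},"associatedObjects":[],'
    '"author":{"accountType":"","displayName":"System",'
    '"externalCollaborator":false,"isExternalCollaborator":false,'
    '"operations":null,"publicName":"Unknown user","type":"user"},'
    '"category":"Users and groups","changedValues":[],'
    '"creationDate":1637054756666,"description":"",'
    '"remoteAddress":"81.2.69.143","summary":"User deactivated",'
    '"superAdmin":false,"sysAdmin":false}'
)

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def normalize_audit(raw: str) -> dict:
    """Map one raw audit record to the dotted field names shown on this page."""
    rec = json.loads(raw)
    author = rec.get("author") or {}
    # creationDate is epoch milliseconds in the sample; timedelta keeps it exact.
    ts = EPOCH + timedelta(milliseconds=rec["creationDate"])
    doc = {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z",
        "event.action": rec.get("summary"),
        "confluence.audit.type.action": rec.get("summary"),
        "confluence.audit.type.category": rec.get("category"),
        "confluence.audit.external_collaborator": author.get("externalCollaborator"),
        "user.full_name": author.get("displayName"),
    }
    addr = rec.get("remoteAddress")
    if addr:
        doc["source.address"] = addr
        try:
            # Assumption of this example: only a parseable IP is promoted to
            # source.ip and related.ip; anything else stays in source.address.
            ipaddress.ip_address(addr)
            doc["source.ip"] = addr
            doc["related.ip"] = [addr]
        except ValueError:
            pass
    return doc


if __name__ == "__main__":
    for field, value in sorted(normalize_audit(RAW).items()):
        print(f"{field}: {value}")
```

Comparing this output with the normalized fields of the sample event is a quick check that a replayed log file or a customized pipeline still yields the values that searches and detections key on.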

Changelog

| Version | Details | Kibana version(s) |
|---|---|---|
| 1.25.0 | Enhancement: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher |
| 1.24.0 | Enhancement: Set sensitive values as secret. | 8.12.0 or higher |
| 1.23.2 | Enhancement: Changed owners | 8.7.1 or higher |
| 1.23.1 | Bug fix: Fix exclude_files pattern. | 8.7.1 or higher |
| 1.23.0 | Enhancement: Limit request tracer log count to five. | 8.7.1 or higher |
| 1.22.0 | Enhancement: ECS version updated to 8.11.0. | 8.7.1 or higher |
| 1.21.1 | Bug fix: Resolve possible infinite pagination for Confluence Cloud. | 8.7.1 or higher |
| 1.21.0 | Enhancement: Improve 'event.original' check to avoid errors if set. | 8.7.1 or higher |
| 1.20.0 | Enhancement: Set 'community' owner type. | 8.7.1 or higher |
| 1.19.0 | Enhancement: ECS version updated to 8.10.0. | 8.7.1 or higher |
| 1.18.0 | Enhancement: The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest. | 8.7.1 or higher |
| 1.17.0 | Enhancement: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 8.7.1 or higher |
| 1.16.2 | Bug fix: Ensure pagination request timestamps are properly encoded. | 8.7.1 or higher |
| 1.16.1 | Bug fix: Fixed cursor timestamp handling. | 8.7.1 or higher |
| 1.16.0 | Enhancement: Add ability to set condition for logfile logs. | 8.7.1 or higher |
| 1.15.0 | Enhancement: Update package to ECS 8.9.0. | 8.7.1 or higher |
| 1.14.0 | Enhancement: Document duration units. | 8.7.1 or higher |
| 1.13.0 | Enhancement: Document valid duration units. | 8.7.1 or higher |
| 1.12.0 | Enhancement: Ensure event.kind is correctly set for pipeline errors. | 8.7.1 or higher |
| 1.11.0 | Enhancement: Update package to ECS 8.8.0. | 8.7.1 or higher |
| 1.10.0 | Enhancement: Add a new flag to enable request tracing | 8.7.1 or higher |
| 1.9.0 | Enhancement: Update package-spec version to 2.7.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.8.0 | Enhancement: Update package to ECS 8.7.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.7.1 | Enhancement: Added categories and/or subcategories. | 7.16.0 or higher, 8.0.0 or higher |
| 1.7.0 | Enhancement: Update package to ECS 8.6.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.6.1 | Bug fix: Fix handling of messages with no events. | 7.16.0 or higher, 8.0.0 or higher |
| 1.6.0 | Enhancement: Update package to ECS 8.5.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.5.2 | Enhancement: Use ECS geo.location definition. | 7.16.0 or higher, 8.0.0 or higher |
| 1.5.1 | Bug fix: Clarify basic authentication config options. | 7.16.0 or higher, 8.0.0 or higher |
| 1.5.0 | Enhancement: Update package to ECS 8.4.0 | 7.16.0 or higher, 8.0.0 or higher |
| 1.4.1 | Bug fix: Fix proxy URL documentation rendering. | 7.16.0 or higher, 8.0.0 or higher |
| 1.4.0 | Enhancement: Update package to ECS 8.3.0. | 7.16.0 or higher, 8.0.0 or higher |
| 1.3.0 | Enhancement: Add support for Atlassian Confluence Cloud | 7.16.0 or higher, 8.0.0 or higher |
| 1.2.0 | Enhancement: Update to ECS 8.2 | |
| 1.1.2 | Enhancement: Update readme | 7.16.0 or higher, 8.0.0 or higher |
| 1.1.1 | Enhancement: Add documentation for multi-fields | 7.16.0 or higher, 8.0.0 or higher |
| 1.1.0 | Enhancement: Update to ECS 8.0 | 7.16.0 or higher, 8.0.0 or higher |
| 1.0.1 | Bug fix: Regenerate test files using the new GeoIP database | 7.16.0 or higher, 8.0.0 or higher |
| 1.0.0 | Enhancement: Initial draft of the package | |
