New auditing features coming to Server/Data Center - What you need to know

We’re excited to announce our plans to release a new and improved set of Jira, Confluence and Bitbucket auditing functionality to our Server and Data Center customers.

In this document we want to walk the vendor community through these improvements ahead of release to allow appropriate planning and assist in better taking advantage of the newly introduced APIs.

Core points

  1. Core auditing functionality has been re-implemented as a cross-product, cross-platform plugin. While the same plugin is used for both Server and Data Center, some differing functionality is exposed to the customer depending on their license.
  2. We expose a new management experience to help customers choose the right level of event coverage and retention to suit their organisation. Customers are able to configure the audit coverage in multiple areas based on the following levels:
    1. Base: Logs core events. This provides a minimum level of insight into the instance activity.
    2. [Data Center only] Advanced - Logs more than just core events. This provides a more detailed picture of instance activity.
    3. [Data Center only] Full - Logs all events for a comprehensive record of the instance activity.
    4. Off - Turns off logging for this area.
  3. The changes introduce improved search and filtering capabilities.
  4. [Data Center only] The new auditing framework includes a significant expansion of Audit Event coverage across the products for a more complete record of the customer instance.
  5. [Data Center only] Customers will now be able to selectively export audit log results.
  6. [Data Center only] We’ve added write-to-file functionality for integration with best-of-breed log consumption tools like Splunk and ELK.

Milestone features

Milestone 1 Milestone 1.1
Updated UI Audit Contents Translation support
File externalization People & Project filters
Coverage/Retention Controls Increased coverage
Export and selective export
Object Linking (user and location)
Full text search and time filter
Audit Delegation (users can see audit logs of project/space/etc they have admin permissions for)

Planned versions for release

The following product releases are expected to contain the new auditing framework:

  1. Bitbucket 7.0 - Milestone 1
  2. Jira 8.8 - Milestone 1.1
  3. Confluence 7.5 - Milestone 1.1
  4. Bitbucket 7.2 - Milestone 1.1

Experience

Milestone 1 audit log view

Milestone 1 audit log settings view

Vendor interactions

A few principles which may be of particular note to the vendor community:

  1. The database is ephemeral and should be used by customers for short/medium-term storage. Long-term retention is achieved using the write-to-file integration, or manual export.
  2. Security events, data egress and data removal events are critical events for logging.
  3. High-frequency audit events should be put in the Full category.

New APIs

There are two new APIs for producing and consuming auditing events.

Producing events

  1. Import com.atlassian.audit.api.AuditService, which can be done via:
  • in atlassian-plugin-xml
  • spring scanner, i.e. @ComponentImport
  • spring java configuration
  • spring xml configuration
  2. Invoke the void audit(@Nonnull AuditEvent event) method, for example:

// BASE is the coverage level constant, statically imported
auditService.audit(AuditEvent.builder("actionName", "categoryName", BASE)
    .affectedObject(AuditResource.builder("project1", "Project").id("100").build())
    .changedValue(new ChangedValue("desc", "old", "new"))
    .build());

Consuming events

  1. Implement com.atlassian.audit.api.AuditConsumer:

import com.atlassian.audit.api.AuditConsumer;
import com.atlassian.audit.entity.AuditEntity;
import javax.annotation.Nonnull;
import java.util.List;
import static java.util.Objects.requireNonNull;

public class MyConsumer implements AuditConsumer {
    @Override
    public void accept(@Nonnull List<AuditEntity> entities) {
        // Called with each batch of audit entities; here they are just printed
        requireNonNull(entities, "entities").forEach(System.out::println);
    }
}

  2. Export the component (MyConsumer) to OSGi via:
  • in atlassian-plugin-xml
  • spring scanner, i.e. @ExportAsService
  • spring java configuration
  • spring xml configuration

Where can I see this in action

Vendors can check out the BB 7.0 EAP to see Milestone 1 in action today:

EAP Announcement Link

Ben Magro
Data Center - Product Manager

7 Likes

When I use the Jira Java API in my Jira addon, are these method calls automatically included in the audit e.g.

  • ProjectManager (com.atlassian.jira.project.ProjectManager)
  • VersionManager (com.atlassian.jira.project.version.VersionManager)
  • OptionsManager (com.atlassian.jira.issue.customfields.manager.OptionsManager)
  • ProjectComponentManager (com.atlassian.jira.bc.project.component.ProjectComponentManager)
  • PermissionManager (com.atlassian.jira.security.PermissionManager)
3 Likes

In Jira 8.8
Components audited (AuditService.audit() will be invoked):

  • ProjectManager (com.atlassian.jira.project.ProjectManager)
  • VersionManager (com.atlassian.jira.project.version.VersionManager)
  • ProjectComponentManager (com.atlassian.jira.bc.project.component.ProjectComponentManager)

Components are NOT audited:

  • OptionsManager (com.atlassian.jira.issue.customfields.manager.OptionsManager)
  • PermissionManager (com.atlassian.jira.security.PermissionManager)
1 Like
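
Since the reply above lists OptionsManager as not audited in Jira 8.8, an add-on that changes custom field options can record those changes itself through AuditService. This is an added example, not code from Atlassian or from anyone in this thread; it reuses the builder and constructor calls from the announcement's snippet (check them against the audit API version you compile against), and the class name, action/category strings and resource type are assumptions.

```java
import com.atlassian.audit.api.AuditService;
import com.atlassian.audit.entity.AuditEvent;
import com.atlassian.audit.entity.AuditResource;
import com.atlassian.audit.entity.ChangedValue;
import com.atlassian.audit.entity.CoverageLevel;
import com.atlassian.jira.issue.customfields.manager.OptionsManager;
import com.atlassian.jira.issue.customfields.option.Option;

import static java.util.Objects.requireNonNull;

/** Hypothetical add-on helper: performs the OptionsManager call, then audits it. */
public class AuditedOptions {
    // Constructed names (assumptions); use ones that match your add-on.
    private static final String CATEGORY = "Custom field options (my add-on)";
    private static final String RESOURCE_TYPE = "CustomFieldOption";

    private final OptionsManager optionsManager;
    private final AuditService auditService;

    public AuditedOptions(OptionsManager optionsManager, AuditService auditService) {
        this.optionsManager = requireNonNull(optionsManager, "optionsManager");
        this.auditService = requireNonNull(auditService, "auditService");
    }

    /** Rename: old and new value are recorded so the log shows what changed. */
    public void rename(Option option, String newValue) {
        String id = String.valueOf(option.getOptionId()); // capture before mutating
        String oldValue = option.getValue();
        optionsManager.setValue(option, newValue);        // audit only after success
        auditService.audit(event("Option renamed", id, oldValue)
                .changedValue(new ChangedValue("value", oldValue, newValue))
                .build());
    }

    /** Data removal: logged at BASE so it survives the lowest coverage setting. */
    public void delete(Option option) {
        String id = String.valueOf(option.getOptionId()); // capture before deletion
        String value = option.getValue();
        optionsManager.deleteOptionAndChildren(option);
        auditService.audit(event("Option deleted", id, value).build());
    }

    private static AuditEvent.Builder event(String action, String id, String name) {
        return AuditEvent.builder(action, CATEGORY, CoverageLevel.BASE)
                .affectedObject(AuditResource.builder(name, RESOURCE_TYPE).id(id).build());
    }
}
```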

Is there documentation available where this is listed? It would be useful to have this documented, e.g. in the JavaDoc API documentation.

1 Like