Summary
When using the audit logs of the organization, for Enterprise instances, it will display events such as page viewed, edited, and deleted, for Confluence.
When a draft is deleted, it is also recorded but does not state that this is a draft. This means that if a blank draft is deleted, it only records the following, not displaying a page name:
Deleted confluence page
This might bring confusion to organization administrators because:
- This could mean that a page was deleted, but not properly recorded.
- When Confluence's internal automation job runs in order to delete blank drafts, it does not have an "actor", stating that this was done by an Anonymous user in the logs, making admins believe that someone is deleting pages.
- The admin could search for the page in Confluence's trash, but it would not be visible because a draft is not sent to the trash for the space.
Suggestion
To avoid confusion, this is a suggestion to implement the following information to the audit logs in regards to the deletion of (blank) drafts:
- State that it is a draft.
- For blank drafts, state that it is a blank draft being deleted instead of an empty title.
- For the automation, either associate it with a user or allow the audit logs to add a name to it (I.E. Confluence Automation - Draft deletion)
JRACLOUD-79986 [Tracking in Issue Links] Site-level audit log feature requests
CST JAC Workato Bot
made changes -
Please do something about this, we also found a large deletion thread in our instance, and as for now we can only trust Atlassian that it was not really an anonymous intruder but a normal/internal process which did that.
It is raising a major security concern on our end.
Thanks.
Philippe.
Note: I would suggest that you also log differently draft and page deletion, even for regular user. So that when we try to find a pageID that was deleted, we know that it is useless to look for it in spaces trash.