Bitbucket Data Center / BSERV-12844

As an admin I would like the ability to configure where audit logging is sent even after legacy audit logging is deprecated in Bitbucket version 8


    Description

      Problem Description

      • In Bitbucket 7.0 the audit logging changed
      • When that change occurred the following conditional was added to the logback-spring.xml:
        <springProperty scope="context" name="enableLegacyAuditLog"
                        source="audit.legacy.log" defaultValue="false"/>
        <if condition='property("enableLegacyAuditLog").equals("true")'>
            <then>
                <appender name="bitbucket.auditlog" class="ch.qos.logback.core.rolling.RollingFileAppender">
                    <encoder>
                        <charset>UTF-8</charset>
                        <pattern>%m%n</pattern>
                    </encoder>
                    <file>${log.dir}/audit/atlassian-bitbucket-audit.log</file>
                    <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
                        <fileNamePattern>${log.dir}/audit/atlassian-bitbucket-audit-%d.%i.log.gz</fileNamePattern>
                        <maxFileSize>25MB</maxFileSize>
                        <maxHistory>100</maxHistory>
                    </rollingPolicy>
                </appender>
                <!-- Enable audit logging and direct it to its own separate appender if it is enabled -->
                <logger name="bitbucket.audit-log" level="DEBUG" additivity="true">
                    <appender-ref ref="bitbucket.auditlog"/>
                </logger>
            </then>
        </if>
        
      • This conditional checks to see if legacy audit logging is enabled and if so it will revert to writing to the logfile specified in the appender definition
      • I was able to get audit logging written to SYSLOG by adding changes inside the conditional and using the facility attribute USER, e.g.:
        <springProperty scope="context" name="enableLegacyAuditLog"
                        source="audit.legacy.log" defaultValue="false"/>
        <if condition='property("enableLegacyAuditLog").equals("true")'>
            <then>
                <appender name="bitbucket.auditlog" class="ch.qos.logback.core.rolling.RollingFileAppender">
                    <encoder>
                        <charset>UTF-8</charset>
                        <pattern>%m%n</pattern>
                    </encoder>
                    <file>${log.dir}/audit/atlassian-bitbucket-audit.log</file>
                    <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
                        <fileNamePattern>${log.dir}/audit/atlassian-bitbucket-audit-%d.%i.log.gz</fileNamePattern>
                        <maxFileSize>25MB</maxFileSize>
                        <maxHistory>100</maxHistory>
                    </rollingPolicy>
                </appender>
                <appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
                    <syslogHost>172.28.128.103</syslogHost>
                    <facility>USER</facility>
                    <port>514</port>
                    <suffixPattern>[%thread] %logger %msg</suffixPattern>
                </appender>

                <!-- Enable audit logging and direct it to its own separate appender if it is enabled -->
                <logger name="bitbucket.audit-log" level="DEBUG" additivity="true">
                    <appender-ref ref="bitbucket.auditlog"/>
                    <appender-ref ref="SYSLOG"/>
                </logger>
            </then>
        </if>
        
      • From there legacy audit logging needed to be enabled by adding the following to the $BITBUCKET_HOME/shared/bitbucket.properties file:
        audit.legacy.log=true
        
      • From here I can see the audit logging written to SYSLOG during startup:
        Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186185 | com.atlassian.prettyurls.atlassian-pretty-urls-plugin | - | - | -
        Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186192 | com.atlassian.soy.soy-template-plugin | - | - | -
        Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186200 | com.atlassian.stash.plugins.stash-remote-event-bitbucket-server-spi | - | - | -
        Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186244 | com.atlassian.troubleshooting.plugin-bitbucket | - | - | -
        Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186251 | com.atlassian.webhooks.atlassian-webhooks-plugin | - | - | -
        Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186252 | com.springsource.net.jcip.annotations-1.0.0 | - | - | -
        Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186259 | tac.bitbucket.languages.de_DE | - | - | -
        Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186269 | tac.bitbucket.languages.fr_FR | - | - | -
        Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186286 | tac.bitbucket.languages.ja_JP | - | - | -
        Apr 29 13:35:16 vagrant systemd-networkd[1591]: eth1: DHCP: No routes received from DHCP server: No data available
        
      • As well as when I perform an operation in the BASE audit scope like creating or deleting a user:
        Apr 29 13:42:28 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log 172.28.128.1 | User deleted | nhansberry | 1619703748024 | test | - | - | -
        

      If this all relies on enabling legacy audit logging, this configuration will not work when legacy audit logging is deprecated in Bitbucket version 8 (see: https://confluence.atlassian.com/bitbucketserver/configuration-properties-776640155.html#Configurationproperties-Audit for deprecation notice)

      Proposed Solution

      • Implement a way to keep this functionality even after legacy audit logging is deprecated
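
      On the receiving side, the syslog output quoted in the description can be parsed as below. This is an added example, not part of the original issue and not Atlassian code: it reads records forwarded with the [%thread] %logger %msg suffix pattern and keeps only events whose first field is a client IP address. The field names source, action, user, details and trailing are assumptions, since the issue does not name the columns.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Sample input: three lines taken from the syslog output quoted in the issue.
SAMPLE = """\
Apr 29 13:33:44 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log - | Plugin enabled | System | 1619703186185 | com.atlassian.prettyurls.atlassian-pretty-urls-plugin | - | - | -
Apr 29 13:35:16 vagrant systemd-networkd[1591]: eth1: DHCP: No routes received from DHCP server: No data available
Apr 29 13:42:28 vagrant [audit-broker-consumer-thread-707705260] bitbucket.audit-log 172.28.128.1 | User deleted | nhansberry | 1619703748024 | test | - | - | -
""".splitlines()

# Syslog header, then the appender's suffixPattern "[%thread] %logger %msg".
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
    r"\[(?P<thread>[^\]]+)\] bitbucket\.audit-log (?P<msg>.*)$")

def parse_audit_line(line):
    """Return a dict for a forwarded audit record, or None for any other line."""
    m = LINE_RE.match(line)
    parts = m.group("msg").split(" | ") if m else []
    if len(parts) < 8 or not parts[3].isdigit():
        return None
    ms = int(parts[3])  # epoch milliseconds
    return {
        "source": parts[0],   # assumed name: client address, "-" when absent
        "action": parts[1],   # assumed name
        "user": parts[2],     # assumed name
        "when": datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
                + timedelta(milliseconds=ms % 1000),
        # A details value that itself contains " | " is rejoined here.
        "details": " | ".join(parts[4:-3]),
        "trailing": parts[-3:],  # meaning not stated on the page
    }

def has_remote_source(event):
    """True when the first field is a valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(event["source"])
        return True
    except ValueError:
        return False

def remote_events(lines):
    """Parsed audit events that carry a client address; everything else is dropped."""
    events = (parse_audit_line(line) for line in lines)
    return [e for e in events if e and has_remote_source(e)]

if __name__ == "__main__":
    for e in remote_events(SAMPLE):
        print(e["when"].isoformat(), e["source"], e["user"], e["action"], e["details"])
```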

          People

            Unassigned
            nhansberry Nate Hansberry
            Votes: 3
            Watchers: 7
