- Type: Bug
- Resolution: Unresolved
- Priority: Low
- Affects Version/s: 8.13.9, 8.21.0
- Component/s: System Administration - Audit Logs
- Severity 3 - Minor
Issue Summary
This issue occurs when customers integrate Jira Data Center with Splunk to view audit logs, as per View the audit log. In general, we have the below events:
Information for each event may include:
- Source - IP address of the user who performed the action (though not recorded for system-generated events). Can also show the node IP address.
- Node ID - unique ID of the node where the action was performed.
- Method - depending on how the action was performed, will be either Browser (end user) or System (system process).
The value of the Method field for events triggered by a system change is shown in the Jira Data Center audit log as "method":"Unknown" instead of "method":"System", e.g. for Upgrade finished.
Steps to Reproduce
- In a local Jira Data Center instance, perform a test upgrade
- Check the Audit log (⚙️ → System → Audit Log) for 'Upgrade finished'

- Value is shown as "method":"Unknown" instead of "method":"System"
- Splunk will not be able to recognize this JSON value under $Jira_home/log/audit:
{"affectedObjects":[{"name":"unspecified","type":"UNSPECIFIED"}],"auditType":{"action":"Upgrade finished","actionI18nKey":"jira.auditing.upgrade.finished","area":"GLOBAL_CONFIG_AND_ADMINISTRATION","category":"system","categoryI18nKey":"jira.auditing.category.system","level":"BASE"},"author":{"id":"-1","name":"System","type":"system"},"changedValues":[{"from":"813004","i18nKey":"Build Number","key":"Build Number","to":"813009"},{"from":"8.13.4","i18nKey":"Version","key":"Version","to":"8.13.9"}],"extraAttributes":[{"name":"Description","nameI18nKey":"jira.auditing.extra.parameters.event.description","value":"Upgrade tasks have completed, Jira has been removed from upgrade mode, and the upgrade has completed successfully."}],"method":"Unknown","node":"xxx","system":"http://xxxx","timestamp":{"epochSecond":1628587388,"nano":920000000},"version":"1.0"}
In addition, a few actions, such as deleting a project, are shown as "method":"Task", a value that is not mentioned in our official documentation, Auditing in Jira.

Expected Results
The value of the Method field for events triggered by a system change should be shown in the Jira Data Center audit log as "method":"System" instead of "method":"Unknown".
Actual Results
The value of the Method field for events triggered by a system change is shown in the Jira Data Center audit log as "method":"Unknown" instead of "method":"System".
Workaround
At the moment, the workaround is to use the events with "method":"Browser" and "method":"Task" in Splunk.
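
For pipelines that pre-process the audit files before indexing, the following added example (not part of the original ticket and not Atlassian code) derives an effective method from the author type and flags method values outside the documented Browser/System set. It assumes that an event with "author" type "system" is system-generated; the sample lines are constructed and trimmed, with only the first modelled on the event quoted above.

```python
import json

# Method values the documentation excerpt quoted in this ticket lists.
DOCUMENTED_METHODS = {"Browser", "System"}

# Constructed sample lines, trimmed to the fields used here. The first mirrors
# the "Upgrade finished" event quoted above; the others are invented for the demo.
SAMPLE_LINES = [
    '{"auditType":{"action":"Upgrade finished"},"author":{"id":"-1","name":"System","type":"system"},"method":"Unknown"}',
    '{"auditType":{"action":"Project deleted"},"author":{"id":"10000","name":"admin","type":"user"},"method":"Task"}',
    '{"auditType":{"action":"User logged in"},"author":{"id":"10000","name":"admin","type":"user"},"method":"Browser"}',
    '{"auditType":{"action":"Truncated ev',
]


def effective_method(event):
    """Return (method, note); note is None when the raw value is used as-is."""
    raw = event.get("method")
    author = event.get("author")
    author_type = author.get("type") if isinstance(author, dict) else None
    # Assumption: an event authored by the system account is system-generated,
    # so "Unknown" can be treated as "System" for search purposes.
    if raw == "Unknown" and author_type == "system":
        return "System", "remapped from Unknown (system author)"
    if raw not in DOCUMENTED_METHODS:
        return raw, "method value not in documented set"
    return raw, None


def normalize_lines(lines):
    """Parse audit-log lines and attach the effective method to each event."""
    out = []
    for number, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            out.append({"line": number, "error": "invalid JSON"})
            continue
        if not isinstance(event, dict):
            out.append({"line": number, "error": "not a JSON object"})
            continue
        method, note = effective_method(event)
        action = (event.get("auditType") or {}).get("action")
        out.append({"line": number, "action": action, "raw_method": event.get("method"),
                    "method": method, "note": note})
    return out


if __name__ == "__main__":
    for row in normalize_lines(SAMPLE_LINES):
        print(row)
```

The raw value is kept alongside the derived one, so searches can still match on the original field once the product behaviour changes.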