System changes in Jira Datacenter Audit log are shown as 'Unknown' instead of 'System' affecting Splunk integration


    • 8.13
    • 6
    • Severity 3 - Minor
    • 0

      Issue Summary

      This issue affects customers who integrate Jira Datacenter with Splunk to view audit logs, as per View the audit log. In general, events carry the information below:

      Information for each event may include:

      • Source - IP address of the user who performed the action (though not recorded for system-generated events). Can also show the node IP address.
      • Node ID - unique ID of the node where the action was performed.
      • Method - depending on how the action was performed, will be either Browser (end user) or System (system process).

      The value of Method for events triggered by a system change (e.g. Upgrade finished) is shown in the Jira Datacenter Audit log as "method":"Unknown" instead of "method":"System".

      Steps to Reproduce

      1. In a local Jira Datacenter, perform a test upgrade
      2. Check the Audit log (⚙️ → System → Audit Log) for 'Upgrade finished'
      3. Value is shown as "method":"Unknown" instead of "method":"System"
      4. Splunk will not be able to recognize this JSON value in the files under $Jira_home/log/audit:
        {"affectedObjects":[{"name":"unspecified","type":"UNSPECIFIED"}],"auditType":{"action":"Upgrade finished","actionI18nKey":"jira.auditing.upgrade.finished","area":"GLOBAL_CONFIG_AND_ADMINISTRATION","category":"system","categoryI18nKey":"jira.auditing.category.system","level":"BASE"},"author":{"id":"-1","name":"System","type":"system"},"changedValues":[{"from":"813004","i18nKey":"Build Number","key":"Build Number","to":"813009"},{"from":"8.13.4","i18nKey":"Version","key":"Version","to":"8.13.9"}],"extraAttributes":[{"name":"Description","nameI18nKey":"jira.auditing.extra.parameters.event.description","value":"Upgrade tasks have completed, Jira has been removed from upgrade mode, and the upgrade has completed successfully."}],"method":"Unknown","node":"xxx","system":"http://xxxx","timestamp":{"epochSecond":1628587388,"nano":920000000},"version":"1.0"}

        In addition, a few actions, such as deleting a project, are shown as "method":"Task", a value that is not mentioned in our official documentation, Auditing in Jira.

      Expected Results

      The value of Method for events triggered by a system change in the Jira Datacenter Audit log should be shown as "method":"System" instead of "method":"Unknown".

      Actual Results

      The value of Method for events triggered by a system change in the Jira Datacenter Audit log is shown as "method":"Unknown" instead of "method":"System".

      Workaround

      At the moment, the workaround is to use the events with "method":"Browser" and "method":"Task" in Splunk.
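
      An added example, not part of the original report or of Atlassian's code: a pre-ingestion normalizer that relabels system-authored events whose method is "Unknown" so that system changes stay searchable in the SIEM, while keeping the raw value. It assumes, based only on the 'Upgrade finished' record above, that "author":{"type":"system"} marks a system-generated event; the function names and the second and third sample lines are constructed.

```python
import json


def effective_method(event: dict) -> str:
    """Return the method to index for one audit event."""
    method = event.get("method", "Unknown")
    author = event.get("author") or {}
    # Assumption: author.type == "system" identifies a system-generated event,
    # as in the 'Upgrade finished' record shown on this page.
    if method == "Unknown" and author.get("type") == "system":
        return "System"
    # "Browser", "Task" and user-authored "Unknown" events pass through as-is.
    return method


def normalize_lines(lines):
    """Parse JSON audit lines into (effective_method, action, raw_method)."""
    out = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            ev = None
        if not isinstance(ev, dict):
            # Keep a marker so malformed lines are counted, not silently lost.
            out.append(("Unparsed", f"line {n}", None))
            continue
        action = (ev.get("auditType") or {}).get("action", "")
        # The raw method is preserved next to the derived one for later review.
        out.append((effective_method(ev), action, ev.get("method")))
    return out


# Constructed sample input. Line 1 is trimmed from the event in this report;
# lines 2-4 are made up to exercise the other branches.
SAMPLE = [
    '{"auditType":{"action":"Upgrade finished","category":"system"},'
    '"author":{"id":"-1","name":"System","type":"system"},"method":"Unknown"}',
    '{"auditType":{"action":"Project deleted"},'
    '"author":{"id":"10000","name":"admin","type":"user"},"method":"Task"}',
    '{"auditType":{"action":"User created"},'
    '"author":{"id":"10000","name":"admin","type":"user"},"method":"Unknown"}',
    "not json",
]

if __name__ == "__main__":
    for row in normalize_lines(SAMPLE):
        print(row)
```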


            Assignee:
            Unassigned
            Reporter:
            Sriteja Kattamuru (Inactive)
            Votes:
            1
            Watchers:
            3