Collect Atlassian Confluence logs

Supported in:

Google secops SIEM

This document explains how to ingest Atlassian Confluence logs to Google Security Operations. The parser first attempts to extract fields from the raw log message using regular expressions (grok patterns) designed for Atlassian Confluence logs. If the grok parsing fails or the log is in JSON format, the code then attempts to parse the message as JSON. Finally, the extracted fields are mapped to the Google SecOps UDM schema and enriched with additional context.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
Atlassian Confluence Cloud account with audit log access OR Confluence Data Center/Server with administrative access
For AWS-based methods: Privileged access to AWS (S3, IAM, Lambda, EventBridge)
For Bindplane method: Windows 2016 or later or Linux host with systemd

Integration options overview

This guide provides two integration paths:

Option 1: Confluence Data Center/Server via BindPlane + Syslog
Option 2: Confluence Cloud Audit Logs via AWS Lambda + S3 (JSON format)

Choose the option that best fits your Confluence deployment type and infrastructure.

Option 1: Confluence Data Center/Server via Bindplane + Syslog

This option configures Confluence Data Center or Server to send logs via syslog to a Bindplane agent, which then forwards them to Google SecOps.

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open the Command Prompt or PowerShell as an administrator.

Run the following command:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Additional installation resources

For additional installation options, consult this installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

Access the configuration file:
1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
2. Open the file using a text editor (for example, nano, vi, or Notepad).

Edit the config.yaml file as follows:

receivers:
  udplog:
    # Replace the port and IP address as required
    listen_address: "0.0.0.0:514"

exporters:
  chronicle/chronicle_w_labels:
    compression: gzip
    # Adjust the path to the credentials file you downloaded
    creds_file_path: '/path/to/ingestion-authentication-file.json'
    # Replace with your actual customer ID
    customer_id: YOUR_CUSTOMER_ID
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: 'ATLASSIAN_CONFLUENCE'
    raw_log_field: body
    ingestion_labels:

service:
  pipelines:
    logs/confluence:
      receivers:
        - udplog
      exporters:
        - chronicle/chronicle_w_labels

Replace the port and IP address as required in your infrastructure.
Replace <YOUR_CUSTOMER_ID_HERE> with the actual customer ID.
Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux, run the following command:
```
sudo systemctl restart bindplane-agent
```
To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:
```
net stop BindPlaneAgent && net start BindPlaneAgent
```

Configure Syslog forwarding on Confluence Data Center/Server

Option A: Configure Log4j SyslogAppender (Recommended)

Sign in to your Confluence server via SSH or RDP.
Locate the Log4j configuration file:
- For Log4j2: <confluence-install>/confluence/WEB-INF/classes/log4j2.xml

Edit the configuration file to add a SyslogAppender:

<Configuration>
  <Appenders>
    <!-- Existing appenders -->

    <Syslog name="SyslogAppender" 
            host="BINDPLANE_AGENT_IP" 
            port="514" 
            protocol="UDP"
            facility="LOCAL0"
            format="RFC5424">
      <PatternLayout pattern="%d{ISO8601} %p [%t] [%c{1}] %m%n"/>
    </Syslog>
  </Appenders>

  <Loggers>
    <Root level="info">
      <AppenderRef ref="SyslogAppender"/>
      <!-- Other appender refs -->
    </Root>

    <!-- Audit logger -->
    <Logger name="com.atlassian.confluence.event.events.security.AuditEvent" level="info" additivity="false">
      <AppenderRef ref="SyslogAppender"/>
    </Logger>
  </Loggers>
</Configuration>

Replace BINDPLANE_AGENT_IP with the IP address of your BindPlane agent.

Restart Confluence to apply changes:
```
sudo systemctl restart confluence
```

Option B: Configure rsyslog to forward local log files

Configure Confluence to write logs to files (default behavior).

Install rsyslog if not present:

sudo apt-get install rsyslog  # Debian/Ubuntu
sudo yum install rsyslog      # RHEL/CentOS

Create rsyslog configuration file /etc/rsyslog.d/confluence.conf:

# Forward Confluence logs to BindPlane
$ModLoad imfile

# Application logs
$InputFileName /opt/atlassian/confluence/logs/atlassian-confluence.log
$InputFileTag confluence-app:
$InputFileStateFile stat-confluence-app
$InputFileSeverity info
$InputFileFacility local0
$InputRunFileMonitor

# Audit logs (JSON format in DC/Server)
$InputFileName /var/atlassian/application-data/confluence/log/audit/*.json
$InputFileTag confluence-audit:
$InputFileStateFile stat-confluence-audit
$InputFileSeverity info
$InputFileFacility local1
$InputRunFileMonitor

# Forward to BindPlane agent
*.* @@BINDPLANE_AGENT_IP:514

Replace BINDPLANE_AGENT_IP with the IP address of your Bindplane agent.
Adjust log file paths based on your Confluence installation:
- Application logs typically: <confluence-install>/logs/ or <local-home>/logs/
- Audit logs: <confluence-home>/log/audit/*.json

Restart rsyslog:
```
sudo systemctl restart rsyslog
```

Option 2: Confluence Cloud Audit Logs via AWS Lambda + S3

Collect Confluence Cloud API credentials

Sign in to your Atlassian account.
Go to https://id.atlassian.com/manage-profile/security/api-tokens.
Click Create API token.
Enter a label for the token (for example, Google Security Operations Integration).
Click Create.
Copy and save the API token securely.
Note your Confluence Cloud site URL (for example, https://yoursite.atlassian.net).
Note your Atlassian account email address (used for authentication).

Configure AWS S3 bucket and IAM for Google SecOps

Create Amazon S3 bucket following this user guide: Creating a bucket
Save bucket Name and Region for future reference (for example, confluence-audit-logs).
Create a User following this user guide: Creating an IAM user.
Select the created User.
Select Security credentials tab.
Click Create Access Key in section Access Keys.
Select Third-party service as Use case.
Click Next.
Optional: Add a description tag.
Click Create access key.
Click Download CSV file to save the Access Key and Secret Access Key for future reference.
Click Done.
Select Permissions tab.
Click Add permissions in section Permissions policies.
Select Add permissions.
Select Attach policies directly.
Search for AmazonS3FullAccess policy.
Select the policy.
Click Next.
Click Add permissions.

Configure the IAM policy and role for S3 uploads

In the AWS console, go to IAM > Policies > Create policy > JSON tab.

Enter the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPutObjects",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::confluence-audit-logs/*"
    },
    {
      "Sid": "AllowGetStateObject",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::confluence-audit-logs/confluence-audit/state.json"
    }
  ]
}

Replace confluence-audit-logs if you entered a different bucket name.

Click Next > Create policy.
Name the policy ConfluenceAuditToS3Policy.
Go to IAM > Roles > Create role > AWS service > Lambda.
Attach the newly created policy ConfluenceAuditToS3Policy.
Name the role ConfluenceAuditLambdaRole and click Create role.

Create the Lambda function

In the AWS Console, go to Lambda > Functions.
Click Create function > Author from scratch.
Provide the following configuration details:

Setting Value

Name ConfluenceAuditToS3

Runtime Python 3.13

Architecture x86_64

Execution role ConfluenceAuditLambdaRole

Setting	Value
Name	`ConfluenceAuditToS3`
Runtime	Python 3.13
Architecture	x86_64
Execution role	`ConfluenceAuditLambdaRole`

After the function is created, open the Code tab, delete the stub and enter the following the code:

import json
import os
import boto3
from datetime import datetime, timezone, timedelta
from urllib import request, parse, error
from base64 import b64encode

# Environment variables
S3_BUCKET = os.environ['S3_BUCKET']
S3_PREFIX = os.environ.get('S3_PREFIX', 'confluence-audit/')
STATE_KEY = os.environ.get('STATE_KEY', 'confluence-audit/state.json')
CONFLUENCE_URL = os.environ['CONFLUENCE_URL']  # e.g., https://yoursite.atlassian.net
CONFLUENCE_EMAIL = os.environ['CONFLUENCE_EMAIL']
CONFLUENCE_API_TOKEN = os.environ['CONFLUENCE_API_TOKEN']
MAX_RECORDS = int(os.environ.get('MAX_RECORDS', '1000'))

s3_client = boto3.client('s3')

def lambda_handler(event, context):
    """Fetch Confluence Cloud audit logs and write to S3."""

    # Read last execution state
    start_date = get_last_execution_time()
    end_date = datetime.now(timezone.utc)

    print(f"Fetching audit logs from {start_date} to {end_date}")

    # Fetch audit records
    records = fetch_audit_logs(start_date, end_date)

    if not records:
        print("No new audit records found.")
        save_state(end_date)
        return {'statusCode': 200, 'body': 'No new records'}

    # Write to S3
    timestamp = end_date.strftime('%Y%m%d_%H%M%S')
    object_key = f"{S3_PREFIX}audit_{timestamp}.json"

    s3_client.put_object(
        Bucket=S3_BUCKET,
        Key=object_key,
        Body='\n'.join(json.dumps(record) for record in records),
        ContentType='application/json'
    )

    print(f"Wrote {len(records)} records to s3://{S3_BUCKET}/{object_key}")

    # Update state
    save_state(end_date)

    return {
        'statusCode': 200,
        'body': f"Processed {len(records)} records"
    }

def get_last_execution_time():
    """Retrieve the last execution timestamp from S3 state file."""
    try:
        response = s3_client.get_object(Bucket=S3_BUCKET, Key=STATE_KEY)
        state = json.loads(response['Body'].read())
        return datetime.fromisoformat(state['last_execution'])
    except s3_client.exceptions.NoSuchKey:
        # First run: fetch logs from last 24 hours
        return datetime.now(timezone.utc) - timedelta(hours=24)
    except Exception as e:
        print(f"Error reading state: {e}")
        return datetime.now(timezone.utc) - timedelta(hours=24)

def save_state(execution_time):
    """Save the execution timestamp to S3 state file."""
    state = {'last_execution': execution_time.isoformat()}
    s3_client.put_object(
        Bucket=S3_BUCKET,
        Key=STATE_KEY,
        Body=json.dumps(state),
        ContentType='application/json'
    )

def fetch_audit_logs(start_date, end_date):
    """Fetch audit logs from Confluence Cloud REST API."""
    records = []
    start_param = int(start_date.timestamp() * 1000)  # milliseconds
    end_param = int(end_date.timestamp() * 1000)

    # Build authentication header
    auth_string = f"{CONFLUENCE_EMAIL}:{CONFLUENCE_API_TOKEN}"
    auth_bytes = auth_string.encode('ascii')
    auth_b64 = b64encode(auth_bytes).decode('ascii')

    headers = {
        'Authorization': f'Basic {auth_b64}',
        'Accept': 'application/json'
    }

    # Confluence Cloud Audit API endpoint
    url = f"{CONFLUENCE_URL}/wiki/rest/api/audit?startDate={start_param}&endDate={end_param}&limit=1000"

    try:
        req = request.Request(url, headers=headers)
        with request.urlopen(req) as response:
            data = json.loads(response.read())
            records = data.get('results', [])
            print(f"Retrieved {len(records)} audit records")
    except error.HTTPError as e:
        print(f"HTTP Error: {e.code} - {e.reason}")
        print(e.read().decode())
    except Exception as e:
        print(f"Error fetching audit logs: {e}")

    return records[:MAX_RECORDS]

Go to Configuration > Environment variables.
Click Edit > Add new environment variable.

Enter the following environment variables, replacing with your values.

Key	Example value
`S3_BUCKET`	`confluence-audit-logs`
`S3_PREFIX`	`confluence-audit/`
`STATE_KEY`	`confluence-audit/state.json`
`CONFLUENCE_URL`	`https://yoursite.atlassian.net`
`CONFLUENCE_EMAIL`	`your-email@example.com`
`CONFLUENCE_API_TOKEN`	`your-api-token-here`
`MAX_RECORDS`	`1000`

Select the Configuration tab.
In the General configuration panel click Edit.
Change Timeout to 5 minutes (300 seconds) and click Save.

Create an EventBridge schedule

Go to Amazon EventBridge > Scheduler > Create schedule.
Provide the following configuration details:
- Recurring schedule: Rate (1 hour).
- Target: Your Lambda function ConfluenceAuditToS3.
- Name: ConfluenceAuditToS3-1h.
Click Create schedule.

Optional: Create read-only IAM user & keys for Google SecOps

Go to AWS Console > IAM > Users.
Click Add users.
Provide the following configuration details:
- User: Enter secops-confluence-reader.
- Access type: Select Access key – Programmatic access.
Click Next.
Click Attach policies directly > Create policy.

In the JSON editor, enter the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::confluence-audit-logs/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::confluence-audit-logs"
    }
  ]
}

Set the name to secops-reader-policy.
Go to Create policy > search/select > Next > Add permissions.
Go to Security credentials > Access keys > Create access key.
Download the CSV (these values are entered into the feed).

Configure a feed in Google SecOps to ingest Confluence logs

Go to SIEM Settings > Feeds.
Click Add New Feed.
In the Feed name field, enter a name for the feed (for example, Confluence Cloud Audit Logs).
Select Amazon S3 V2 as the Source type.
Select Atlassian Confluence as the Log type.
Click Next.
Specify values for the following input parameters:
- S3 URI: s3://confluence-audit-logs/confluence-audit/
- Source deletion options: Select deletion option according to your preference.
- Maximum File Age: Include files modified in the last number of days. Default is 180 days.
- Access Key ID: User access key with access to the S3 bucket.
- Secret Access Key: User secret key with access to the S3 bucket.
- Asset namespace: The asset namespace.
- Ingestion labels: The label applied to the events from this feed.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Log Field	UDM Mapping	Logic
agent	read_only_udm.network.http.user_agent	Value taken from "agent" field.
app_protocol	read_only_udm.network.application_protocol	Derived from "app_protocol" field. If "app_protocol" contains "HTTPS", "HTTP", "SSH", or "RDP", the corresponding protocol is used. Otherwise, it defaults to "UNKNOWN_APPLICATION_PROTOCOL".
app_protocol	read_only_udm.network.application_protocol_version	Value taken from "app_protocol" field.
auditType.action	read_only_udm.security_result.action	Derived from "auditType.action" field. If "auditType.action" contains "successful", the value is set to "ALLOW". If it contains "restricted", the value is set to "BLOCK".
auditType.action	read_only_udm.security_result.summary	Value taken from "auditType.action" field when "auditType" is not empty and "auditType_area" is "SECURITY".
auditType.actionI18nKey	read_only_udm.metadata.product_event_type	Value taken from "auditType.actionI18nKey" field when "auditType" is not empty.
auditType.area	read_only_udm.security_result.detection_fields.value	Value taken from "auditType.area" field and assigned to the "value" field of a detection field with the "key" field set to "auditType area". This mapping is done when "auditType" is not empty.
auditType.category	read_only_udm.security_result.category_details	Value taken from "auditType.category" field when "auditType" is not empty.
auditType.categoryI18nKey	read_only_udm.security_result.detection_fields.value	Value taken from "auditType.categoryI18nKey" field and assigned to the "value" field of a detection field with the "key" field set to "auditType categoryI18nKey". This mapping is done when "auditType" is not empty.
auditType.level	read_only_udm.security_result.detection_fields.value	Value taken from "auditType.level" field and assigned to the "value" field of a detection field with the "key" field set to "auditType level". This mapping is done when "auditType" is not empty.
author.displayName	read_only_udm.principal.user.user_display_name	Value taken from "author.displayName" field.
author.externalCollaborator	read_only_udm.security_result.about.resource.attribute.labels.value	Value taken from "author.externalCollaborator" field and assigned to the "value" field of a label with the "key" field set to "externalCollaborator".
author.id	read_only_udm.principal.user.userid	Value taken from "author.id" field when "author.type" is "user" and "principal_user_present" is "false".
author.isExternalCollaborator	read_only_udm.security_result.about.resource.attribute.labels.value	Value taken from "author.isExternalCollaborator" field and assigned to the "value" field of a label with the "key" field set to "isExternalCollaborator".
author.name	read_only_udm.principal.user.user_display_name	Value taken from "author.name" field when "author.type" is "user" and "principal_user_present" is "false".
bytes_in	read_only_udm.network.received_bytes	Value taken from "bytes_in" field if it contains digits. Otherwise, it defaults to 0.
category	read_only_udm.security_result.category_details	Value taken from "category" field.
changedValues	read_only_udm.principal.resource.attribute.labels	Iterates through each element in "changedValues" and creates labels with keys like "changedValue[index][key]" and values from the corresponding values in the "changedValues" array.
creationDate	read_only_udm.metadata.event_timestamp	Value taken from "creationDate" field, parsed as either UNIX or UNIX_MS timestamp.
extraAttributes	read_only_udm.principal.resource.attribute.labels	Iterates through each element in "extraAttributes" and creates labels with keys based on "name" and "nameI18nKey" fields and values from the corresponding "value" field.
http_verb	read_only_udm.network.http.method	Value taken from "http_verb" field.
ip	read_only_udm.target.ip	Value taken from "ip" field.
principal_host	read_only_udm.principal.hostname	Value taken from "principal_host" field.
referral_url	read_only_udm.network.http.referral_url	Value taken from "referral_url" field.
remoteAddress	read_only_udm.principal.ip	Value taken from "remoteAddress" field, parsed as an IP address.
response_code	read_only_udm.network.http.response_code	Value taken from "response_code" field.
session_duration	read_only_udm.additional.fields.value.string_value	Value taken from "session_duration" field and assigned to the "string_value" field of a label with the "key" field set to "Session Duration".
source	read_only_udm.principal.ip	Value taken from "source" field, parsed as an IP address.
src_ip	read_only_udm.principal.ip	Value taken from "src_ip" field if "remoteAddress" is empty.
summary	read_only_udm.security_result.summary	Value taken from "summary" field.
sysAdmin	read_only_udm.security_result.about.resource.attribute.labels.value	Value taken from "sysAdmin" field and assigned to the "value" field of a label with the "key" field set to "sysAdmin".
superAdmin	read_only_udm.security_result.about.resource.attribute.labels.value	Value taken from "superAdmin" field and assigned to the "value" field of a label with the "key" field set to "superAdmin".
target_url	read_only_udm.target.url	Value taken from "target_url" field.
timestamp	read_only_udm.metadata.event_timestamp	Value taken from "timestamp" field, parsed as a date and time string.
user_id	read_only_udm.principal.user.userid	Value taken from "user_id" field.
	read_only_udm.metadata.event_type	This field's value is determined by a series of checks and defaults to "GENERIC_EVENT". It is set to specific values like "NETWORK_HTTP", "USER_UNCATEGORIZED", or "STATUS_UPDATE" based on the presence and content of other fields like "principal_host", "user_id", "has_principal", and "author.type".
	read_only_udm.metadata.vendor_name	Set to "ATLASSIAN".
	read_only_udm.metadata.product_name	Set to "CONFLUENCE".
	read_only_udm.metadata.log_type	Set to "ATLASSIAN_CONFLUENCE".
	read_only_udm.principal.user.user_display_name	This field's value can come from either "author.displayName" or "affectedObject.name" depending on the context.
	read_only_udm.target.process.pid	This field's value can come from either "principal_host" or "pid" depending on the context.
	read_only_udm.principal.resource.attribute.labels	This field is populated with various labels derived from fields like "affectedObjects", "changedValues", and "extraAttributes". The keys and values of these labels are dynamically generated based on the specific content of these fields.

Need more help? Get answers from Community members and Google SecOps professionals.