Collect Atlassian Confluence logs
Supported in:
This document explains how to ingest Atlassian Confluence logs to Google Security Operations. The parser first attempts to extract fields from the raw log message using regular expressions (grok patterns) designed for Atlassian Confluence logs. If the grok parsing fails or the log is in JSON format, the code then attempts to parse the message as JSON. Finally, the extracted fields are mapped to the Google SecOps UDM schema and enriched with additional context.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Atlassian Confluence Cloud account with audit log access OR Confluence Data Center/Server with administrative access
- For AWS-based methods: Privileged access to AWS (S3, IAM, Lambda, EventBridge)
- For Bindplane method: Windows 2016 or later or Linux host with
systemd
Integration options overview
This guide provides two integration paths:
- Option 1: Confluence Data Center/Server via BindPlane + Syslog
- Option 2: Confluence Cloud Audit Logs via AWS Lambda + S3 (JSON format)
Choose the option that best fits your Confluence deployment type and infrastructure.
Option 1: Confluence Data Center/Server via Bindplane + Syslog
This option configures Confluence Data Center or Server to send logs via syslog to a Bindplane agent, which then forwards them to Google SecOps.
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer IDfrom the Organization Detailssection.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.
Windows installation
- Open the Command Promptor PowerShellas an administrator.
-
Run the following command:
msiexec / i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" / quiet
Linux installation
- Open a terminal with root or sudo privileges.
-
Run the following command:
sudo sh -c " $( curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) " install_unix.sh
Additional installation resources
- For additional installation options, consult this installation guide .
Configure the Bindplane agent to ingest Syslog and send to Google SecOps
-
Access the configuration file:
- Locate the
config.yamlfile. Typically, it's in the/etc/bindplane-agent/directory on Linux or in the installation directory on Windows. - Open the file using a text editor (for example,
nano,vi, or Notepad).
- Locate the
-
Edit the
config.yamlfile as follows:receivers : udplog : # Replace the port and IP address as required listen_address : "0.0.0.0:514" exporters : chronicle/chronicle_w_labels : compression : gzip # Adjust the path to the credentials file you downloaded creds_file_path : '/path/to/ingestion-authentication-file.json' # Replace with your actual customer ID customer_id : YOUR_CUSTOMER_ID endpoint : malachiteingestion-pa.googleapis.com log_type : 'ATLASSIAN_CONFLUENCE' raw_log_field : body ingestion_labels : service : pipelines : logs/confluence : receivers : - udplog exporters : - chronicle/chronicle_w_labels- Replace the port and IP address as required in your infrastructure.
- Replace
<YOUR_CUSTOMER_ID_HERE>with the actual customer ID. - Update
/path/to/ingestion-authentication-file.jsonto the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.
Restart the Bindplane agent to apply the changes
-
To restart the Bindplane agent in Linux, run the following command:
sudo systemctl restart bindplane-agent -
To restart the Bindplane agent in Windows, you can either use the Servicesconsole or enter the following command:
net stop BindPlaneAgent && net start BindPlaneAgent
Configure Syslog forwarding on Confluence Data Center/Server
Option A: Configure Log4j SyslogAppender (Recommended)
- Sign in to your Confluence server via SSH or RDP.
- Locate the Log4j configuration file:
- For Log4j2:
<confluence-install>/confluence/WEB-INF/classes/log4j2.xml
- For Log4j2:
-
Edit the configuration file to add a SyslogAppender:
<Configuration> <Appenders> <!-- Existing appenders --> <Syslog name="SyslogAppender" host="BINDPLANE_AGENT_IP" port="514" protocol="UDP" facility="LOCAL0" format="RFC5424"> <PatternLayout pattern="%d{ISO8601} %p [%t] [%c{1}] %m%n"/> </Syslog> </Appenders> <Loggers> <Root level="info"> <AppenderRef ref="SyslogAppender"/> <!-- Other appender refs --> </Root> <!-- Audit logger --> <Logger name="com.atlassian.confluence.event.events.security.AuditEvent" level="info" additivity="false"> <AppenderRef ref="SyslogAppender"/> </Logger> </Loggers> </Configuration>- Replace
BINDPLANE_AGENT_IPwith the IP address of your BindPlane agent.
- Replace
-
Restart Confluence to apply changes:
sudo systemctl restart confluence
Option B: Configure rsyslog to forward local log files
- Configure Confluence to write logs to files (default behavior).
-
Install rsyslog if not present:
sudo apt-get install rsyslog # Debian/Ubuntu sudo yum install rsyslog # RHEL/CentOS -
Create rsyslog configuration file
/etc/rsyslog.d/confluence.conf:# Forward Confluence logs to BindPlane $ ModLoad imfile # Application logs $ InputFileName / opt / atlassian / confluence / logs / atlassian - confluence . log $ InputFileTag confluence - app : $ InputFileStateFile stat - confluence - app $ InputFileSeverity info $ InputFileFacility local0 $ InputRunFileMonitor # Audit logs (JSON format in DC/Server) $ InputFileName / var / atlassian / application - data / confluence / log / audit /*. json $ InputFileTag confluence - audit : $ InputFileStateFile stat - confluence - audit $ InputFileSeverity info $ InputFileFacility local1 $ InputRunFileMonitor # Forward to BindPlane agent *.* @@ BINDPLANE_AGENT_IP : 514- Replace
BINDPLANE_AGENT_IPwith the IP address of your Bindplane agent. - Adjust log file paths based on your Confluence installation:
- Application logs typically:
<confluence-install>/logs/or<local-home>/logs/ - Audit logs:
<confluence-home>/log/audit/*.json
- Application logs typically:
- Replace
-
Restart rsyslog:
sudo systemctl restart rsyslog
Option 2: Confluence Cloud Audit Logs via AWS Lambda + S3
Collect Confluence Cloud API credentials
- Sign in to your Atlassian account.
- Go to https://id.atlassian.com/manage-profile/security/api-tokens.
- Click Create API token.
- Enter a label for the token (for example,
Google Security Operations Integration). - Click Create.
- Copy and save the API token securely.
- Note your Confluence Cloud site URL (for example,
https://yoursite.atlassian.net). - Note your Atlassian account email address (used for authentication).
Configure AWS S3 bucket and IAM for Google SecOps
- Create Amazon S3 bucketfollowing this user guide: Creating a bucket
- Save bucket Nameand Regionfor future reference (for example,
confluence-audit-logs). - Create a Userfollowing this user guide: Creating an IAM user .
- Select the created User.
- Select Security credentialstab.
- Click Create Access Keyin section Access Keys.
- Select Third-party serviceas Use case.
- Click Next.
- Optional: Add a description tag.
- Click Create access key.
- Click Download CSV fileto save the Access Keyand Secret Access Keyfor future reference.
- Click Done.
- Select Permissionstab.
- Click Add permissionsin section Permissions policies.
- Select Add permissions.
- Select Attach policies directly.
- Search for AmazonS3FullAccesspolicy.
- Select the policy.
- Click Next.
- Click Add permissions.
Configure the IAM policy and role for S3 uploads
- In the AWS console, go to IAM > Policies > Create policy > JSON tab.
-
Enter the following policy:
{ "Version" : "2012-10-17" , "Statement" : [ { "Sid" : "AllowPutObjects" , "Effect" : "Allow" , "Action" : "s3:PutObject" , "Resource" : "arn:aws:s3:::confluence-audit-logs/*" }, { "Sid" : "AllowGetStateObject" , "Effect" : "Allow" , "Action" : "s3:GetObject" , "Resource" : "arn:aws:s3:::confluence-audit-logs/confluence-audit/state.json" } ] }- Replace
confluence-audit-logsif you entered a different bucket name.
- Replace
-
Click Next > Create policy.
-
Name the policy
ConfluenceAuditToS3Policy. -
Go to IAM > Roles > Create role > AWS service > Lambda.
-
Attach the newly created policy
ConfluenceAuditToS3Policy. -
Name the role
ConfluenceAuditLambdaRoleand click Create role.
Create the Lambda function
- In the AWS Console, go to Lambda > Functions.
- Click Create function > Author from scratch.
-
Provide the following configuration details:
Setting Value Name ConfluenceAuditToS3Runtime Python 3.13 Architecture x86_64 Execution role ConfluenceAuditLambdaRole -
After the function is created, open the Codetab, delete the stub and enter the following the code:
import json import os import boto3 from datetime import datetime , timezone , timedelta from urllib import request , parse , error from base64 import b64encode # Environment variables S3_BUCKET = os . environ [ 'S3_BUCKET' ] S3_PREFIX = os . environ . get ( 'S3_PREFIX' , 'confluence-audit/' ) STATE_KEY = os . environ . get ( 'STATE_KEY' , 'confluence-audit/state.json' ) CONFLUENCE_URL = os . environ [ 'CONFLUENCE_URL' ] # e.g., https://yoursite.atlassian.net CONFLUENCE_EMAIL = os . environ [ 'CONFLUENCE_EMAIL' ] CONFLUENCE_API_TOKEN = os . environ [ 'CONFLUENCE_API_TOKEN' ] MAX_RECORDS = int ( os . environ . get ( 'MAX_RECORDS' , '1000' )) s3_client = boto3 . client ( 's3' ) def lambda_handler ( event , context ): """Fetch Confluence Cloud audit logs and write to S3.""" # Read last execution state start_date = get_last_execution_time () end_date = datetime . now ( timezone . utc ) print ( f "Fetching audit logs from { start_date } to { end_date } " ) # Fetch audit records records = fetch_audit_logs ( start_date , end_date ) if not records : print ( "No new audit records found." ) save_state ( end_date ) return { 'statusCode' : 200 , 'body' : 'No new records' } # Write to S3 timestamp = end_date . strftime ( '%Y%m %d _%H%M%S' ) object_key = f " { S3_PREFIX } audit_ { timestamp } .json" s3_client . put_object ( Bucket = S3_BUCKET , Key = object_key , Body = ' \n ' . join ( json . dumps ( record ) for record in records ), ContentType = 'application/json' ) print ( f "Wrote { len ( records ) } records to s3:// { S3_BUCKET } / { object_key } " ) # Update state save_state ( end_date ) return { 'statusCode' : 200 , 'body' : f "Processed { len ( records ) } records" } def get_last_execution_time (): """Retrieve the last execution timestamp from S3 state file.""" try : response = s3_client . get_object ( Bucket = S3_BUCKET , Key = STATE_KEY ) state = json . loads ( response [ 'Body' ] . read ()) return datetime . fromisoformat ( state [ 'last_execution' ]) except s3_client . exceptions . NoSuchKey : # First run: fetch logs from last 24 hours return datetime . now ( timezone . utc ) - timedelta ( hours = 24 ) except Exception as e : print ( f "Error reading state: { e } " ) return datetime . now ( timezone . utc ) - timedelta ( hours = 24 ) def save_state ( execution_time ): """Save the execution timestamp to S3 state file.""" state = { 'last_execution' : execution_time . isoformat ()} s3_client . put_object ( Bucket = S3_BUCKET , Key = STATE_KEY , Body = json . dumps ( state ), ContentType = 'application/json' ) def fetch_audit_logs ( start_date , end_date ): """Fetch audit logs from Confluence Cloud REST API.""" records = [] start_param = int ( start_date . timestamp () * 1000 ) # milliseconds end_param = int ( end_date . timestamp () * 1000 ) # Build authentication header auth_string = f " { CONFLUENCE_EMAIL } : { CONFLUENCE_API_TOKEN } " auth_bytes = auth_string . encode ( 'ascii' ) auth_b64 = b64encode ( auth_bytes ) . decode ( 'ascii' ) headers = { 'Authorization' : f 'Basic { auth_b64 } ' , 'Accept' : 'application/json' } # Confluence Cloud Audit API endpoint url = f " { CONFLUENCE_URL } /wiki/rest/api/audit?startDate= { start_param } & endDate= { end_param } & limit=1000" try : req = request . Request ( url , headers = headers ) with request . urlopen ( req ) as response : data = json . loads ( response . read ()) records = data . get ( 'results' , []) print ( f "Retrieved { len ( records ) } audit records" ) except error . HTTPError as e : print ( f "HTTP Error: { e . code } - { e . reason } " ) print ( e . read () . decode ()) except Exception as e : print ( f "Error fetching audit logs: { e } " ) return records [: MAX_RECORDS ] -
Go to Configuration > Environment variables.
-
Click Edit > Add new environment variable.
-
Enter the following environment variables, replacing with your values.
Key Example value S3_BUCKETconfluence-audit-logsS3_PREFIXconfluence-audit/STATE_KEYconfluence-audit/state.jsonCONFLUENCE_URLhttps://yoursite.atlassian.netCONFLUENCE_EMAILyour-email@example.comCONFLUENCE_API_TOKENyour-api-token-hereMAX_RECORDS1000 -
Select the Configurationtab.
-
In the General configurationpanel click Edit.
-
Change Timeoutto 5 minutes (300 seconds)and click Save.
Create an EventBridge schedule
- Go to Amazon EventBridge > Scheduler > Create schedule.
- Provide the following configuration details:
- Recurring schedule: Rate(
1 hour). - Target: Your Lambda function
ConfluenceAuditToS3. - Name:
ConfluenceAuditToS3-1h.
- Recurring schedule: Rate(
- Click Create schedule.
Optional: Create read-only IAM user & keys for Google SecOps
- Go to AWS Console > IAM > Users.
- Click Add users.
- Provide the following configuration details:
- User: Enter
secops-confluence-reader. - Access type: Select Access key – Programmatic access.
- User: Enter
- Click Next.
- Click Attach policies directly > Create policy.
-
In the JSON editor, enter the following policy:
{ "Version" : "2012-10-17" , "Statement" : [ { "Effect" : "Allow" , "Action" : [ "s3:GetObject" ], "Resource" : "arn:aws:s3:::confluence-audit-logs/*" }, { "Effect" : "Allow" , "Action" : [ "s3:ListBucket" ], "Resource" : "arn:aws:s3:::confluence-audit-logs" } ] } -
Set the name to
secops-reader-policy. -
Go to Create policy > search/select > Next > Add permissions.
-
Go to Security credentials > Access keys > Create access key.
-
Download the CSV(these values are entered into the feed).
Configure a feed in Google SecOps to ingest Confluence logs
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- In the Feed namefield, enter a name for the feed (for example,
Confluence Cloud Audit Logs). - Select Amazon S3 V2as the Source type.
- Select Atlassian Confluenceas the Log type.
- Click Next.
- Specify values for the following input parameters:
- S3 URI:
s3://confluence-audit-logs/confluence-audit/ - Source deletion options: Select deletion option according to your preference.
- Maximum File Age: Include files modified in the last number of days. Default is 180 days.
- Access Key ID: User access key with access to the S3 bucket.
- Secret Access Key: User secret key with access to the S3 bucket.
- Asset namespace: The asset namespace .
- Ingestion labels: The label applied to the events from this feed.
- S3 URI:
- Click Next.
- Review your new feed configuration in the Finalizescreen, and then click Submit.
UDM Mapping Table
| Log Field | UDM Mapping | Logic |
|---|---|---|
|
agent
|
read_only_udm.network.http.user_agent | Value taken from "agent" field. |
|
app_protocol
|
read_only_udm.network.application_protocol | Derived from "app_protocol" field. If "app_protocol" contains "HTTPS", "HTTP", "SSH", or "RDP", the corresponding protocol is used. Otherwise, it defaults to "UNKNOWN_APPLICATION_PROTOCOL". |
|
app_protocol
|
read_only_udm.network.application_protocol_version | Value taken from "app_protocol" field. |
|
auditType.action
|
read_only_udm.security_result.action | Derived from "auditType.action" field. If "auditType.action" contains "successful", the value is set to "ALLOW". If it contains "restricted", the value is set to "BLOCK". |
|
auditType.action
|
read_only_udm.security_result.summary | Value taken from "auditType.action" field when "auditType" is not empty and "auditType_area" is "SECURITY". |
|
auditType.actionI18nKey
|
read_only_udm.metadata.product_event_type | Value taken from "auditType.actionI18nKey" field when "auditType" is not empty. |
|
auditType.area
|
read_only_udm.security_result.detection_fields.value | Value taken from "auditType.area" field and assigned to the "value" field of a detection field with the "key" field set to "auditType area". This mapping is done when "auditType" is not empty. |
|
auditType.category
|
read_only_udm.security_result.category_details | Value taken from "auditType.category" field when "auditType" is not empty. |
|
auditType.categoryI18nKey
|
read_only_udm.security_result.detection_fields.value | Value taken from "auditType.categoryI18nKey" field and assigned to the "value" field of a detection field with the "key" field set to "auditType categoryI18nKey". This mapping is done when "auditType" is not empty. |
|
auditType.level
|
read_only_udm.security_result.detection_fields.value | Value taken from "auditType.level" field and assigned to the "value" field of a detection field with the "key" field set to "auditType level". This mapping is done when "auditType" is not empty. |
|
author.displayName
|
read_only_udm.principal.user.user_display_name | Value taken from "author.displayName" field. |
|
author.externalCollaborator
|
read_only_udm.security_result.about.resource.attribute.labels.value | Value taken from "author.externalCollaborator" field and assigned to the "value" field of a label with the "key" field set to "externalCollaborator". |
|
author.id
|
read_only_udm.principal.user.userid | Value taken from "author.id" field when "author.type" is "user" and "principal_user_present" is "false". |
|
author.isExternalCollaborator
|
read_only_udm.security_result.about.resource.attribute.labels.value | Value taken from "author.isExternalCollaborator" field and assigned to the "value" field of a label with the "key" field set to "isExternalCollaborator". |
|
author.name
|
read_only_udm.principal.user.user_display_name | Value taken from "author.name" field when "author.type" is "user" and "principal_user_present" is "false". |
|
bytes_in
|
read_only_udm.network.received_bytes | Value taken from "bytes_in" field if it contains digits. Otherwise, it defaults to 0. |
|
category
|
read_only_udm.security_result.category_details | Value taken from "category" field. |
|
changedValues
|
read_only_udm.principal.resource.attribute.labels | Iterates through each element in "changedValues" and creates labels with keys like "changedValue [index] [key]" and values from the corresponding values in the "changedValues" array. |
|
creationDate
|
read_only_udm.metadata.event_timestamp | Value taken from "creationDate" field, parsed as either UNIX or UNIX_MS timestamp. |
|
extraAttributes
|
read_only_udm.principal.resource.attribute.labels | Iterates through each element in "extraAttributes" and creates labels with keys based on "name" and "nameI18nKey" fields and values from the corresponding "value" field. |
|
http_verb
|
read_only_udm.network.http.method | Value taken from "http_verb" field. |
|
ip
|
read_only_udm.target.ip | Value taken from "ip" field. |
|
principal_host
|
read_only_udm.principal.hostname | Value taken from "principal_host" field. |
|
referral_url
|
read_only_udm.network.http.referral_url | Value taken from "referral_url" field. |
|
remoteAddress
|
read_only_udm.principal.ip | Value taken from "remoteAddress" field, parsed as an IP address. |
|
response_code
|
read_only_udm.network.http.response_code | Value taken from "response_code" field. |
|
session_duration
|
read_only_udm.additional.fields.value.string_value | Value taken from "session_duration" field and assigned to the "string_value" field of a label with the "key" field set to "Session Duration". |
|
source
|
read_only_udm.principal.ip | Value taken from "source" field, parsed as an IP address. |
|
src_ip
|
read_only_udm.principal.ip | Value taken from "src_ip" field if "remoteAddress" is empty. |
|
summary
|
read_only_udm.security_result.summary | Value taken from "summary" field. |
|
sysAdmin
|
read_only_udm.security_result.about.resource.attribute.labels.value | Value taken from "sysAdmin" field and assigned to the "value" field of a label with the "key" field set to "sysAdmin". |
|
superAdmin
|
read_only_udm.security_result.about.resource.attribute.labels.value | Value taken from "superAdmin" field and assigned to the "value" field of a label with the "key" field set to "superAdmin". |
|
target_url
|
read_only_udm.target.url | Value taken from "target_url" field. |
|
timestamp
|
read_only_udm.metadata.event_timestamp | Value taken from "timestamp" field, parsed as a date and time string. |
|
user_id
|
read_only_udm.principal.user.userid | Value taken from "user_id" field. |
| |
read_only_udm.metadata.event_type | This field's value is determined by a series of checks and defaults to "GENERIC_EVENT". It is set to specific values like "NETWORK_HTTP", "USER_UNCATEGORIZED", or "STATUS_UPDATE" based on the presence and content of other fields like "principal_host", "user_id", "has_principal", and "author.type". |
| |
read_only_udm.metadata.vendor_name | Set to "ATLASSIAN". |
| |
read_only_udm.metadata.product_name | Set to "CONFLUENCE". |
| |
read_only_udm.metadata.log_type | Set to "ATLASSIAN_CONFLUENCE". |
| |
read_only_udm.principal.user.user_display_name | This field's value can come from either "author.displayName" or "affectedObject.name" depending on the context. |
| |
read_only_udm.target.process.pid | This field's value can come from either "principal_host" or "pid" depending on the context. |
| |
read_only_udm.principal.resource.attribute.labels | This field is populated with various labels derived from fields like "affectedObjects", "changedValues", and "extraAttributes". The keys and values of these labels are dynamically generated based on the specific content of these fields. |
Need more help? Get answers from Community members and Google SecOps professionals.
