Sidehistorik
...
This ways has Pros and Cons - read Access Logging in Confluence. On Pro is that the POST to Splunk in in the backend; so we dont need to open for the receiving system in the FirewallIn
We do POST a json like this to Elasticsearch at URL http://elkserver1:9200/webaccess/pageevent/
This will create an index named "webacecss" and give out data the type "pageevent" this working sample, we will post to a Splunk HTTP Event Collector - after setup and getting the Splunk Key, the collector need a POST like this:
Kodeblok |
---|
{ "timetimestamp": 1426279439, "hostevent-type": "localhostPageView", "sourcespace-key": "datasourceIT", "sourcetypeconfluence-page-title": "txtAtlassian Home", "indexconfluence-page-id": "main199002", "eventusername": { "hello": "world" }bnp" } |
We do eliminate the "Time" field, as the POST is instantly from the Confluence server.
To achive this, we have setup a Script Event Handler:
this the executes this script for every PageViewEvent:
Kodeblok | ||
---|---|---|
| ||
import com.atlassian.confluence.user.AuthenticatedUserThreadLocal import com.atlassian.confluence.user.*; import java.net.URL; import java.net.URLEncoder; import java.net.MalformedURLException; import java.io.UnsupportedEncodingException; import com.atlassian.confluence.pages.Page import com.atlassian.confluence.pages.PageManager import com.atlassian.confluence.spaces.Space import com.atlassian.confluence.spaces.SpaceManager import com.atlassian.sal.api.component.ComponentLocator import com.atlassian.confluence.event.events.content.page.* def spaceManager = ComponentLocator.getComponent(SpaceManager) def pageManager = ComponentLocator.getComponent(PageManager) String userName="Anonymous" def currentUser = AuthenticatedUserThreadLocal.get() if (currentUser) { userName=(String)currentUser.name } def event = event as PageEvent String eventType=(String)event.toString() eventType=eventType.replaceAll("com.atlassian.confluence.event.events.content.page.","") eventType=eventType.substring(0, eventType.indexOf('@')) eventType=eventType.replaceAll("Event","") // keys to create unique nodes for counters // https://docs.atlassian.com/confluence/5.9.7/com/atlassian/confluence/pages/Page.html String spaceKey = event.page.getSpace().getKey() String pageId = event.page.getIdAsString() String pageName = event.page.getTitle() def requestMethod = "GET"; def URLParam = [] def baseURL = "http://elkserver1:9200/webaccess/pageevent/" def url = new java.net.URL(baseURL); URLConnection connection = url.openConnection(); connection.setRequestMethod(requestMethod); connection.doOutput = true connection.setUseCaches(false); connection.setRequestProperty("Content-Type", "application/json;charset=UTF-8"); def dateTime = new Date() String jSon= "{" jSon = jSon + "\"timestamp\":\"" + dateTime.toString() + "\"," jSon = jSon + "\"event-type\":\"" + eventType + "\"," jSon = jSon + "\"space-key\":\"" + spaceKey + "\"," jSon = jSon + "\"confluence-page-title\":\"" + pageName + "\"," jSon = jSon + "\"confluence-page-id\":\"" + pageId + "\"," jSon = jSon + "\"username\":\"" + userName + "\"" jSon = jSon + "}" def writer = new OutputStreamWriter(connection.outputStream) writer.write(jSon) writer.flush() writer.close() connection.connect(); try { connection.getContent() } catch (all) { } String Status=connection.getResponseCode() String Message=connection.getResponseMessage() |
Giving us results to work on in Splunk (Where we already has created the index needed):
Advarsel |
---|
Currently I can search the data in Elasticsearch, due to a problem with the timestam and mapping. It seems the Timestam is not searchable/aggregatable ... a Mapping issue |
Kodeblok |
PUT webacess { "mappings": { "pageevent": { "properties": { "timestamp": { "type": "date" } } } } } |