A possible way to Log User / Page Access in Confluence is via the Event system - using Adaptavist's Scriptrunner for Confluence.
This ways has Pros and Cons - read Access Logging in Confluence. On Pro is that the POST to Splunk in in the backend; so we dont need to open for the receiving system in the Firewall
In this working sample, we will post to a Splunk HTTP Event Collector - after setup and getting the Splunk Key, the collector need a POST like this:
{ "time": 1426279439, "host": "localhost", "source": "datasource", "sourcetype": "txt", "index": "main", "event": { "hello": "world" } }
We do eliminate the "Time" field, as the POST is instantly from the Confluence server.
To achive this, we have setup a Script Event Handler:
the executes this script for every PageViewEvent:
import com.atlassian.confluence.user.AuthenticatedUserThreadLocal import com.atlassian.confluence.user.*; import java.net.URL; import java.net.URLEncoder; import java.net.MalformedURLException; import java.io.UnsupportedEncodingException; import com.atlassian.confluence.pages.Page import com.atlassian.confluence.pages.PageManager import com.atlassian.confluence.spaces.Space import com.atlassian.confluence.spaces.SpaceManager import com.atlassian.sal.api.component.ComponentLocator import com.atlassian.confluence.event.events.content.page.* System.out.println("Start post2splunk.groovy") def spaceManager = ComponentLocator.getComponent(SpaceManager) def pageManager = ComponentLocator.getComponent(PageManager) String userName="Anonymous" def currentUser = AuthenticatedUserThreadLocal.get() if (currentUser) { userName=(String)currentUser.name } def event = event as PageEvent String eventType=(String)event.toString() eventType=eventType.replaceAll("com.atlassian.confluence.event.events.content.page.","") eventType=eventType.substring(0, eventType.indexOf('@')) eventType=eventType.replaceAll("Event","") // keys to create unique nodes for counters // https://docs.atlassian.com/confluence/5.9.7/com/atlassian/confluence/pages/Page.html String spaceKey = event.page.getSpace().getKey() String pageId = event.page.getIdAsString() String pageName = event.page.getTitle() def requestMethod = "GET"; def URLParam = [] def baseURL = "http://77.243.52.151:8088/services/collector" def url = new java.net.URL(baseURL); URLConnection connection = url.openConnection(); connection.setRequestMethod(requestMethod); connection.doOutput = true connection.setUseCaches(false); connection.setRequestProperty("Content-Type", "application/json;charset=UTF-8"); connection.setRequestProperty('Authorization', 'Splunk XXXXXXX-XXXX-4D74-BB9E-64E3B3730D8E'); String jSon= "{\"host\": \"moserver\",\"source\": \"webaccess\",\"sourcetype\": \"webaccess\",\"index\": \"webaccess\",\"event\":{" jSon = jSon + "\"event-type\":\"" + eventType + "\"," jSon = jSon + "\"space-key\":\"" + spaceKey + "\"," jSon = jSon + "\"confluence-page-title\":\"" + pageName + "\"," jSon = jSon + "\"confluence-page-id\":\"" + pageId + "\"," jSon = jSon + "\"username\":\"" + userName + "\"" jSon = jSon + "}}" def writer = new OutputStreamWriter(connection.outputStream) writer.write(jSon) writer.flush() writer.close() connection.connect(); try { connection.getContent() } catch (all) { } String Status=connection.getResponseCode() String Message=connection.getResponseMessage()
Giving us results to work on in Splunk (Where we already has created the index needed):