Splunk ingest on-prem Jira audit logs

_joe · ‎05-09-2022

Hello all,

I need to ingest audit logs from Atlassian Jira, Confluence, and Bitbucket. Most of that is pretty straight forward, but I am finding the Jira audit logs (atlassian-jira.log and atlassian-servicedesk.log) seem very random (sometimes fields are missing, occasionally a field will be long with multiple words and spaces with no fields or brackets).

Are there any TAs that can assist with parsing for on-prem Jira audit logs (atlassian-jira.log and atlassian-servicedesk.log)? Or any Splunk guidance I can give the Jira admin to help make logging better. So far they have told me they don't want to update their log4j properties files because it will just get overridden the next time they upgrade.

richgalloway · ‎05-09-2022

Have you looked on splunkbase? Try https://splunkbase.splunk.com/app/4958/

---
If this reply helps you, Karma would be appreciated.

_joe · ‎05-09-2022

Thanks for your comment.

I have looked at that TA, but the props/transforms doesn't seem to have anything that could handle the logs I had mentioned..

It has line breaking (which matches) and very limited parsing for "extract_jira_issue" which just collects <key>:<value> (a pattern I am only seeing in about 25% of the "thread" fields), practically nothing else from a props/transforms standpoint.

richgalloway · ‎05-09-2022

You can try contacting the TA developer to see if a newer version is available that might help you. Another option is to use the TA as a guide for building your own add-on.

---
If this reply helps you, Karma would be appreciated.

Splunk ingest on-prem Jira audit logs

configuration

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control