Can I see from the Tomcat logs who has added or downloaded attachments from an issue?
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Environment
Jira Server
Jira Data Center
Question
If a user is adding or downloading an attachment to issue PROJECT-1234, can I monitor that by scanning the Tomcat access logs?
Answer
This is something you can not directly see from the Tomcat access log as that log contains the request URL only and not the payload.
There are two reasons for this:
The issue key is not included in the request in the URL nor in the payload. It is referring the issue's ID in the database. To connect this ID to a full issue's key, you would need to build some custom logic that does that for you.
When you upload an attachment it sends a HTTP POST request to /rest/jddap/1.0/attachment with the attachment details in the payload which is not logged in the Tomcat log (or anywhere else).
The upload payload in the POST request looks something like this. In this example the issue.id from the database is 10000:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
"id": 10000,
"latest": true,
"deletable": true,
"expandable": false,
"thumbnailUrl": "https://jira-instance.example.com/jira/secure/thumbnail/10000/_thumb_10000.png",
"thumbnailWidth": 200,
"thumbnailHeight": 200,
"attachmentUrl": "secure/attachment/10000/test-image.png",
"authorDisplayName": "admin",
"authorKey": "admin",
"fileSize": "1.36 MB",
"fileName": "test-image.png",
"mimeType": "image/png",
"createdIso8601": 1705595151822,
"createdDateTime": "18/Jan/24 4:25 PM",
"imageFileType": trueAs payloads are not logged by Tomcat you will not be able to extract who has added an attachment to an issue from it.
(You can log the contents with the RequestDumperValve in Tomcat, but that should only be used for debugging purposes as this logging will be very heavy. Running a Tomcat with the RequestDumperValve constantly on in a production environment is not supported.)
For downloads the ID is present in the request URL and is thus logged in the Tomcat access log and looks like this when the same attachment from the upload example above is used:
HTTP GET https:
//jira-instance.example.com/jira/secure/attachment/10000/test-image.png
But to tie that id to an actual issue key would again require that you build some custom logic that does that for you. This is not something that is present out of the box.
Also note that the same actions can be performed via the REST API, so to get a complete picture you need to check the access log for the attachment REST API endpoints as well. They are listed here: https://docs.atlassian.com/software/jira/docs/api/REST/8.20.11/#attachment
To find out more about how those file attachment IDs relate to the files on the file system, see the article
Locate Jira Data Center file attachments in the filesystem
.
If you need assistance with building the custom logic needed to accommodate your specific business needs, an Atlassian Partner can help you with that. You can find one at https://atlassian.com/partners.
Was this helpful?