We run Jira and Confluence in Docker containers and our security team would like us to better document user access in the access logs.
Currently it is pulling the defaults from Atlassian. The format Cyber would like is the following:
^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]
Trying the following in Confluence's server.xml:
%a %l %{X-AUSERNAME}o %I %h %r %s %Dms %b %{Referer}i %{User-Agent}i
and the following in Jira's server.xml:
"%a %{jira.request.id}r %{jira.request.username}r %t "%m %U%q %H" %s %b %D "%{Referer}i" "%{User-Agent}i" "%{jira.request.assession.id}r""
It is pulling the format we would like, more or less. The issue I am getting is that it is currently pulling the IP of the Apache proxy server, not the IP of the user, which is what we want.
Is there a setting, either for Docker or in the server.xml files, that will pull the user's IP address?
I am using settings from
https://confluence.atlassian.com/conf719/configure-access-logs-1157467716.html and
https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Access_Log_Valve
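
One way to get the user's address into these logs, shown as an added example that is not part of the original post: Tomcat's RemoteIpValve together with requestAttributesEnabled on the access log valve, both documented on the Tomcat valve page linked above. It assumes the Apache proxy passes the client address in X-Forwarded-For; the proxy address 192.0.2.10 is a constructed placeholder.

```xml
<!-- Added example for server.xml, placed inside the existing <Host> (or <Engine>).
     Assumption: the Apache proxy sets X-Forwarded-For to the client address. -->

<!-- Step 1: replace the TCP peer address (the proxy) with the address taken
     from X-Forwarded-For. The header is only honoured when the connection
     comes from an address matching internalProxies, so set this regex to
     the address Tomcat actually sees for the proxy and nothing broader.
     A wider match lets any direct caller supply its own "client" IP.
     192\.0\.2\.10 is a constructed placeholder, not a value from the post. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       internalProxies="192\.0\.2\.10" />

<!-- Step 2: requestAttributesEnabled="true" makes %a and %h log the values
     set by RemoteIpValve instead of the socket peer. Without it the access
     log keeps showing the proxy even though step 1 is in place.
     The pattern is the Confluence pattern from the post, unchanged; any
     other attributes already on the valve (directory, prefix, ...) stay. -->
<Valve className="org.apache.catalina.valves.AccessLogValve"
       requestAttributesEnabled="true"
       pattern="%a %l %{X-AUSERNAME}o %I %h %r %s %Dms %b %{Referer}i %{User-Agent}i" />
```

The same two changes apply to Jira's server.xml with its own pattern. When the containers sit behind Docker networking, check which source address Tomcat records for the proxy before setting internalProxies.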