Version: 7.x-45.0.0
Enterprise

Audit Log Field Reference

Common Attributes

The following attributes are logged for all event categories, independent of the layer.

Name Description
audit_format_version Audit log message format version, current: 3
@timestamp UTC timestamp when the event was generated
audit_category Audit log category, one of FAILED_LOGIN, MISSING_PRIVILEGES, BAD_HEADERS, SSL_EXCEPTION, SG_INDEX_ATTEMPT, AUTHENTICATED, GRANTED_PRIVILEGES, BLOCKED_USER or BLOCKED_IP.
audit_node_id The ID of the node where the event was generated.
audit_node_name The name of the node where the event was generated.
audit_node_host_address The host address of the node where the event was generated.
audit_node_host_name The host name of the node where the event was generated.
audit_request_layer The layer on which the event has been generated. One of TRANSPORT or REST.
audit_request_origin The layer from which the request originated, i.e. where it entered the cluster. One of TRANSPORT or REST.
audit_request_effective_user_is_admin true if the request was made with a TLS admin certificate, false otherwise.
audit_request_remote_address The IP this request originated from.

REST FAILED_LOGIN attributes

Name Description
audit_request_effective_user The username that failed authentication.
audit_rest_request_path The REST endpoint URI
audit_rest_request_params The HTTP request parameters, if any. Optional.
audit_rest_request_headers The HTTP headers, if any. Optional.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_request_body The HTTP body, if any and if request body logging is enabled. Optional.

REST AUTHENTICATED attributes

Name Description
audit_request_effective_user The username / principal that was successfully authenticated.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_rest_request_path The REST endpoint URI
audit_rest_request_params The HTTP request parameters, if any. Optional.
audit_rest_request_headers The HTTP headers, if any. Optional.
audit_request_body The HTTP body, if any and if request body logging is enabled. Optional.

REST SSL_EXCEPTION attributes

Name Description
audit_request_exception_stacktrace The stacktrace of the SSL Exception

REST BAD_HEADERS attributes

Name Description
audit_rest_request_path The REST endpoint URI
audit_rest_request_params The HTTP request parameters, if any. Optional.
audit_rest_request_headers The HTTP headers, if any. Optional.
audit_request_body The HTTP body, if any and if request body logging is enabled. Optional.

REST BLOCKED_USER attributes

Name Description
audit_request_effective_user The username that was being blocked.
audit_rest_request_path The REST endpoint URI
audit_rest_request_params The HTTP request parameters, if any. Optional.
audit_rest_request_headers The HTTP headers, if any. Optional.
audit_request_body The HTTP body, if any and if request body logging is enabled. Optional.

REST BLOCKED_IP attributes

Name Description
audit_rest_request_path The REST endpoint URI
audit_rest_request_params The HTTP request parameters, if any. Optional.
audit_rest_request_headers The HTTP headers, if any. Optional.
audit_request_remote_address The IP that was being blocked.
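The following Python script is an added example, not code from the Search Guard documentation or product. It consumes REST-layer events of the kinds described above, assumed to be exported as newline-delimited JSON with the field names from this page, and shows what a log consumer typically does with them: reject events whose audit_format_version or audit_category it does not understand instead of misreading them, redact credential-bearing entries in audit_rest_request_headers before storing the event (whether the plugin itself strips such headers is not covered on this page, so a consumer should not rely on it), detect FAILED_LOGIN bursts per audit_request_remote_address, list burst sources that have no matching BLOCKED_IP event, and surface REST requests made with a TLS admin certificate. The sample events, users, addresses, paths and the SENSITIVE_HEADERS list are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

SUPPORTED_FORMAT_VERSION = 3
KNOWN_CATEGORIES = {"FAILED_LOGIN", "MISSING_PRIVILEGES", "BAD_HEADERS", "SSL_EXCEPTION",
                    "SG_INDEX_ATTEMPT", "AUTHENTICATED", "GRANTED_PRIVILEGES",
                    "BLOCKED_USER", "BLOCKED_IP"}
# Assumption: header names a downstream store must never keep in clear text.
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization"}

# Constructed NDJSON sample of REST-layer audit events (made-up hosts, users and
# timestamps, not captured from a real cluster). Only the fields the functions below
# use are included; real events carry every common attribute listed on this page.
SAMPLE_AUDIT_LOG = """
{"audit_format_version": 3, "@timestamp": "2024-01-15T10:00:01.000Z", "audit_category": "FAILED_LOGIN", "audit_request_layer": "REST", "audit_request_origin": "REST", "audit_request_effective_user_is_admin": false, "audit_request_remote_address": "203.0.113.7", "audit_request_effective_user": "admin", "audit_rest_request_path": "/_cat/indices", "audit_rest_request_headers": {"Authorization": ["Basic YWRtaW46Z3Vlc3M="], "User-Agent": ["curl/8.0"]}}
{"audit_format_version": 3, "@timestamp": "2024-01-15T10:00:05.000Z", "audit_category": "FAILED_LOGIN", "audit_request_layer": "REST", "audit_request_origin": "REST", "audit_request_effective_user_is_admin": false, "audit_request_remote_address": "203.0.113.7", "audit_request_effective_user": "admin", "audit_rest_request_path": "/_cat/indices"}
{"audit_format_version": 3, "@timestamp": "2024-01-15T10:00:09.000Z", "audit_category": "FAILED_LOGIN", "audit_request_layer": "REST", "audit_request_origin": "REST", "audit_request_effective_user_is_admin": false, "audit_request_remote_address": "203.0.113.7", "audit_request_effective_user": "admin", "audit_rest_request_path": "/_cat/indices"}
{"audit_format_version": 3, "@timestamp": "2024-01-15T10:00:20.000Z", "audit_category": "FAILED_LOGIN", "audit_request_layer": "REST", "audit_request_origin": "REST", "audit_request_effective_user_is_admin": false, "audit_request_remote_address": "203.0.113.7", "audit_request_effective_user": "admin", "audit_rest_request_path": "/_cat/indices"}
{"audit_format_version": 3, "@timestamp": "2024-01-15T10:00:31.000Z", "audit_category": "FAILED_LOGIN", "audit_request_layer": "REST", "audit_request_origin": "REST", "audit_request_effective_user_is_admin": false, "audit_request_remote_address": "203.0.113.7", "audit_request_effective_user": "admin", "audit_rest_request_path": "/_cat/indices"}
{"audit_format_version": 3, "@timestamp": "2024-01-15T10:05:00.000Z", "audit_category": "FAILED_LOGIN", "audit_request_layer": "REST", "audit_request_origin": "REST", "audit_request_effective_user_is_admin": false, "audit_request_remote_address": "198.51.100.9", "audit_request_effective_user": "kibanaserver", "audit_rest_request_path": "/_search"}
{"audit_format_version": 3, "@timestamp": "2024-01-15T10:06:00.000Z", "audit_category": "BLOCKED_IP", "audit_request_layer": "REST", "audit_request_origin": "REST", "audit_request_effective_user_is_admin": false, "audit_request_remote_address": "198.51.100.9", "audit_rest_request_path": "/_search"}
{"audit_format_version": 3, "@timestamp": "2024-01-15T10:07:00.000Z", "audit_category": "AUTHENTICATED", "audit_request_layer": "REST", "audit_request_origin": "REST", "audit_request_effective_user_is_admin": true, "audit_request_remote_address": "10.0.0.5", "audit_request_effective_user": "CN=admin,OU=ops,O=example", "audit_rest_request_path": "/_searchguard/api/roles"}
{"audit_format_version": 2, "@timestamp": "2024-01-15T10:08:00.000Z", "audit_category": "FAILED_LOGIN", "audit_request_layer": "REST", "audit_request_origin": "REST", "audit_request_effective_user_is_admin": false, "audit_request_remote_address": "203.0.113.7", "audit_request_effective_user": "admin", "audit_rest_request_path": "/_cat/indices"}
"""


def parse_timestamp(value):
    """@timestamp is an ISO 8601 UTC string; older Pythons reject a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def redact_headers(event):
    """Mask credential-bearing entries in audit_rest_request_headers before the event is stored."""
    headers = event.get("audit_rest_request_headers")
    if headers:
        event["audit_rest_request_headers"] = {
            name: ("<redacted>" if name.lower() in SENSITIVE_HEADERS else value)
            for name, value in headers.items()
        }
    return event


def parse_events(ndjson_text):
    """Return (accepted, rejected). An event is rejected when its format version or
    category is not one this consumer knows, so a schema change is noticed, not misread."""
    accepted, rejected = [], []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if (event.get("audit_format_version") != SUPPORTED_FORMAT_VERSION
                or event.get("audit_category") not in KNOWN_CATEGORIES):
            rejected.append(event)
            continue
        event["_ts"] = parse_timestamp(event["@timestamp"])
        accepted.append(redact_headers(event))
    return accepted, rejected


def failed_login_bursts(events, threshold=5, window_seconds=60):
    """{remote_address: peak count} for sources with at least `threshold` REST FAILED_LOGIN
    events inside some sliding window of `window_seconds` (brute force / password spraying)."""
    stamps_by_ip = defaultdict(list)
    for ev in events:
        if ev["audit_category"] == "FAILED_LOGIN" and ev["audit_request_layer"] == "REST":
            stamps_by_ip[ev["audit_request_remote_address"]].append(ev["_ts"])
    bursts = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), count)
    return bursts


def unblocked_bursts(events, threshold=5, window_seconds=60):
    """Burst sources for which no BLOCKED_IP event exists: candidates for blocking."""
    blocked = {ev["audit_request_remote_address"]
               for ev in events if ev["audit_category"] == "BLOCKED_IP"}
    return set(failed_login_bursts(events, threshold, window_seconds)) - blocked


def admin_cert_rest_requests(events):
    """(user, path) for REST requests authenticated with a TLS admin certificate; such
    requests carry full administrative privileges and should be rare and expected."""
    return [(ev["audit_request_effective_user"], ev["audit_rest_request_path"])
            for ev in events
            if ev["audit_category"] == "AUTHENTICATED"
            and ev["audit_request_layer"] == "REST"
            and ev.get("audit_request_effective_user_is_admin")]


if __name__ == "__main__":
    accepted, rejected = parse_events(SAMPLE_AUDIT_LOG)
    print(len(accepted), "events accepted,", len(rejected), "rejected")
    print("bursts:", failed_login_bursts(accepted), "not yet blocked:", unblocked_bursts(accepted))
    print("admin certificate over REST:", admin_cert_rest_requests(accepted))
```

The burst detector keys on audit_request_remote_address rather than audit_request_effective_user because a spraying attacker rotates usernames; correlating with BLOCKED_IP shows whether the plugin's own blocking already covered the source.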

Transport FAILED_LOGIN attributes

Name Description
audit_trace_task_id The ID of this request
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that failed authentication.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.

Transport AUTHENTICATED attributes

Name Description
audit_trace_task_id The ID of this request
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that was successfully authenticated.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.

Transport MISSING_PRIVILEGES attributes

Name Description
audit_trace_task_id The ID of this request
audit_trace_task_parent_id The parent ID of this request, if any. Optional.
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal whose request was denied because it lacked the required privilege.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_privilege The required privilege of the request, e.g. indices:data/read/search
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.

Transport GRANTED_PRIVILEGES attributes

Name Description
audit_trace_task_id The ID of this request
audit_trace_task_parent_id The parent ID of this request, if any. Optional.
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal whose request was granted.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_privilege The required privilege of the request, e.g. indices:data/read/search
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.

Transport SSL_EXCEPTION attributes

Name Description
audit_request_exception_stacktrace The stacktrace of the SSL Exception

Transport BAD_HEADERS attributes

Name Description
audit_trace_task_id The ID of this request
audit_trace_task_parent_id The parent ID of this request, if any. Optional.
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that made the request.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.

Transport BLOCKED_USER attributes

Name Description
audit_trace_task_id The ID of this request
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that was being blocked.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.

Transport BLOCKED_IP attributes

Name Description
audit_request_remote_address The IP that was being blocked.
audit_trace_task_id The ID of this request
audit_trace_task_parent_id The parent ID of this request, if any. Optional.
audit_transport_headers The headers of the request, if any. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.

Transport SG_INDEX_ATTEMPT attributes

Name Description
audit_trace_task_id The ID of this request
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that attempted the access to the Search Guard index.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.
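The transport-layer tables above share the same trace and index fields. The following Python script is an added example, not code from the Search Guard documentation or product, that works over constructed transport events to show how those fields are used together: audit_request_initiating_user is logged only under impersonation, so its presence alone is the signal; MISSING_PRIVILEGES events pair audit_request_privilege with audit_trace_resolved_indices to show what a denied request actually targeted; privilege events logged with resolve_indices disabled carry no audit_trace_* index fields and are flagged as blind spots; audit_trace_task_parent_id ties sub-requests back to the originating task; and SG_INDEX_ATTEMPT events are listed on their own. Task ids, users, addresses and index names are made up, and the name of the Search Guard configuration index used in the sample is an assumption.

```python
import json
from collections import defaultdict

PRIVILEGE_CATEGORIES = {"GRANTED_PRIVILEGES", "MISSING_PRIVILEGES"}

# Constructed transport-layer audit events (made-up task ids, users and index names;
# not captured from a real cluster). Only the fields the functions below use are included.
SAMPLE_TRANSPORT_LOG = """
{"audit_format_version": 3, "@timestamp": "2024-01-15T11:00:00.000Z", "audit_category": "GRANTED_PRIVILEGES", "audit_request_layer": "TRANSPORT", "audit_request_origin": "REST", "audit_request_effective_user_is_admin": false, "audit_request_remote_address": "198.51.100.20", "audit_trace_task_id": "n1:101", "audit_request_effective_user": "analyst", "audit_transport_request_type": "SearchRequest", "audit_request_privilege": "indices:data/read/search", "audit_trace_indices": ["logs-*"], "audit_trace_resolved_indices": ["logs-2024.01.14", "logs-2024.01.15"]}
{"audit_format_version": 3, "@timestamp": "2024-01-15T11:00:00.050Z", "audit_category": "GRANTED_PRIVILEGES", "audit_request_layer": "TRANSPORT", "audit_request_origin": "TRANSPORT", "audit_request_effective_user_is_admin": false, "audit_request_remote_address": "198.51.100.20", "audit_trace_task_id": "n2:7", "audit_trace_task_parent_id": "n1:101", "audit_request_effective_user": "analyst", "audit_transport_request_type": "ShardSearchRequest", "audit_request_privilege": "indices:data/read/search", "audit_trace_indices": ["logs-2024.01.15"], "audit_trace_resolved_indices": ["logs-2024.01.15"]}
{"audit_format_version": 3, "@timestamp": "2024-01-15T11:01:00.000Z", "audit_category": "MISSING_PRIVILEGES", "audit_request_layer": "TRANSPORT", "audit_request_origin": "REST", "audit_request_effective_user_is_admin": false, "audit_request_remote_address": "198.51.100.20", "audit_trace_task_id": "n1:102", "audit_request_effective_user": "analyst", "audit_request_initiating_user": "kibanaserver", "audit_transport_request_type": "DeleteIndexRequest", "audit_request_privilege": "indices:admin/delete", "audit_trace_indices": ["logs-*"], "audit_trace_resolved_indices": ["logs-2024.01.14", "logs-2024.01.15"]}
{"audit_format_version": 3, "@timestamp": "2024-01-15T11:02:00.000Z", "audit_category": "MISSING_PRIVILEGES", "audit_request_layer": "TRANSPORT", "audit_request_origin": "REST", "audit_request_effective_user_is_admin": false, "audit_request_remote_address": "198.51.100.20", "audit_trace_task_id": "n1:103", "audit_request_effective_user": "analyst", "audit_transport_request_type": "SearchRequest", "audit_request_privilege": "indices:data/read/search"}
{"audit_format_version": 3, "@timestamp": "2024-01-15T11:03:00.000Z", "audit_category": "SG_INDEX_ATTEMPT", "audit_request_layer": "TRANSPORT", "audit_request_origin": "REST", "audit_request_effective_user_is_admin": false, "audit_request_remote_address": "198.51.100.20", "audit_trace_task_id": "n1:104", "audit_request_effective_user": "analyst", "audit_transport_request_type": "IndexRequest", "audit_trace_indices": ["searchguard"], "audit_trace_resolved_indices": ["searchguard"]}
"""


def load_events(ndjson_text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def impersonated_requests(events):
    """(initiating_user, effective_user, category) for impersonated requests. The field is
    only logged when it differs from the effective user, so presence alone is the signal."""
    return [(ev["audit_request_initiating_user"], ev["audit_request_effective_user"],
             ev["audit_category"])
            for ev in events if "audit_request_initiating_user" in ev]


def denied_privileges(events):
    """(effective_user, privilege) -> sorted concrete indices the denied requests targeted."""
    denied = defaultdict(set)
    for ev in events:
        if ev["audit_category"] == "MISSING_PRIVILEGES":
            key = (ev["audit_request_effective_user"], ev["audit_request_privilege"])
            denied[key].update(ev.get("audit_trace_resolved_indices", []))
    return {key: sorted(indices) for key, indices in denied.items()}


def events_without_index_info(events):
    """Task ids of privilege events carrying no audit_trace_* index fields, i.e. logged with
    resolve_indices disabled: the log then cannot tell which indices the request touched."""
    return [ev["audit_trace_task_id"] for ev in events
            if ev["audit_category"] in PRIVILEGE_CATEGORIES
            and "audit_trace_resolved_indices" not in ev]


def task_children(events):
    """parent task id -> child task ids, built from audit_trace_task_parent_id."""
    tree = defaultdict(list)
    for ev in events:
        if ev.get("audit_trace_task_parent_id"):
            tree[ev["audit_trace_task_parent_id"]].append(ev["audit_trace_task_id"])
    return dict(tree)


def root_task(events, task_id):
    """Follow parent ids up to the originating request; `seen` guards against cyclic data."""
    by_id = {ev["audit_trace_task_id"]: ev for ev in events if "audit_trace_task_id" in ev}
    seen = set()
    while task_id not in seen and by_id.get(task_id, {}).get("audit_trace_task_parent_id"):
        seen.add(task_id)
        task_id = by_id[task_id]["audit_trace_task_parent_id"]
    return task_id


def sg_index_attempts(events):
    """(user, request type) for every attempt logged against the Search Guard index."""
    return [(ev["audit_request_effective_user"], ev["audit_transport_request_type"])
            for ev in events if ev["audit_category"] == "SG_INDEX_ATTEMPT"]


if __name__ == "__main__":
    events = load_events(SAMPLE_TRANSPORT_LOG)
    print("impersonated:", impersonated_requests(events))
    print("denied:", denied_privileges(events))
    print("no index info (resolve_indices off):", events_without_index_info(events))
    print("task tree:", task_children(events), "root of n2:7:", root_task(events, "n2:7"))
    print("sg index attempts:", sg_index_attempts(events))
```

When a denied request was impersonated, the effective user is the one whose privileges were checked and the initiating user is the one who issued it; alert on the initiating user, since that is the account an attacker actually holds.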

