Version: 7.x-47.0.0
Enterprise

Audit Log Field Reference

Common Attributes

The following attributes are logged for all event categores, independent of the layer.

Name Description
audit_format_version Audit log message format version, current: 3
@timestamp UTC timestamp when the event was generated
audit_category Audit log category, one of FAILED_LOGIN, MISSING_PRIVILEGES, BAD_HEADERS, SSL_EXCEPTION, SG_INDEX_ATTEMPT, AUTHENTICATED or GRANTED_PRIVILEGES.
audit_node_id The ID of the node where the event was generated.
audit_node_name The name of the node where the event was generated.
audit_node_host_address The host address of the node where the event was generated.
audit_node_host_name The host address of the node where the event was generated.
audit_request_layer The layer on which the event has been generated. One if TRANSPORT or REST.
audit_request_origin The layer from which the event originated. One if TRANSPORT or REST.
audit_request_effective_user_is_admin true if the request was made wit an TLS admin certificate, false otherwise.
audit_request_remote_address The IP this request originated from.

REST FAILED_LOGIN attributes

Name Description
audit_request_effective_user The username that failed authentication.
audit_rest_request_path The REST endpoint URI
audit_rest_request_params The HTTP request parameters, if any. Optional.
audit_rest_request_headers The HTTP headers, if any. Optional.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_request_body The HTTP body, if any and if request body logging is enabled. Optional.

REST AUTHENTICATED attributes

Name Description
audit_request_effective_user The username / principal that failed authentication.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_rest_request_path The REST endpoint URI
audit_rest_request_params The HTTP request parameters, if any. Optional.
audit_rest_request_headers The HTTP headers, if any. Optional.
audit_request_body The HTTP body, if any and if request body logging is enabled. Optional.

REST SSL_EXCEPTION attributes

Name Description
audit_request_exception_stacktrace The stacktrace of the SSL Exception

REST BAD_HEADERS attributes

Name Description
audit_rest_request_path The REST endpoint URI
audit_rest_request_params The HTTP request parameters, if any. Optional.
audit_rest_request_headers The HTTP headers, if any. Optional.
audit_request_body The HTTP body, if any and if request body logging is enabled. Optional.

REST BLOCKED_USER attributes

Name Description
audit_request_effective_user The username that was being blocked.
audit_rest_request_path The REST endpoint URI
audit_rest_request_params The HTTP request parameters, if any. Optional.
audit_rest_request_headers The HTTP headers, if any. Optional.
audit_request_body The HTTP body, if any and if request body logging is enabled. Optional.

REST BLOCKED_IP attributes

Name Description
audit_rest_request_path The REST endpoint URI
audit_rest_request_params The HTTP request parameters, if any. Optional.
audit_rest_request_headers The HTTP headers, if any. Optional.
audit_request_remote_address The IP that was being blocked.

Transport FAILED_LOGIN attributes

Name Description
audit_trace_task_id The ID of this request
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that failed authentication.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affecated by this request. Only logged if resolve_indices is true. Optional.

Transport AUTHENTICATED attributes

Name Description
audit_trace_task_id The ID of this request
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that failed authentication.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affecated by this request. Only logged if resolve_indices is true. Optional.

Transport MISSING_PRIVILEGES attributes

Name Description
audit_trace_task_id The ID of this request
audit_trace_task_parent_id The parent ID of this request, if any. Optional.
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that failed authentication.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_privilege The required privilege of the request, e.g. indices:data/read/search
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affecated by this request. Only logged if resolve_indices is true. Optional.

Transport GRANTED_PRIVILEGES attributes

Name Description
audit_trace_task_id The ID of this request
audit_trace_task_parent_id The parent ID of this request, if any. Optional.
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that failed authentication.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_privilege The required privilege of the request, e.g. indices:data/read/search
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affecated by this request. Only logged if resolve_indices is true. Optional.

Transport SSL_EXCEPTION attributes

Name Description
audit_request_exception_stacktrace The stacktrace of the SSL Exception

Transport BAD_HEADERS attributes

Name Description
audit_trace_task_id The ID of this request
audit_trace_task_parent_id The parent ID of this request, if any. Optional.
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that failed authentication.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affecated by this request. Only logged if resolve_indices is true. Optional.

Transport BLOCKED_USER attributes

Name Description
audit_trace_task_id The ID of this request
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal was being blocked.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affecated by this request. Only logged if resolve_indices is true. Optional.

Transport BLOCKED_IP attributes

Name Description
audit_request_remote_address The IP that was being blocked.
audit_trace_task_id The ID of this request
audit_trace_task_parent_id The parent ID of this request, if any. Optional.
audit_transport_headers The headers of the request, if any. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affecated by this request. Only logged if resolve_indices is true. Optional.

Transport SG_INDEX_ATTEMPT attributes

Name Description
audit_trace_task_id The ID of this request
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that failed authentication.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affecated by this request. Only logged if resolve_indices is true. Optional.


Not what you were looking for? Try the search.