Version: SG FLX
Enterprise

Audit Log Field Reference

Common Attributes

The following attributes are logged for all event categories, independent of the layer.

Name Description
audit_cluster_name Name of the cluster this event was emitted on.
audit_format_version Audit log message format version, current: 3
@timestamp UTC timestamp when the event was generated
audit_category Audit log category, one of FAILED_LOGIN, MISSING_PRIVILEGES, BAD_HEADERS, SSL_EXCEPTION, SG_INDEX_ATTEMPT, AUTHENTICATED or GRANTED_PRIVILEGES.
audit_node_id The ID of the node where the event was generated.
audit_node_name The name of the node where the event was generated.
audit_node_elasticsearch_version The Elasticsearch version of the node where the event was generated.
audit_node_host_address The host address of the node where the event was generated.
audit_node_host_name The host name of the node where the event was generated.
audit_request_layer The layer on which the event has been generated. One of TRANSPORT or REST.
audit_request_origin The layer from which the event originated. One of TRANSPORT or REST.
audit_request_effective_user_is_admin true if the request was made with a TLS admin certificate, false otherwise.
audit_request_remote_address The IP this request originated from.

REST FAILED_LOGIN attributes

Name Description
audit_request_effective_user The username that failed authentication.
audit_rest_request_path The REST endpoint URI
audit_rest_request_params The HTTP request parameters, if any. Optional.
audit_rest_request_headers The HTTP headers, if any. Optional.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_request_body The HTTP body, if any and if request body logging is enabled. Optional.

REST AUTHENTICATED attributes

Name Description
audit_request_effective_user The username / principal that was successfully authenticated.
audit_request_effective_user_auth_domain The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt”
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_request_initiating_user_auth_domain The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_rest_request_path The REST endpoint URI
audit_rest_request_params The HTTP request parameters, if any. Optional.
audit_rest_request_headers The HTTP headers, if any. Optional.
audit_request_body The HTTP body, if any and if request body logging is enabled. Optional.

REST SSL_EXCEPTION attributes

Name Description
audit_request_exception_stacktrace The stacktrace of the SSL Exception

REST BAD_HEADERS attributes

Name Description
audit_rest_request_path The REST endpoint URI
audit_rest_request_params The HTTP request parameters, if any. Optional.
audit_rest_request_headers The HTTP headers, if any. Optional.
audit_request_body The HTTP body, if any and if request body logging is enabled. Optional.

REST BLOCKED_USER attributes

Name Description
audit_request_effective_user The username that was being blocked.
audit_rest_request_path The REST endpoint URI
audit_rest_request_params The HTTP request parameters, if any. Optional.
audit_rest_request_headers The HTTP headers, if any. Optional.
audit_request_body The HTTP body, if any and if request body logging is enabled. Optional.

REST BLOCKED_IP attributes

Name Description
audit_rest_request_path The REST endpoint URI
audit_rest_request_params The HTTP request parameters, if any. Optional.
audit_rest_request_headers The HTTP headers, if any. Optional.
audit_request_remote_address The IP that was being blocked.

REST KIBANA_LOGIN attributes

Name Description
audit_request_effective_user The username / principal that logged in to Kibana.
audit_request_effective_user_auth_domain The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt”

REST KIBANA_LOGOUT attributes

Name Description
audit_request_effective_user The username / principal that logged out of Kibana.

Transport FAILED_LOGIN attributes

Name Description
audit_trace_task_id The ID of this request
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that failed authentication.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_request_initiating_user_auth_domain The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.

Transport AUTHENTICATED attributes

Name Description
audit_trace_task_id The ID of this request
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that was successfully authenticated.
audit_request_effective_user_auth_domain The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt”
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_request_initiating_user_auth_domain The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.

Transport MISSING_PRIVILEGES attributes

Name Description
audit_trace_task_id The ID of this request
audit_trace_task_parent_id The parent ID of this request, if any. Optional.
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that was denied the required privilege.
audit_request_effective_user_auth_domain The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt”
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_request_initiating_user_auth_domain The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_privilege The required privilege of the request, e.g. indices:data/read/search
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.

Transport GRANTED_PRIVILEGES attributes

Name Description
audit_trace_task_id The ID of this request
audit_trace_task_parent_id The parent ID of this request, if any. Optional.
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that was granted the required privilege.
audit_request_effective_user_auth_domain The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt”
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_request_initiating_user_auth_domain The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_privilege The required privilege of the request, e.g. indices:data/read/search
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.

Transport SSL_EXCEPTION attributes

Name Description
audit_request_exception_stacktrace The stacktrace of the SSL Exception

Transport BAD_HEADERS attributes

Name Description
audit_trace_task_id The ID of this request
audit_trace_task_parent_id The parent ID of this request, if any. Optional.
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that made the request.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_request_initiating_user_auth_domain The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.

Transport BLOCKED_USER attributes

Name Description
audit_trace_task_id The ID of this request
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that was being blocked.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.

Transport BLOCKED_IP attributes

Name Description
audit_request_remote_address The IP that was being blocked.
audit_trace_task_id The ID of this request
audit_trace_task_parent_id The parent ID of this request, if any. Optional.
audit_transport_headers The headers of the request, if any. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.

Transport SG_INDEX_ATTEMPT attributes

Name Description
audit_trace_task_id The ID of this request
audit_transport_headers The headers of the request, if any. Optional.
audit_request_effective_user The username / principal that made the request.
audit_request_effective_user_auth_domain The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt”
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_request_initiating_user_auth_domain The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional.
audit_transport_request_type The type of request, e.g. IndexRequest, SearchRequest
audit_request_body The body / source, if any and if request body logging is enabled. Optional.
audit_trace_indices The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional.
audit_trace_resolved_indices The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.
audit_trace_doc_types The document types affected by this request. Only logged if resolve_indices is true. Optional.

Transport INDEX_TEMPLATE_WRITE attributes

Name Description
audit_compliance_operation The operation on the index template, can be one of CREATE, UPDATE or DELETE.
audit_request_body The content of newly created or updated template.
audit_request_effective_user The username / principal that created, updated or deleted index template.
audit_request_effective_user_auth_domain The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt”
audit_trace_index_templates Array, the index template(s) as contained in the request. Can contain wildcards.

Transport INDEX_WRITE attributes

Name Description
audit_compliance_operation The operation on the index, index settings or index mappings. In case of operation on the index it can be one of CREATE or DELETE, otherwise it’s always set to UPDATE.
audit_request_body The content of newly created index or updated index settings/mappings as contained in the request.
audit_request_effective_user The username of the user that has created, modified or deleted indices.
audit_request_effective_user_auth_domain The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt”
audit_trace_indices Array, the index name(s) as contained in the request. Can contain wildcards.
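The following is an added example, not part of the Search Guard documentation: a small Python triage pass over JSON-lines audit events that uses the field names listed above. The event values, the failed-login threshold and the function names (parse_audit_log, triage) are constructed for this example.

```python
import json
from collections import Counter

# Constructed JSON-lines audit events (not real Search Guard output). The field
# names follow this reference; the values are made up for the example.
SAMPLE_AUDIT_LOG = """\
{"@timestamp":"2024-03-01T09:00:01Z","audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"bob","audit_request_remote_address":"10.0.0.7","audit_rest_request_path":"/_search"}
{"@timestamp":"2024-03-01T09:00:02Z","audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"bob","audit_request_remote_address":"10.0.0.7","audit_rest_request_path":"/_search"}
{"@timestamp":"2024-03-01T09:00:03Z","audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"bob","audit_request_remote_address":"10.0.0.7","audit_rest_request_path":"/_search"}
{"@timestamp":"2024-03-01T09:01:00Z","audit_category":"AUTHENTICATED","audit_request_layer":"REST","audit_request_effective_user":"alice","audit_request_effective_user_auth_domain":"ldap","audit_request_initiating_user":"kibanaserver","audit_request_initiating_user_auth_domain":"basic","audit_rest_request_path":"/logs-*/_search"}
{"@timestamp":"2024-03-01T09:02:00Z","audit_category":"SG_INDEX_ATTEMPT","audit_request_layer":"TRANSPORT","audit_request_effective_user":"alice","audit_request_effective_user_is_admin":false,"audit_transport_request_type":"IndexRequest"}
{"@timestamp":"2024-03-01T09:03:00Z","audit_category":"GRANTED_PRIVILEGES","audit_request_layer":"TRANSPORT","audit_request_effective_user":"CN=admin,OU=ops","audit_request_effective_user_is_admin":true,"audit_transport_request_type":"PutMappingRequest","audit_request_privilege":"indices:admin/mapping/put"}
"""


def parse_audit_log(text):
    """Parse one JSON audit event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events, failed_login_threshold=3):
    """Return (finding, detail) tuples for patterns worth a defender's review.

    - FAILED_LOGIN repeated per (user, source IP): possible password guessing.
    - SG_INDEX_ATTEMPT: a write attempt against the Search Guard index.
    - audit_request_initiating_user present: impersonation, because the field is
      only logged when the initiating user differs from the effective user.
    - audit_request_effective_user_is_admin true: request made with a TLS admin cert.
    """
    findings = []
    failed = Counter()
    for ev in events:
        category = ev.get("audit_category")
        user = ev.get("audit_request_effective_user")
        if category == "FAILED_LOGIN":
            key = (user, ev.get("audit_request_remote_address"))
            failed[key] += 1
            if failed[key] == failed_login_threshold:  # report once per key
                findings.append(("repeated_failed_login", key))
        elif category == "SG_INDEX_ATTEMPT":
            findings.append(("sg_index_write_attempt", user))
        if "audit_request_initiating_user" in ev:
            findings.append(("impersonation", (ev["audit_request_initiating_user"], user)))
        if ev.get("audit_request_effective_user_is_admin") is True:
            findings.append(("admin_cert_request", user))
    return findings
```

In a real deployment the events would come from the audit index or the log4j audit appender rather than an inline string, and the threshold would be tuned to the environment.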
