Audit Log Field Reference
Version: SG FLX (Enterprise)
Contents
- Common Attributes
- REST FAILED_LOGIN attributes
- REST AUTHENTICATED attributes
- REST SSL_EXCEPTION attributes
- REST BAD_HEADERS attributes
- REST BLOCKED_USER attributes
- REST BLOCKED_IP attributes
- REST KIBANA_LOGIN attributes
- REST KIBANA_LOGOUT attributes
- Transport FAILED_LOGIN attributes
- Transport AUTHENTICATED attributes
- Transport MISSING_PRIVILEGES attributes
- Transport GRANTED_PRIVILEGES attributes
- Transport SSL_EXCEPTION attributes
- Transport BAD_HEADERS attributes
- Transport BLOCKED_USER attributes
- Transport BLOCKED_IP attributes
- Transport SG_INDEX_ATTEMPT attributes
- Transport INDEX_TEMPLATE_WRITE
- Transport INDEX_WRITE
Common Attributes
The following attributes are logged for all event categories, independent of the layer.
| Name | Description |
|---|---|
| audit_cluster_name | Name of the cluster this event was emitted on. |
| audit_format_version | Audit log message format version, current: 3 |
| @timestamp | UTC timestamp when the event was generated |
| audit_category | Audit log category, e.g. FAILED_LOGIN, MISSING_PRIVILEGES, BAD_HEADERS, SSL_EXCEPTION, SG_INDEX_ATTEMPT, AUTHENTICATED or GRANTED_PRIVILEGES; the sections below also list BLOCKED_USER, BLOCKED_IP, KIBANA_LOGIN, KIBANA_LOGOUT, INDEX_TEMPLATE_WRITE and INDEX_WRITE. |
| audit_node_id | The ID of the node where the event was generated. |
| audit_node_name | The name of the node where the event was generated. |
| audit_node_elasticsearch_version | The Elasticsearch version of the node where the event was generated. |
| audit_node_host_address | The host address of the node where the event was generated. |
| audit_node_host_name | The host name of the node where the event was generated. |
| audit_request_layer | The layer on which the event has been generated. One of TRANSPORT or REST. |
| audit_request_origin | The layer from which the event originated. One of TRANSPORT or REST. |
| audit_request_effective_user_is_admin | true if the request was made with a TLS admin certificate, false otherwise. |
| audit_request_remote_address | The IP this request originated from. |
REST FAILED_LOGIN attributes
| Name | Description |
|---|---|
| audit_request_effective_user | The username that failed authentication. |
| audit_rest_request_path | The REST endpoint URI |
| audit_rest_request_params | The HTTP request parameters, if any. Optional. |
| audit_rest_request_headers | The HTTP headers, if any. Optional. |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit_request_body | The HTTP body, if any and if request body logging is enabled. Optional. |
REST AUTHENTICATED attributes
| Name | Description |
|---|---|
| audit_request_effective_user | The username / principal that was authenticated. |
| audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt” |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit_request_initiating_user_auth_domain | The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit_rest_request_path | The REST endpoint URI |
| audit_rest_request_params | The HTTP request parameters, if any. Optional. |
| audit_rest_request_headers | The HTTP headers, if any. Optional. |
| audit_request_body | The HTTP body, if any and if request body logging is enabled. Optional. |
REST SSL_EXCEPTION attributes
| Name | Description |
|---|---|
| audit_request_exception_stacktrace | The stacktrace of the SSL Exception |
REST BAD_HEADERS attributes
| Name | Description |
|---|---|
| audit_rest_request_path | The REST endpoint URI |
| audit_rest_request_params | The HTTP request parameters, if any. Optional. |
| audit_rest_request_headers | The HTTP headers, if any. Optional. |
| audit_request_body | The HTTP body, if any and if request body logging is enabled. Optional. |
REST BLOCKED_USER attributes
| Name | Description |
|---|---|
| audit_request_effective_user | The username that was being blocked. |
| audit_rest_request_path | The REST endpoint URI |
| audit_rest_request_params | The HTTP request parameters, if any. Optional. |
| audit_rest_request_headers | The HTTP headers, if any. Optional. |
| audit_request_body | The HTTP body, if any and if request body logging is enabled. Optional. |
REST BLOCKED_IP attributes
| Name | Description |
|---|---|
| audit_rest_request_path | The REST endpoint URI |
| audit_rest_request_params | The HTTP request parameters, if any. Optional. |
| audit_rest_request_headers | The HTTP headers, if any. Optional. |
| audit_request_remote_address | The IP that was being blocked. |
REST KIBANA_LOGIN attributes
| Name | Description |
|---|---|
| audit_request_effective_user | The username / principal that logged in to Kibana. |
| audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt” |
REST KIBANA_LOGOUT attributes
| Name | Description |
|---|---|
| audit_request_effective_user | The username / principal that logged out of Kibana. |
Transport FAILED_LOGIN attributes
| Name | Description |
|---|---|
| audit_trace_task_id | The ID of this request |
| audit_transport_headers | The headers of the request, if any. Optional. |
| audit_request_effective_user | The username / principal that failed authentication. |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit_request_initiating_user_auth_domain | The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest |
| audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
| audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
| audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
| audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport AUTHENTICATED attributes
| Name | Description |
|---|---|
| audit_trace_task_id | The ID of this request |
| audit_transport_headers | The headers of the request, if any. Optional. |
| audit_request_effective_user | The username / principal that was authenticated. |
| audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt” |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit_request_initiating_user_auth_domain | The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest |
| audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
| audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
| audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
| audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport MISSING_PRIVILEGES attributes
| Name | Description |
|---|---|
| audit_trace_task_id | The ID of this request |
| audit_trace_task_parent_id | The parent ID of this request, if any. Optional. |
| audit_transport_headers | The headers of the request, if any. Optional. |
| audit_request_effective_user | The username / principal that made the request and lacked the required privilege. |
| audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt” |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit_request_initiating_user_auth_domain | The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest |
| audit_request_privilege | The required privilege of the request, e.g. indices:data/read/search |
| audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
| audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
| audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
| audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport GRANTED_PRIVILEGES attributes
| Name | Description |
|---|---|
| audit_trace_task_id | The ID of this request |
| audit_trace_task_parent_id | The parent ID of this request, if any. Optional. |
| audit_transport_headers | The headers of the request, if any. Optional. |
| audit_request_effective_user | The username / principal that made the request and was granted the required privilege. |
| audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt” |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit_request_initiating_user_auth_domain | The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest |
| audit_request_privilege | The required privilege of the request, e.g. indices:data/read/search |
| audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
| audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
| audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
| audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport SSL_EXCEPTION attributes
| Name | Description |
|---|---|
| audit_request_exception_stacktrace | The stacktrace of the SSL Exception |
Transport BAD_HEADERS attributes
| Name | Description |
|---|---|
| audit_trace_task_id | The ID of this request |
| audit_trace_task_parent_id | The parent ID of this request, if any. Optional. |
| audit_transport_headers | The headers of the request, if any. Optional. |
| audit_request_effective_user | The username / principal that made the request. |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit_request_initiating_user_auth_domain | The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest |
| audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
| audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
| audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
| audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport BLOCKED_USER attributes
| Name | Description |
|---|---|
| audit_trace_task_id | The ID of this request |
| audit_transport_headers | The headers of the request, if any. Optional. |
| audit_request_effective_user | The username / principal that was being blocked. |
| audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest |
| audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
| audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
| audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
| audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport BLOCKED_IP attributes
| Name | Description |
|---|---|
| audit_request_remote_address | The IP that was being blocked. |
| audit_trace_task_id | The ID of this request |
| audit_trace_task_parent_id | The parent ID of this request, if any. Optional. |
| audit_transport_headers | The headers of the request, if any. Optional. |
| audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest |
| audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
| audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
| audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
| audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport SG_INDEX_ATTEMPT attributes
| Name | Description |
|---|---|
| audit_trace_task_id | The ID of this request |
| audit_transport_headers | The headers of the request, if any. Optional. |
| audit_request_effective_user | The username / principal that made the request. |
| audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt” |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit_request_initiating_user_auth_domain | The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest |
| audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
| audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
| audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
| audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport INDEX_TEMPLATE_WRITE
| Name | Description |
|---|---|
| audit_compliance_operation | The operation on the index template, can be one of CREATE, UPDATE or DELETE. |
| audit_request_body | The content of newly created or updated template. |
| audit_request_effective_user | The username / principal that created, updated or deleted index template. |
| audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt” |
| audit_trace_index_templates | Array, the index template(s) as contained in the request. Can contain wildcards. |
Transport INDEX_WRITE
| Name | Description |
|---|---|
| audit_compliance_operation | The operation on the index, index settings or index mappings. In case of operation on the index it can be one of CREATE or DELETE, otherwise it’s always set to UPDATE. |
| audit_request_body | The content of newly created index or updated index settings/mappings as contained in the request. |
| audit_request_effective_user | The username of the user that has created, modified or deleted indices. |
| audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml. E.g. “ldap”, “jwt” |
| audit_trace_indices | Array, the index name(s) as contained in the request. Can contain wildcards. |
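The tables above describe the fields; what a detection engineer usually wants next is a small consumer that reads these events and raises findings from them. The script below is an added example, not code shipped by Search Guard or taken from this reference: it parses a batch of audit events and flags repeated FAILED_LOGIN events from one audit_request_remote_address, MISSING_PRIVILEGES denials with the requested privilege and affected indices, any SG_INDEX_ATTEMPT, impersonated requests (audit_request_initiating_user present and different from the effective user), and INDEX_WRITE events with a DELETE operation. The events are constructed sample data: field names follow the reference, but every value (users, addresses, index names, timestamps) is invented. JSON-lines input, the FAILED_LOGIN_THRESHOLD value and the finding labels are assumptions of this example, not Search Guard settings.

```python
"""Triage of Search Guard audit events using the field names from this reference.

Added example, not code from the Search Guard project. The sample events are
constructed: field names follow the field reference, all values are invented.
JSON-lines input, FAILED_LOGIN_THRESHOLD and the finding labels are assumptions.
"""
import json
from collections import Counter

FAILED_LOGIN_THRESHOLD = 3  # assumption: 3+ failures from one source is worth a look

# Constructed sample events, one JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"@timestamp":"2024-01-01T10:00:01Z","audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"alice","audit_request_remote_address":"203.0.113.7","audit_rest_request_path":"/_search","audit_request_effective_user_is_admin":false}
{"@timestamp":"2024-01-01T10:00:02Z","audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"alice","audit_request_remote_address":"203.0.113.7","audit_rest_request_path":"/_search","audit_request_effective_user_is_admin":false}
{"@timestamp":"2024-01-01T10:00:03Z","audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"bob","audit_request_remote_address":"203.0.113.7","audit_rest_request_path":"/_cat/indices","audit_request_effective_user_is_admin":false}
{"@timestamp":"2024-01-01T10:05:00Z","audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"alice","audit_request_remote_address":"198.51.100.4","audit_rest_request_path":"/_search","audit_request_effective_user_is_admin":false}
{"@timestamp":"2024-01-01T10:05:10Z","audit_category":"AUTHENTICATED","audit_request_layer":"REST","audit_request_effective_user":"alice","audit_request_effective_user_auth_domain":"basic","audit_request_remote_address":"198.51.100.4","audit_rest_request_path":"/_search","audit_request_effective_user_is_admin":false}
{"@timestamp":"2024-01-01T10:06:00Z","audit_category":"MISSING_PRIVILEGES","audit_request_layer":"TRANSPORT","audit_request_effective_user":"carol","audit_request_effective_user_auth_domain":"ldap","audit_request_remote_address":"198.51.100.9","audit_transport_request_type":"DeleteIndexRequest","audit_request_privilege":"indices:admin/delete","audit_trace_resolved_indices":["logs-2024.01"],"audit_request_effective_user_is_admin":false}
{"@timestamp":"2024-01-01T10:07:00Z","audit_category":"GRANTED_PRIVILEGES","audit_request_layer":"TRANSPORT","audit_request_effective_user":"dave","audit_request_effective_user_auth_domain":"basic","audit_request_initiating_user":"kibanaserver","audit_request_initiating_user_auth_domain":"basic","audit_request_remote_address":"198.51.100.20","audit_transport_request_type":"SearchRequest","audit_request_privilege":"indices:data/read/search","audit_trace_resolved_indices":["logs-2024.01"],"audit_request_effective_user_is_admin":false}
{"@timestamp":"2024-01-01T10:08:00Z","audit_category":"SG_INDEX_ATTEMPT","audit_request_layer":"TRANSPORT","audit_request_effective_user":"mallory","audit_request_effective_user_auth_domain":"basic","audit_request_remote_address":"203.0.113.7","audit_transport_request_type":"IndexRequest","audit_trace_indices":["searchguard"],"audit_request_effective_user_is_admin":false}
{"@timestamp":"2024-01-01T10:09:00Z","audit_category":"INDEX_WRITE","audit_request_layer":"TRANSPORT","audit_compliance_operation":"DELETE","audit_request_effective_user":"erin","audit_request_effective_user_auth_domain":"ldap","audit_request_remote_address":"198.51.100.30","audit_trace_indices":["logs-2023.*"],"audit_request_effective_user_is_admin":false}
"""


def parse_events(text):
    """Parse JSON-lines audit output; blank lines are skipped, malformed lines raise."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def failed_logins_by_source(events):
    """Count FAILED_LOGIN events per audit_request_remote_address. The address is a
    common attribute, so this covers both the REST and the TRANSPORT layer."""
    counts = Counter()
    for ev in events:
        if ev.get("audit_category") == "FAILED_LOGIN":
            counts[ev.get("audit_request_remote_address", "unknown")] += 1
    return counts


def affected_indices(ev):
    """Prefer the resolved concrete index names, fall back to the names as written in
    the request. Both fields are optional (only logged when resolve_indices is true)."""
    return ev.get("audit_trace_resolved_indices") or ev.get("audit_trace_indices") or []


def triage(events):
    """Return a list of findings; each finding is a dict with a 'type' and evidence fields."""
    findings = []
    for src, n in failed_logins_by_source(events).items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append({"type": "brute_force_candidate", "source": src, "count": n})
    for ev in events:
        cat = ev.get("audit_category")
        user = ev.get("audit_request_effective_user")
        initiating = ev.get("audit_request_initiating_user")
        if cat == "MISSING_PRIVILEGES":
            findings.append({"type": "missing_privileges", "user": user,
                             "privilege": ev.get("audit_request_privilege"),
                             "indices": affected_indices(ev)})
        if cat == "SG_INDEX_ATTEMPT":
            findings.append({"type": "sg_index_attempt", "user": user,
                             "source": ev.get("audit_request_remote_address"),
                             "request_type": ev.get("audit_transport_request_type")})
        # The initiating user is only logged when it differs from the effective user,
        # i.e. when impersonation was used; the field is absent otherwise.
        if initiating is not None and initiating != user:
            findings.append({"type": "impersonation", "user": user,
                             "initiating_user": initiating,
                             "initiating_domain": ev.get("audit_request_initiating_user_auth_domain")})
        if cat == "INDEX_WRITE" and ev.get("audit_compliance_operation") == "DELETE":
            findings.append({"type": "index_delete", "user": user,
                             "indices": affected_indices(ev)})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_AUDIT_LOG)):
        print(finding)
```

Running the script on the constructed sample yields five findings: three failed logins from 203.0.113.7 (at the assumed threshold), carol's denied indices:admin/delete on logs-2024.01, mallory's SG_INDEX_ATTEMPT, dave's request initiated by kibanaserver via impersonation, and erin's index DELETE. Because audit_trace_indices and audit_trace_resolved_indices are optional, affected_indices returns an empty list rather than failing when resolve_indices was off when the event was written.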