Version: SG FLX
Enterprise
Audit Log Field Reference
Content
- Common Attributes
- REST FAILED_LOGIN attributes
- REST AUTHENTICATED attributes
- REST SSL_EXCEPTION attributes
- REST BAD_HEADERS attributes
- REST BLOCKED_USER attributes
- REST BLOCKED_IP attributes
- REST KIBANA_LOGIN attributes
- REST KIBANA_LOGOUT attributes
- Transport FAILED_LOGIN attributes
- Transport AUTHENTICATED attributes
- Transport MISSING_PRIVILEGES attributes
- Transport GRANTED_PRIVILEGES attributes
- Transport SSL_EXCEPTION attributes
- Transport BAD_HEADERS attributes
- Transport BLOCKED_USER attributes
- Transport BLOCKED_IP attributes
- Transport SG_INDEX_ATTEMPT attributes
- Transport INDEX_TEMPLATE_WRITE
- Transport INDEX_WRITE
Common Attributes
The following attributes are logged for all event categories, independent of the layer.
Name | Description |
---|---|
audit_cluster_name | Name of the cluster this event was emitted on. |
audit_format_version | Audit log message format version, current: 3 |
@timestamp | UTC timestamp when the event was generated |
audit_category | Audit log category, one of FAILED_LOGIN, MISSING_PRIVILEGES, BAD_HEADERS, SSL_EXCEPTION, SG_INDEX_ATTEMPT, AUTHENTICATED or GRANTED_PRIVILEGES. |
audit_node_id | The ID of the node where the event was generated. |
audit_node_name | The name of the node where the event was generated. |
audit_node_elasticsearch_version | The Elasticsearch version of the node where the event was generated. |
audit_node_host_address | The host address of the node where the event was generated. |
audit_node_host_name | The host name of the node where the event was generated. |
audit_request_layer | The layer on which the event was generated. One of TRANSPORT or REST. |
audit_request_origin | The layer from which the event originated. One of TRANSPORT or REST. |
audit_request_effective_user_is_admin | true if the request was made with a TLS admin certificate, false otherwise. |
audit_request_remote_address | The IP this request originated from. |
REST FAILED_LOGIN attributes
Name | Description |
---|---|
audit_request_effective_user | The username that failed authentication. |
audit_rest_request_path | The REST endpoint URI |
audit_rest_request_params | The HTTP request parameters, if any. Optional. |
audit_rest_request_headers | The HTTP headers, if any. Optional. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
audit_request_body | The HTTP body, if any and if request body logging is enabled. Optional. |
REST AUTHENTICATED attributes
Name | Description |
---|---|
audit_request_effective_user | The username / principal that was successfully authenticated. |
audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml, e.g. “ldap”, “jwt”. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
audit_request_initiating_user_auth_domain | The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
audit_rest_request_path | The REST endpoint URI |
audit_rest_request_params | The HTTP request parameters, if any. Optional. |
audit_rest_request_headers | The HTTP headers, if any. Optional. |
audit_request_body | The HTTP body, if any and if request body logging is enabled. Optional. |
REST SSL_EXCEPTION attributes
Name | Description |
---|---|
audit_request_exception_stacktrace | The stacktrace of the SSL Exception |
REST BAD_HEADERS attributes
Name | Description |
---|---|
audit_rest_request_path | The REST endpoint URI |
audit_rest_request_params | The HTTP request parameters, if any. Optional. |
audit_rest_request_headers | The HTTP headers, if any. Optional. |
audit_request_body | The HTTP body, if any and if request body logging is enabled. Optional. |
REST BLOCKED_USER attributes
Name | Description |
---|---|
audit_request_effective_user | The username that was being blocked. |
audit_rest_request_path | The REST endpoint URI |
audit_rest_request_params | The HTTP request parameters, if any. Optional. |
audit_rest_request_headers | The HTTP headers, if any. Optional. |
audit_request_body | The HTTP body, if any and if request body logging is enabled. Optional. |
REST BLOCKED_IP attributes
Name | Description |
---|---|
audit_rest_request_path | The REST endpoint URI |
audit_rest_request_params | The HTTP request parameters, if any. Optional. |
audit_rest_request_headers | The HTTP headers, if any. Optional. |
audit_request_remote_address | The IP that was being blocked. |
REST KIBANA_LOGIN attributes
Name | Description |
---|---|
audit_request_effective_user | The username / principal that logged in to Kibana. |
audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml, e.g. “ldap”, “jwt”. |
REST KIBANA_LOGOUT attributes
Name | Description |
---|---|
audit_request_effective_user | The username / principal that logged out of Kibana. |
Transport FAILED_LOGIN attributes
Name | Description |
---|---|
audit_trace_task_id | The ID of this request |
audit_transport_headers | The headers of the request, if any. Optional. |
audit_request_effective_user | The username / principal that failed authentication. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
audit_request_initiating_user_auth_domain | The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest. |
audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport AUTHENTICATED attributes
Name | Description |
---|---|
audit_trace_task_id | The ID of this request |
audit_transport_headers | The headers of the request, if any. Optional. |
audit_request_effective_user | The username / principal that was successfully authenticated. |
audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml, e.g. “ldap”, “jwt”. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
audit_request_initiating_user_auth_domain | The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest. |
audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport MISSING_PRIVILEGES attributes
Name | Description |
---|---|
audit_trace_task_id | The ID of this request |
audit_trace_task_parent_id | The parent ID of this request, if any. Optional. |
audit_transport_headers | The headers of the request, if any. Optional. |
audit_request_effective_user | The username / principal that made the request. |
audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml, e.g. “ldap”, “jwt”. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
audit_request_initiating_user_auth_domain | The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest. |
audit_request_privilege | The required privilege of the request, e.g. indices:data/read/search |
audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport GRANTED_PRIVILEGES attributes
Name | Description |
---|---|
audit_trace_task_id | The ID of this request |
audit_trace_task_parent_id | The parent ID of this request, if any. Optional. |
audit_transport_headers | The headers of the request, if any. Optional. |
audit_request_effective_user | The username / principal that made the request. |
audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml, e.g. “ldap”, “jwt”. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
audit_request_initiating_user_auth_domain | The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest. |
audit_request_privilege | The required privilege of the request, e.g. indices:data/read/search |
audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport SSL_EXCEPTION attributes
Name | Description |
---|---|
audit_request_exception_stacktrace | The stacktrace of the SSL Exception |
Transport BAD_HEADERS attributes
Name | Description |
---|---|
audit_trace_task_id | The ID of this request |
audit_trace_task_parent_id | The parent ID of this request, if any. Optional. |
audit_transport_headers | The headers of the request, if any. Optional. |
audit_request_effective_user | The username / principal that made the request. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
audit_request_initiating_user_auth_domain | The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest. |
audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport BLOCKED_USER attributes
Name | Description |
---|---|
audit_trace_task_id | The ID of this request |
audit_transport_headers | The headers of the request, if any. Optional. |
audit_request_effective_user | The username / principal that was being blocked. |
audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest. |
audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport BLOCKED_IP attributes
Name | Description |
---|---|
audit_request_remote_address | The IP that was being blocked. |
audit_trace_task_id | The ID of this request |
audit_trace_task_parent_id | The parent ID of this request, if any. Optional. |
audit_transport_headers | The headers of the request, if any. Optional. |
audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest. |
audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport SG_INDEX_ATTEMPT attributes
Name | Description |
---|---|
audit_trace_task_id | The ID of this request |
audit_transport_headers | The headers of the request, if any. Optional. |
audit_request_effective_user | The username / principal that made the request. |
audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml, e.g. “ldap”, “jwt”. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
audit_request_initiating_user_auth_domain | The domain that authenticated the initiating user. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
audit_transport_request_type | The type of request, e.g. IndexRequest, SearchRequest. |
audit_request_body | The body / source, if any and if request body logging is enabled. Optional. |
audit_trace_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if resolve_indices is true. Optional. |
audit_trace_resolved_indices | The resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional. |
audit_trace_doc_types | The document types affected by this request. Only logged if resolve_indices is true. Optional. |
Transport INDEX_TEMPLATE_WRITE
Name | Description |
---|---|
audit_compliance_operation | The operation on the index template, one of CREATE, UPDATE or DELETE. |
audit_request_body | The content of the newly created or updated template. |
audit_request_effective_user | The username / principal that created, updated or deleted the index template. |
audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml, e.g. “ldap”, “jwt”. |
audit_trace_index_templates | Array, the index template(s) as contained in the request. Can contain wildcards. |
Transport INDEX_WRITE
Name | Description |
---|---|
audit_compliance_operation | The operation on the index, index settings or index mappings. For an operation on the index itself it is one of CREATE or DELETE; otherwise it is always UPDATE. |
audit_request_body | The content of the newly created index, or of the updated index settings/mappings, as contained in the request. |
audit_request_effective_user | The username of the user that created, modified or deleted the indices. |
audit_request_effective_user_auth_domain | The domain that authenticated the user, as defined in sg_authc.yml, e.g. “ldap”, “jwt”. |
audit_trace_indices | Array, the index name(s) as contained in the request. Can contain wildcards. |
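As an added example (not part of this reference and not Search Guard's own code), the script below triages audit events using only the fields documented above: FAILED_LOGIN bursts per remote address, impersonation (audit_request_initiating_user is only present when it differs from the effective user), requests made with a TLS admin certificate, and MISSING_PRIVILEGES events with the concrete indices they targeted. It assumes the log is consumed as one JSON object per line; the threshold, user names, addresses and index names are constructed sample values.

```python
# Example triage script written for this reference (not Search Guard's own code).
# Assumes the audit log is consumed as one JSON object per line (NDJSON) carrying
# the field names documented above; the events below are constructed samples.
import json
from collections import Counter

FAILED_LOGIN_THRESHOLD = 3  # assumption: flag a remote address at this many failures

SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"@timestamp": "2024-01-10T09:00:01Z", "audit_category": "FAILED_LOGIN", "audit_request_layer": "REST",
     "audit_request_effective_user": "alice", "audit_request_remote_address": "203.0.113.7",
     "audit_rest_request_path": "/_search"},
    {"@timestamp": "2024-01-10T09:00:02Z", "audit_category": "FAILED_LOGIN", "audit_request_layer": "REST",
     "audit_request_effective_user": "bob", "audit_request_remote_address": "203.0.113.7",
     "audit_rest_request_path": "/_search"},
    {"@timestamp": "2024-01-10T09:00:03Z", "audit_category": "FAILED_LOGIN", "audit_request_layer": "REST",
     "audit_request_effective_user": "carol", "audit_request_remote_address": "203.0.113.7",
     "audit_rest_request_path": "/_search"},
    {"@timestamp": "2024-01-10T09:01:00Z", "audit_category": "AUTHENTICATED", "audit_request_layer": "REST",
     "audit_request_effective_user": "svc-report", "audit_request_effective_user_auth_domain": "basic",
     "audit_request_initiating_user": "admin-dave", "audit_request_remote_address": "198.51.100.5"},
    {"@timestamp": "2024-01-10T09:02:00Z", "audit_category": "MISSING_PRIVILEGES", "audit_request_layer": "TRANSPORT",
     "audit_request_effective_user": "eve", "audit_request_privilege": "indices:data/read/search",
     "audit_trace_indices": ["logs-*"], "audit_trace_resolved_indices": ["logs-2024.01.10"]},
    {"@timestamp": "2024-01-10T09:03:00Z", "audit_category": "GRANTED_PRIVILEGES", "audit_request_layer": "TRANSPORT",
     "audit_request_effective_user": "CN=sgadmin", "audit_request_effective_user_is_admin": True,
     "audit_request_privilege": "cluster:admin/settings/update"},
])


def parse_events(ndjson):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def triage(events):
    """Return findings keyed by detection name, each derived from documented fields."""
    failed_by_ip = Counter(e.get("audit_request_remote_address") for e in events
                           if e.get("audit_category") == "FAILED_LOGIN")
    return {
        # many FAILED_LOGIN events from one remote address: review for password guessing
        "failed_login_bursts": {ip: n for ip, n in failed_by_ip.items() if n >= FAILED_LOGIN_THRESHOLD},
        # the initiating user is only logged when impersonation was used
        "impersonations": [(e["audit_request_initiating_user"], e["audit_request_effective_user"])
                           for e in events if "audit_request_initiating_user" in e],
        # requests authenticated with a TLS admin certificate should be rare and reviewable
        "admin_cert_requests": [(e["audit_request_effective_user"], e.get("audit_request_privilege"))
                                for e in events if e.get("audit_request_effective_user_is_admin")],
        # denied actions, with the concrete indices when resolve_indices was enabled
        "denied": [(e["audit_request_effective_user"], e["audit_request_privilege"],
                    e.get("audit_trace_resolved_indices", e.get("audit_trace_indices")))
                   for e in events if e.get("audit_category") == "MISSING_PRIVILEGES"],
    }


if __name__ == "__main__":
    print(json.dumps(triage(parse_events(SAMPLE_NDJSON)), indent=2))
```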