Audit log field reference

This page contains descriptions for all audit log fields.

Common attributes

The following attributes are logged for all event categories, independent of the layer.

Name Description
audit_format_version The audit log message format version.
audit_category The audit log category, one of FAILED_LOGIN, MISSING_PRIVILEGES, BAD_HEADERS, SSL_EXCEPTION, OPENDISTRO_SECURITY_INDEX_ATTEMPT, AUTHENTICATED or GRANTED_PRIVILEGES.
audit_node_id The ID of the node where the event was generated.
audit_node_name The name of the node where the event was generated.
audit_node_host_address The host address of the node where the event was generated.
audit_node_host_name The host name of the node where the event was generated.
audit_request_layer The layer on which the event has been generated, either TRANSPORT or REST.
audit_request_origin The layer from which the event originated, either TRANSPORT or REST.
audit_request_effective_user_is_admin True if the request was made with a TLS admin certificate, otherwise false.

REST FAILED_LOGIN attributes

Name Description
audit_request_effective_user The username that failed to authenticate.
audit_rest_request_path The REST endpoint URI.
audit_rest_request_params The HTTP request parameters, if any.
audit_rest_request_headers The HTTP headers, if any.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user.
audit_request_body The HTTP request body, if any (and if request body logging is enabled).

REST AUTHENTICATED attributes

Name Description
audit_request_effective_user The username that failed to authenticate.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user.
audit_rest_request_path The REST endpoint URI.
audit_rest_request_params The HTTP request parameters, if any.
audit_rest_request_headers The HTTP headers, if any.
audit_request_body The HTTP request body, if any (and if request body logging is enabled).

REST SSL_EXCEPTION attributes

Name Description
audit_request_exception_stacktrace The stack trace of the SSL exception.

REST BAD_HEADERS attributes

Name Description
audit_rest_request_path The REST endpoint URI.
audit_rest_request_params The HTTP request parameters, if any.
audit_rest_request_headers The HTTP headers, if any.
audit_request_body The HTTP request body, if any (and if request body logging is enabled).

Transport FAILED_LOGIN attributes

Name Description
audit_trace_task_id The ID of the request.
audit_transport_headers The headers of the request, if any.
audit_request_effective_user The username that failed to authenticate.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user.
audit_transport_request_type The type of request (e.g. IndexRequest).
audit_request_body The HTTP request body, if any (and if request body logging is enabled).
audit_trace_indices The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true.
audit_trace_resolved_indices The resolved index name(s) affected by the request. Only logged if resolve_indices is true.
audit_trace_doc_types The document types affected by the request. Only logged if resolve_indices is true.

Transport AUTHENTICATED attributes

Name Description
audit_trace_task_id The ID of the request.
audit_transport_headers The headers of the request, if any.
audit_request_effective_user The username that failed to authenticate.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user.
audit_transport_request_type The type of request (e.g. IndexRequest).
audit_request_body The HTTP request body, if any (and if request body logging is enabled).
audit_trace_indices The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true.
audit_trace_resolved_indices The resolved index name(s) affected by the request. Only logged if resolve_indices is true.
audit_trace_doc_types The document types affected by the request. Only logged if resolve_indices is true.

Transport MISSING_PRIVILEGES attributes

Name Description
audit_trace_task_id The ID of the request.
audit_trace_task_parent_id The parent ID of this request, if any.
audit_transport_headers The headers of the request, if any.
audit_request_effective_user The username that failed to authenticate.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user.
audit_transport_request_type The type of request (e.g. IndexRequest).
audit_request_privilege The required privilege of the request (e.g. indices:data/read/search).
audit_request_body The HTTP request body, if any (and if request body logging is enabled).
audit_trace_indices The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true.
audit_trace_resolved_indices The resolved index name(s) affected by the request. Only logged if resolve_indices is true.
audit_trace_doc_types The document types affected by the request. Only logged if resolve_indices is true.

Transport GRANTED_PRIVILEGES attributes

Name Description
audit_trace_task_id The ID of the request.
audit_trace_task_parent_id The parent ID of this request, if any.
audit_transport_headers The headers of the request, if any.
audit_request_effective_user The username that failed to authenticate.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user.
audit_transport_request_type The type of request (e.g. IndexRequest).
audit_request_privilege The required privilege of the request (e.g. indices:data/read/search).
audit_request_body The HTTP request body, if any (and if request body logging is enabled).
audit_trace_indices The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true.
audit_trace_resolved_indices The resolved index name(s) affected by the request. Only logged if resolve_indices is true.
audit_trace_doc_types The document types affected by the request. Only logged if resolve_indices is true.

Transport SSL_EXCEPTION attributes

Name Description
audit_request_exception_stacktrace The stack trace of the SSL exception.

Transport BAD_HEADERS attributes

Name Description
audit_trace_task_id The ID of the request.
audit_trace_task_parent_id The parent ID of this request, if any.
audit_transport_headers The headers of the request, if any.
audit_request_effective_user The username that failed to authenticate.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user.
audit_transport_request_type The type of request (e.g. IndexRequest).
audit_request_body The HTTP request body, if any (and if request body logging is enabled).
audit_trace_indices The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true.
audit_trace_resolved_indices The resolved index name(s) affected by the request. Only logged if resolve_indices is true.
audit_trace_doc_types The document types affected by the request. Only logged if resolve_indices is true.

Transport OPENDISTRO_SECURITY_INDEX_ATTEMPT attributes

Name Description
audit_trace_task_id The ID of the request.
audit_transport_headers The headers of the request, if any.
audit_request_effective_user The username that failed to authenticate.
audit_request_initiating_user The user that initiated the request. Only logged if it differs from the effective user.
audit_transport_request_type The type of request (e.g. IndexRequest).
audit_request_body The HTTP request body, if any (and if request body logging is enabled).
audit_trace_indices The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true.
audit_trace_resolved_indices The resolved index name(s) affected by the request. Only logged if resolve_indices is true.
audit_trace_doc_types The document types affected by the request. Only logged if resolve_indices is true.