The Open Distro project is archived. Open Distro development has moved to OpenSearch. The Open Distro plugins will continue to work with legacy versions of Elasticsearch OSS, but we recommend upgrading to OpenSearch to take advantage of the latest features and improvements.
Audit log field reference
This page contains descriptions for all audit log fields.
Common attributes
The following attributes are logged for all event categories, independent of the layer.
| Name | Description |
audit_format_version | The audit log message format version. |
audit_category | The audit log category, one of FAILED_LOGIN, MISSING_PRIVILEGES, BAD_HEADERS, SSL_EXCEPTION, OPENDISTRO_SECURITY_INDEX_ATTEMPT, AUTHENTICATED or GRANTED_PRIVILEGES. |
audit_node_id | The ID of the node where the event was generated. |
audit_node_name | The name of the node where the event was generated. |
audit_node_host_address | The host address of the node where the event was generated. |
audit_node_host_name | The host name of the node where the event was generated. |
audit_request_layer | The layer on which the event has been generated, either TRANSPORT or REST. |
audit_request_origin | The layer from which the event originated, either TRANSPORT or REST. |
audit_request_effective_user_is_admin | True if the request was made with a TLS admin certificate, otherwise false. |
REST FAILED_LOGIN attributes
| Name | Description |
audit_request_effective_user | The username that failed to authenticate. |
audit_rest_request_path | The REST endpoint URI. |
audit_rest_request_params | The HTTP request parameters, if any. |
audit_rest_request_headers | The HTTP headers, if any. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
REST AUTHENTICATED attributes
| Name | Description |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_rest_request_path | The REST endpoint URI. |
audit_rest_request_params | The HTTP request parameters, if any. |
audit_rest_request_headers | The HTTP headers, if any. |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
REST SSL_EXCEPTION attributes
| Name | Description |
audit_request_exception_stacktrace | The stack trace of the SSL exception. |
| Name | Description |
audit_rest_request_path | The REST endpoint URI. |
audit_rest_request_params | The HTTP request parameters, if any. |
audit_rest_request_headers | The HTTP headers, if any. |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
Transport FAILED_LOGIN attributes
| Name | Description |
audit_trace_task_id | The ID of the request. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |
Transport AUTHENTICATED attributes
| Name | Description |
audit_trace_task_id | The ID of the request. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |
Transport MISSING_PRIVILEGES attributes
| Name | Description |
audit_trace_task_id | The ID of the request. |
audit_trace_task_parent_id | The parent ID of this request, if any. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest). |
audit_request_privilege | The required privilege of the request (e.g. indices:data/read/search). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |
Transport GRANTED_PRIVILEGES attributes
| Name | Description |
audit_trace_task_id | The ID of the request. |
audit_trace_task_parent_id | The parent ID of this request, if any. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest). |
audit_request_privilege | The required privilege of the request (e.g. indices:data/read/search). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |
Transport SSL_EXCEPTION attributes
| Name | Description |
audit_request_exception_stacktrace | The stack trace of the SSL exception. |
| Name | Description |
audit_trace_task_id | The ID of the request. |
audit_trace_task_parent_id | The parent ID of this request, if any. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |
Transport OPENDISTRO_SECURITY_INDEX_ATTEMPT attributes
| Name | Description |
audit_trace_task_id | The ID of the request. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |