Audit log field reference
This page contains descriptions for all audit log fields.
Common attributes
The following attributes are logged for all event categories, independent of the layer.
Name |
Description |
audit_format_version |
The audit log message format version. |
audit_utc_timestamp |
The UTC timestamp for the event. |
audit_category |
The audit log category, one of FAILED_LOGIN, MISSING_PRIVILEGES, BAD_HEADERS, SSL_EXCEPTION, OPENDISTRO_SECURITY_INDEX_ATTEMPT, AUTHENTICATED or GRANTED_PRIVILEGES. |
audit_node_id |
The ID of the node where the event was generated. |
audit_node_name |
The name of the node where the event was generated. |
audit_node_host_address |
The host address of the node where the event was generated. |
audit_node_host_name |
The host name of the node where the event was generated. |
audit_request_layer |
The layer on which the event has been generated, either TRANSPORT or REST. |
audit_request_origin |
The layer from which the event originated, either TRANSPORT or REST. |
audit_request_effective_user_is_admin |
True if the request was made with a TLS admin certificate, otherwise false. |
REST FAILED_LOGIN attributes
Name |
Description |
audit_request_effective_user |
The username that failed to authenticate. |
audit_rest_request_path |
The REST endpoint URI. |
audit_rest_request_params |
The HTTP request parameters, if any. |
audit_rest_request_headers |
The HTTP headers, if any. |
audit_request_initiating_user |
The user that initiated the request. Only logged if it differs from the effective user. |
audit_request_body |
The HTTP request body, if any (and if request body logging is enabled). |
REST AUTHENTICATED attributes
Name |
Description |
audit_request_effective_user |
The username that failed to authenticate. |
audit_request_initiating_user |
The user that initiated the request. Only logged if it differs from the effective user. |
audit_rest_request_path |
The REST endpoint URI. |
audit_rest_request_params |
The HTTP request parameters, if any. |
audit_rest_request_headers |
The HTTP headers, if any. |
audit_request_body |
The HTTP request body, if any (and if request body logging is enabled). |
REST SSL_EXCEPTION attributes
Name |
Description |
audit_request_exception_stacktrace |
The stack trace of the SSL exception. |
Name |
Description |
audit_rest_request_path |
The REST endpoint URI. |
audit_rest_request_params |
The HTTP request parameters, if any. |
audit_rest_request_headers |
The HTTP headers, if any. |
audit_request_body |
The HTTP request body, if any (and if request body logging is enabled). |
Transport FAILED_LOGIN attributes
Name |
Description |
audit_trace_task_id |
The ID of the request. |
audit_transport_headers |
The headers of the request, if any. |
audit_request_effective_user |
The username that failed to authenticate. |
audit_request_initiating_user |
The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type |
The type of request (e.g. IndexRequest ). |
audit_request_body |
The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices |
The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices |
The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types |
The document types affected by the request. Only logged if resolve_indices is true. |
Transport AUTHENTICATED attributes
Name |
Description |
audit_trace_task_id |
The ID of the request. |
audit_transport_headers |
The headers of the request, if any. |
audit_request_effective_user |
The username that failed to authenticate. |
audit_request_initiating_user |
The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type |
The type of request (e.g. IndexRequest ). |
audit_request_body |
The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices |
The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices |
The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types |
The document types affected by the request. Only logged if resolve_indices is true. |
Transport MISSING_PRIVILEGES attributes
Name |
Description |
audit_trace_task_id |
The ID of the request. |
audit_trace_task_parent_id |
The parent ID of this request, if any. |
audit_transport_headers |
The headers of the request, if any. |
audit_request_effective_user |
The username that failed to authenticate. |
audit_request_initiating_user |
The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type |
The type of request (e.g. IndexRequest ). |
audit_request_privilege |
The required privilege of the request (e.g. indices:data/read/search ). |
audit_request_body |
The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices |
The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices |
The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types |
The document types affected by the request. Only logged if resolve_indices is true. |
Transport GRANTED_PRIVILEGES attributes
Name |
Description |
audit_trace_task_id |
The ID of the request. |
audit_trace_task_parent_id |
The parent ID of this request, if any. |
audit_transport_headers |
The headers of the request, if any. |
audit_request_effective_user |
The username that failed to authenticate. |
audit_request_initiating_user |
The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type |
The type of request (e.g. IndexRequest ). |
audit_request_privilege |
The required privilege of the request (e.g. indices:data/read/search ). |
audit_request_body |
The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices |
The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices |
The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types |
The document types affected by the request. Only logged if resolve_indices is true. |
Transport SSL_EXCEPTION attributes
Name |
Description |
audit_request_exception_stacktrace |
The stack trace of the SSL exception. |
Name |
Description |
audit_trace_task_id |
The ID of the request. |
audit_trace_task_parent_id |
The parent ID of this request, if any. |
audit_transport_headers |
The headers of the request, if any. |
audit_request_effective_user |
The username that failed to authenticate. |
audit_request_initiating_user |
The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type |
The type of request (e.g. IndexRequest ). |
audit_request_body |
The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices |
The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices |
The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types |
The document types affected by the request. Only logged if resolve_indices is true. |
Transport OPENDISTRO_SECURITY_INDEX_ATTEMPT attributes
Name |
Description |
audit_trace_task_id |
The ID of the request. |
audit_transport_headers |
The headers of the request, if any. |
audit_request_effective_user |
The username that failed to authenticate. |
audit_request_initiating_user |
The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type |
The type of request (e.g. IndexRequest ). |
audit_request_body |
The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices |
The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices |
The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types |
The document types affected by the request. Only logged if resolve_indices is true. |