Audit event types

Each request may generate multiple audit events. The following is a list of the events that can be generated (the event names given in parentheses are the ones used in the attribute tables below):

- Logged when a request is denied due to a missing authentication token (`anonymous_access_denied`, Tables 40 and 44).
- Logged when a user successfully authenticates (`authentication_success`, Tables 41 and 45).
- Logged when the authentication token cannot be matched to a known user (`authentication_failed`, Tables 42 and 46).
- Logged for every realm that fails to present a valid authentication token (`realm_authentication_failed`, Tables 43 and 47).
- Logged when an authenticated user attempts to execute an action they do not have the necessary privilege to perform (`access_denied`, Table 49).
- Logged when an authenticated user attempts to execute an action they have the necessary privilege to perform (`access_granted`, Table 48). When the
- Logged when an authenticated user attempts to run as another user and has the necessary privilege to do so.
- Logged when an authenticated user attempts to run as another user and does not have the necessary privilege to do so.
- Logged when X-Pack security detects that the request has been tampered with (`tampered_request`, Table 50). Typically relates to
- Logged when an incoming TCP connection passes the IP Filter for a specific profile (`connection_granted`, Table 51).
- Logged when an incoming TCP connection does not pass the IP Filter for a specific profile (`connection_denied`, Table 52).
Audit event attributes

The following table shows the common attributes that can be associated with every event.
Table 39. Common attributes

| Attribute | Description |
|---|---|
| | When the event occurred. |
| | The name of the node. |
| | The hostname of the node. |
| | The IP address of the node. |
| | The layer from which this event originated: |
| | The type of event that occurred: |
The following tables show the attributes that can be associated with each type of event. The log level determines which attributes are included in a log entry.
Table 40. REST anonymous_access_denied attributes

| Attribute | Description |
|---|---|
| | The IP address from which the request originated. |
| | The REST endpoint URI. |
| | The body of the request, if enabled. |
Table 41. REST authentication_success attributes

| Attribute | Description |
|---|---|
| | The authenticated user. |
| | The realm that authenticated the user. |
| | The REST endpoint URI. |
| | The REST URI query parameters. |
| | The body of the request, if enabled. |
Table 42. REST authentication_failed attributes

| Attribute | Description |
|---|---|
| | The IP address from which the request originated. |
| | The principal (username) that failed authentication. |
| | The REST endpoint URI. |
| | The body of the request, if enabled. |
Table 43. REST realm_authentication_failed attributes

| Attribute | Description |
|---|---|
| | The IP address from which the request originated. |
| | The principal (username) that failed authentication. |
| | The REST endpoint URI. |
| | The body of the request, if enabled. |
| | The realm that failed to authenticate the user. NOTE: A separate entry is logged for each consulted realm. |
Table 44. Transport anonymous_access_denied attributes

| Attribute | Description |
|---|---|
| | Where the request originated: |
| | The IP address from which the request originated. |
| | The name of the action that was executed. |
| | The type of request that was executed. |
| | A comma-separated list of indices this request pertains to (when applicable). |
Table 45. Transport authentication_success attributes

| Attribute | Description |
|---|---|
| | Where the request originated: |
| | The IP address from which the request originated. |
| | The authenticated user. |
| | The realm that authenticated the user. |
| | The name of the action that was executed. |
| | The type of request that was executed. |
Table 46. Transport authentication_failed attributes

| Attribute | Description |
|---|---|
| | Where the request originated: |
| | The IP address from which the request originated. |
| | The principal (username) that failed authentication. |
| | The name of the action that was executed. |
| | The type of request that was executed. |
| | A comma-separated list of indices this request pertains to (when applicable). |
Table 47. Transport realm_authentication_failed attributes

| Attribute | Description |
|---|---|
| | Where the request originated: |
| | The IP address from which the request originated. |
| | The principal (username) that failed authentication. |
| | The name of the action that was executed. |
| | The type of request that was executed. |
| | A comma-separated list of indices this request pertains to (when applicable). |
| | The realm that failed to authenticate the user. NOTE: A separate entry is logged for each consulted realm. |
Table 48. Transport access_granted attributes

| Attribute | Description |
|---|---|
| | Where the request originated: |
| | The IP address from which the request originated. |
| | The principal (username) that passed authentication. |
| | The set of roles granting permissions. |
| | The name of the action that was executed. |
| | The type of request that was executed. |
| | A comma-separated list of indices this request pertains to (when applicable). |
Table 49. Transport access_denied attributes

| Attribute | Description |
|---|---|
| | Where the request originated: |
| | The IP address from which the request originated. |
| | The principal (username) that failed authentication. |
| | The set of roles granting permissions. |
| | The name of the action that was executed. |
| | The type of request that was executed. |
| | A comma-separated list of indices this request relates to (when applicable). |
Table 50. Transport tampered_request attributes

| Attribute | Description |
|---|---|
| | Where the request originated: |
| | The IP address from which the request originated. |
| | The principal (username) that failed to authenticate. |
| | The name of the action that was executed. |
| | The type of request that was executed. |
| | A comma-separated list of indices this request pertains to (when applicable). |
Table 51. IP filter connection_granted attributes

| Attribute | Description |
|---|---|
| | The IP address from which the request originated. |
| | The transport profile the request targeted. |
| | The IP filtering rule that granted the request. |
Table 52. IP filter connection_denied attributes

| Attribute | Description |
|---|---|
| | The IP address from which the request originated. |
| | The transport profile the request targeted. |
| | The IP filtering rule that denied the request. |
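The event list and the attribute tables above describe what each audit entry carries, but not what a defender does with them. The following is an added example, written for this page and not code from X-Pack or Elastic: a small Python triage script that parses a handful of constructed audit entries, counts `authentication_failed` per source address, and raises findings for `tampered_request`, `access_denied` and `connection_denied`. The one-line entry layout (`[timestamp] [node] [layer] [event_type] key=[value], ...`) and every attribute key name used (`origin_type`, `origin_address`, `principal`, `roles`, `action`, `request`, `realm`, `uri`, `transport_profile`, `rule`) are assumptions made for the example; the page does not give the attribute names, so adapt the regexes to your own log format. The one page-supported caveat the code encodes is that `realm_authentication_failed` is written once per consulted realm, so it is excluded from the per-origin failure count to avoid inflating one failed request into several.

```python
import re
from collections import Counter

# Constructed sample entries. The "[ts] [node] [layer] [event_type] key=[value], ..." layout
# and every key name below are ASSUMPTIONS for this example, not names taken from the page.
SAMPLE_LOG = """\
[2024-01-15T10:00:01,000] [node-1] [rest] [authentication_failed] origin_address=[203.0.113.7], principal=[admin], uri=[/_cluster/settings]
[2024-01-15T10:00:01,001] [node-1] [rest] [realm_authentication_failed] origin_address=[203.0.113.7], principal=[admin], uri=[/_cluster/settings], realm=[native]
[2024-01-15T10:00:01,002] [node-1] [rest] [realm_authentication_failed] origin_address=[203.0.113.7], principal=[admin], uri=[/_cluster/settings], realm=[ldap]
[2024-01-15T10:00:02,000] [node-1] [rest] [authentication_failed] origin_address=[203.0.113.7], principal=[admin], uri=[/_cluster/settings]
[2024-01-15T10:00:02,001] [node-1] [rest] [realm_authentication_failed] origin_address=[203.0.113.7], principal=[admin], uri=[/_cluster/settings], realm=[native]
[2024-01-15T10:00:02,002] [node-1] [rest] [realm_authentication_failed] origin_address=[203.0.113.7], principal=[admin], uri=[/_cluster/settings], realm=[ldap]
[2024-01-15T10:00:03,000] [node-1] [rest] [authentication_failed] origin_address=[203.0.113.7], principal=[admin], uri=[/_cluster/settings]
[2024-01-15T10:00:05,000] [node-1] [rest] [authentication_success] principal=[alice], realm=[native], uri=[/_search]
[2024-01-15T10:00:06,000] [node-1] [transport] [access_denied] origin_type=[rest], origin_address=[198.51.100.4], principal=[alice], roles=[reader], action=[cluster:admin/settings/update], request=[ClusterUpdateSettingsRequest]
[2024-01-15T10:00:07,000] [node-1] [transport] [tampered_request] origin_type=[transport], origin_address=[192.0.2.9], principal=[_unknown], action=[indices:data/read/search], request=[SearchRequest]
[2024-01-15T10:00:08,000] [node-1] [ip_filter] [connection_denied] origin_address=[192.0.2.9], transport_profile=[default], rule=[deny 192.0.2.0/24]
"""

# Header: four bracketed fields (the common attributes: time, node, layer, event type), then attributes.
HEADER = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] \[(?P<node>[^\]]+)\] \[(?P<layer>[^\]]+)\] \[(?P<event_type>[^\]]+)\]\s*(?P<attrs>.*)$"
)
# Per-event attributes in the assumed key=[value] form.
ATTR = re.compile(r"(\w+)=\[([^\]]*)\]")


def parse_line(line):
    """Parse one entry into a dict, or return None for a line that does not match the layout."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    event = {k: m.group(k) for k in ("timestamp", "node", "layer", "event_type")}
    event.update(dict(ATTR.findall(m.group("attrs"))))
    return event


def parse_log(text):
    """Parse all lines, skipping empty or malformed ones instead of aborting the whole run."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def failed_auth_by_origin(events):
    """Count authentication_failed entries per source address.

    realm_authentication_failed is deliberately excluded: the page notes that one such entry
    is logged for every realm consulted, so counting it would turn a single failed request
    into N failures on a cluster with N realms.
    """
    return Counter(
        e.get("origin_address", "?") for e in events if e["event_type"] == "authentication_failed"
    )


def find_findings(events, threshold=3):
    """Produce triage findings: repeated failures per origin, plus every tamper/deny event."""
    findings = []
    for origin, n in failed_auth_by_origin(events).items():
        if n >= threshold:
            findings.append({"kind": "repeated_authentication_failure", "origin": origin, "count": n})
    for e in events:
        if e["event_type"] == "tampered_request":
            findings.append({"kind": "tampered_request", "origin": e.get("origin_address"), "action": e.get("action")})
        elif e["event_type"] == "access_denied":
            findings.append({"kind": "privilege_denied", "principal": e.get("principal"), "action": e.get("action")})
        elif e["event_type"] == "connection_denied":
            findings.append({"kind": "ip_filter_denied", "origin": e.get("origin_address"), "rule": e.get("rule")})
    return findings


if __name__ == "__main__":
    for finding in find_findings(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run it as a script to print the four findings for the constructed sample; in practice you would point `parse_log` at a rotated audit file and feed the findings to whatever alerting you already have. The threshold is a plain count, so on a real deployment add a time window (the common attributes include the event time) before treating it as a brute-force signal.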