Audit Log Concepts on Confluent Cloud
Confluent Cloud audit logs provide security monitoring and compliance capabilities for your cloud infrastructure. They capture a record of user interactions, administrative operations, and system access across all Confluent Cloud services.
The primary value of audit logs is that they provide data you can use to assess security risks in your Confluent Cloud clusters. They contain all the information necessary to follow a user’s interaction with your Confluent Cloud clusters, and provide a way to:
Track user and application access
Identify abnormal behavior and anomalies
Proactively monitor and resolve security risks
Meet regulatory compliance requirements
Investigate security incidents and policy violations
Monitor resource usage and operational changes
How audit logs work
Confluent Cloud audit logs capture, protect, and preserve Apache Kafka® authentication actions, authorization actions, and organization operations for activity occurring on Standard, Enterprise, Dedicated, and Freight clusters. Confluent Cloud writes these records to an independent audit log cluster. Specifically, audit logs record the runtime decisions of the permission checks that occur as users and service accounts connect to clusters and attempt to take actions that are protected by access control lists (ACLs) or role-based access control (RBAC). Audit logs also track organization operations to create, delete, and modify Confluent Cloud resources, such as API keys, Kafka clusters, user accounts, service accounts, single sign-on (SSO) connections, and connectors.
Each auditable event record includes information about who tried to do what, when they tried, and whether the system gave permission to proceed. Auditable event messages are emitted at the time of event occurrence. However, short delays or gaps during operational maintenance are possible, although rare.
Audit log storage and retention
Within Confluent Cloud, all audit log messages from your clusters are retained on an independent cluster, and consuming them requires an API key specific to that cluster. For details on retention duration and how to retain audit logs beyond the default period, see Retain Audit Log Records on Confluent Cloud.
Auditable events
Confluent Cloud audit logs capture event records from auditable event methods across multiple event categories, providing visibility into your cloud infrastructure.
Audit logs track activities across three areas:
Cluster-level events capture activities within your data services, including authentication, authorization, and management operations for Kafka clusters (topics, consumer groups, cluster configurations), Schema Registry, ksqlDB, Apache Flink®, and Tableflow clusters.
Organization-level events track administrative and resource management activities, including user and access management, resource lifecycle operations, security configurations, and infrastructure management.
Access Transparency events provide visibility into when Confluent personnel access customer resources for support, maintenance, or operational purposes.
For a complete reference of all auditable event categories and their specific operations, see Audit Log Event Categories on Confluent Cloud.
confluent-audit-log-events topic
All Confluent Cloud audit log messages are captured in the audit log topic, confluent-audit-log-events. This topic is created automatically in an independent audit log cluster for your Confluent Cloud organization. For details on accessing the audit log topic, see Access and Consume Audit Logs on Confluent Cloud.
The following example shows an authentication event that was sent when service account 306343 used the API key MAIDSRFG53RXYTKR to connect to the Kafka cluster lkc-6k8r8q:
{
"id": "29ca0e51-fdcd-44bd-a393-43193432b614",
"source": "crn://confluent.cloud/kafka=lkc-6k8r8q",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authentication",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/kafka=lkc-6k8r8q",
"time": "2020-12-28T22:41:43.395Z",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-6k8r8q",
"methodName": "kafka.Authentication",
"resourceName": "crn://confluent.cloud/kafka=lkc-6k8r8q",
"authenticationInfo": {
"principal": "User:306343",
"metadata": {
"mechanism": "SASL_SSL/PLAIN",
"identifier": "MAIDSRFG53RXYTKR"
},
"principalResourceId": "u-yw9507",
"identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
},
"result": {
"status": "SUCCESS",
"message": ""
}
}
}
For details, see Audit Log Event Schema.
Next steps
Now that you understand audit log concepts, you can:
Explore event categories: See Audit Log Event Categories on Confluent Cloud for a complete reference of all auditable events.
Set up audit log access: Follow Access and Consume Audit Logs on Confluent Cloud to configure audit log consumption.
Understand event structure: Review Audit Log Event Schema on Confluent Cloud for detailed event schemas.
Review specific events: Browse Auditable Event Methods for detailed examples of each event type.
Follow best practices: See Best Practices for Audit Logs on Confluent Cloud for recommended approaches.
