Audit Log Concepts on Confluent Cloud
Confluent Cloud audit logs provide comprehensive security monitoring and compliance capabilities for your cloud infrastructure. They capture a complete record of user interactions, administrative operations, and system access across all Confluent Cloud services.
The primary value of audit logs is that they provide data you can use to assess security risks in your Confluent Cloud clusters. They contain all of the information necessary to follow a user’s interaction with your Confluent Cloud clusters, and provide a way to:
- Track user and application access
- Identify abnormal behavior and anomalies
- Proactively monitor and resolve security risks
- Meet regulatory compliance requirements
- Investigate security incidents and policy violations
- Monitor resource usage and operational changes
How audit logs work
Confluent Cloud audit logs provide a way to capture, protect, and preserve Kafka authentication actions, authorization actions, and organization operations into topics in Standard, Enterprise, Dedicated, and Freight clusters. Specifically, audit logs record the runtime decisions of the permission checks that occur as users and service accounts connect to clusters and attempt to take actions that are protected by ACLs or RBAC. Audit logs also track organization operations to create, delete, and modify Confluent Cloud resources, such as API keys, Kafka clusters, user accounts, service accounts, single sign-on (SSO) connections, and connectors.
Each auditable event record includes information about who tried to do what, when they tried, and whether or not the system gave permission to proceed. Auditable event messages are emitted at the time of event occurrence; however, short delays or gaps during operational maintenance are possible, although rare.
Audit log storage and retention
Within Confluent Cloud, all audit log messages from your clusters are retained for seven days on an independent cluster. Users cannot modify, delete, or produce messages directly to the audit log topic, and to consume the messages, users must have an API key specific to the audit log cluster.
Auditable events
Confluent Cloud audit logs capture event records from auditable event methods across multiple event categories, providing comprehensive visibility into your cloud infrastructure.
Audit logs track activities at two primary levels:
Cluster-level events capture activities within your data services, including authentication, authorization, and management operations for Kafka clusters (topics, consumer groups, cluster configurations), Schema Registry, ksqlDB, Flink, and Tableflow clusters.
Organization-level events track administrative and resource management activities, including user and access management, resource lifecycle operations, security configurations, and infrastructure management.
Access Transparency events provide visibility into when Confluent personnel access customer resources for support, maintenance, or operational purposes.
For a complete reference of all auditable event categories and their specific operations, see Audit Log Event Categories on Confluent Cloud.
confluent-audit-log-events topic
All Confluent Cloud audit log messages are captured in the audit log topic, confluent-audit-log-events. This topic is created automatically in an independent audit log cluster for your Confluent Cloud organization. For details on accessing the audit log topic, see Access and Consume Audit Logs on Confluent Cloud.
The following example shows an authentication event that was sent when service account 306343 used the API key MAIDSRFG53RXYTKR to connect to the Kafka cluster lkc-6k8r8q:

```json
{
  "id": "29ca0e51-fdcd-44bd-a393-43193432b614",
  "source": "crn://confluent.cloud/kafka=lkc-6k8r8q",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authentication",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/kafka=lkc-6k8r8q",
  "time": "2020-12-28T22:41:43.395Z",
  "data": {
    "serviceName": "crn://confluent.cloud/kafka=lkc-6k8r8q",
    "methodName": "kafka.Authentication",
    "resourceName": "crn://confluent.cloud/kafka=lkc-6k8r8q",
    "authenticationInfo": {
      "principal": "User:306343",
      "metadata": {
        "mechanism": "SASL_SSL/PLAIN",
        "identifier": "MAIDSRFG53RXYTKR"
      },
      "principalResourceId": "u-yw9507",
      "identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
    },
    "result": {
      "status": "SUCCESS",
      "message": ""
    }
  }
}
```
See also: Audit Log Event Schema.
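The following is an added example, not Confluent's code, of the kind of check a defender would run over records in the format shown above: it parses authentication events and reports API key identifiers with repeated non-SUCCESS results. The cluster, principal and key identifier values come from the event above; the second key, the "FAILURE" status string and the threshold are constructed assumptions, not documented Confluent values.

```python
import json
from collections import Counter

CLUSTER = "crn://confluent.cloud/kafka=lkc-6k8r8q"  # cluster from the page's example
AUTH_TYPE = "io.confluent.kafka.server/authentication"


def make_event(principal, identifier, status, time):
    """Build a constructed record with the envelope and data layout shown above."""
    return json.dumps({
        "specversion": "1.0",
        "type": AUTH_TYPE,
        "source": CLUSTER,
        "subject": CLUSTER,
        "time": time,
        "data": {
            "serviceName": CLUSTER,
            "methodName": "kafka.Authentication",
            "resourceName": CLUSTER,
            "authenticationInfo": {
                "principal": principal,
                "metadata": {"mechanism": "SASL_SSL/PLAIN", "identifier": identifier},
            },
            # Only "SUCCESS" is taken from the page; other status strings are constructed.
            "result": {"status": status, "message": ""},
        },
    })


# Constructed sample of consumed topic messages (one JSON document per message).
SAMPLE_LINES = [
    make_event("User:306343", "MAIDSRFG53RXYTKR", "SUCCESS", "2020-12-28T22:41:43.395Z"),
    make_event("User:999999", "EXAMPLEKEY000001", "FAILURE", "2020-12-28T22:42:01.000Z"),
    make_event("User:999999", "EXAMPLEKEY000001", "FAILURE", "2020-12-28T22:42:02.000Z"),
    make_event("User:999999", "EXAMPLEKEY000001", "FAILURE", "2020-12-28T22:42:03.000Z"),
]


def failed_auth_by_key(lines, threshold=3):
    """Return {api_key_identifier: failure_count} for keys with >= threshold non-SUCCESS
    authentication results; other event types are ignored."""
    failures = Counter()
    for line in lines:
        event = json.loads(line)
        if event.get("type") != AUTH_TYPE:
            continue
        data = event["data"]
        if data["result"]["status"] == "SUCCESS":
            continue
        identifier = data["authenticationInfo"]["metadata"].get("identifier", "<none>")
        failures[identifier] += 1
    return {key: n for key, n in failures.items() if n >= threshold}
```

Feed it the messages you consume from confluent-audit-log-events instead of SAMPLE_LINES; a key that keeps failing authentication is a candidate for rotation or review.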
Next steps
Now that you understand audit log concepts, you can:
- Explore event categories: See Audit Log Event Categories on Confluent Cloud for a complete reference of all auditable events.
- Set up audit log access: Follow Access and Consume Audit Logs on Confluent Cloud to configure audit log consumption.
- Understand event structure: Review Audit Log Event Schema on Confluent Cloud for detailed event schemas.
- Review specific events: Browse Auditable Event Methods for detailed examples of each event type.
- Implement best practices: See Best Practices for Audit Logs on Confluent Cloud for recommended approaches.