Audit Log Event Records on Confluent Cloud
When an auditable event occurs in Confluent Cloud, an event method is triggered and generates an event message that is sent to the audit log cluster, where an event record is stored in the Apache Kafka® topic confluent-audit-log-events.
Each event record stored in the audit log includes a unique identifier (id) that ensures uniqueness across all events, regardless of event source (source).
Each audit log record comprises the following details:
event context: Metadata about the event, including the source, event type, data content type, subject, and time.
event data: Details about the event data, including the service name, the method name, resource name, authentication, authorization, and request.
Note
Auditable event messages do not capture the content of events. Audit log records inform you that an event happened and only contain metadata about the event context and event data.
Audit log record example
The following audit log record example shows the contents of an audit log message that is returned from a cluster when a user creates a new topic:
{
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/kafka=lkc-a1b2c",
"time": "2021-01-01T12:34:56.789Z",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"methodName": "kafka.CreateTopics",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "DescribeConfigs",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL"
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
}
}
In the example, the event context properties give values related to metadata of the event occurrence.
The
sourceof the auditable event message is defined in the Confluent Resource Name (CRN)crn://confluent.cloud/kafka=lkc-a1b2c, which indicates that the event occurred in the Kafka clusterlkc-a1b2c.The
typeof event,io.confluent.kafka.server/authorization, indicates that the auditable event message was triggered as a result of an authorization check.The
timeshows the timestamp for the authorization event.
In the event data properties section, the data payload includes event data details for the authorization event.
The
serviceNameshows the event occurred in the Kafka clusterlkc-a1b2c.The
methodNameshows the authorization was for creating a topic.The
resourceNameshows the topic isdepartures.The
authenticationInfoshows that the authenticated user account was123456.The
authorizationInfosection shows that authorization was granted to run the operationDescribeConfigson the topicdepartures.The
requestsection includes the request correlation identifier and the client identifier.
Complete details about all event context and event data properties are included in the next two sections.
Event context properties
The first section of an audit log entry includes contextual information about the event, including a unique identifier, the source of the event, the event log schema version, type of event, data content type, subject of the event, and the time the event occurred.
Event context property | Description |
|---|---|
| A randomly generated UUID that ensures uniqueness across all sources. |
| The source location of the auditable event. For events on Kafka clusters, this is a Confluent Resource Name (CRN) that identifies the cluster. For other events, it is the top-level CRN ( |
| The resource affected by the auditable event. For Kafka clusters, this is the CRN of the cluster itself. For other resources, it is the CRN for the resource. |
| The version of the CloudEvents specification in use. |
| The type of event that occurred. The value in this property corresponds with the presence or absence of certain other event properties. Valid types are:
For more details, read the audit log event schema. |
| The CloudEvent format the audit log data is presented in (JSON). |
| The timestamp, in RFC 3339 format, for when the event occurred. |
Event data properties
The event payload is encoded into the media format specified in the datacontenttype context property.
All the data properties are included in the data section of the audit log record. Because these properties vary between different event types, see the relevant section that follows for:
Authentication event data properties
Event type: io.confluent.kafka.server/authentication
Event data property | Description |
|---|---|
| The event data payload for the auditable event. |
| Always |
| The CRN of the Kafka cluster where a principal is attempting authentication. |
| The CRN of the Kafka cluster where a principal is attempting authentication. |
| Details about the principal being authenticated. |
| The outcome of the authentication. |
Organization event data properties
Event type: io.confluent.cloud/request
Event data property | Description |
|---|---|
| The event data payload for the auditable event. |
| The type of request that triggered the auditable event message. |
| The top-level Confluent Cloud CRN ( |
| The CRN of the affected resource. |
| A list of resources affected by the organization event. |
| Details about the principal that made the request. |
| Additional metadata, such as the client IP address, that can be used to correlate multiple auditable event actions triggered by a single user account. A single action by a user account, such as trying to create a Kafka cluster, might result in multiple audit log records, such as authorization checks and a result or response. You can use the request ID to connect these audit log records. |
| Details about the request. |
| The result of the request, such as a resource being created. |
authenticationInfo properties
The authenticationInfo section contains details about the principal being authenticated.
Property name | Type | Description | Examples |
|---|---|---|---|
principal | string | Identifies the authenticated principal that made the request. | User:12345 |
identity | string | Identity of the requester in CRN format. Included when group mapping is enabled. | crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507 |
