Understand Audit Log Event Records on Confluent Cloud

When an auditable event occurs in Confluent Cloud, an event method is triggered and generates an event message that is sent to the audit log cluster, where an event record is stored in the Kafka topic confluent-audit-log-events.

Each event record stored in the audit log includes a unique identifier (id) that is unique across all events related to an event source (source).

Each audit log record comprises the following details:

event context
- Metadata about the event, including the source, type of event, data content type, subject, and time.
event data
- Details about the event data, including the service name, the method name, resource name, authentication, authorization, and request.

Note

Auditable event messages do not capture the content of events. Audit log records inform you that an event happened and only contain metadata about the event context and event data.

Audit log record example

The following audit log record example shows the contents of an audit log message that is returned from a cluster when a user creates a new topic:

{
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "specversion": "1.0",
    "type": "io.confluent.kafka.server/authorization",
    "datacontenttype": "application/json",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "time": "2021-01-01T12:34:56.789Z",
    "data": {
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "methodName": "kafka.CreateTopics",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "DescribeConfigs",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL"
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    }
}

In the example, the event context properties give values related to metadata of the event occurrence.

The source of the auditable event message is defined in the Confluent Resource Name (CRN) crn://confluent.cloud/kafka=lkc-a1b2c, which shows that the event occurred in the Kafka cluster lkc-a1b2s.
The type of event, io.confluent.kafka.server/authorization, indicates that the auditable event message was triggered as a result of an authorization check.
The time shows the timestamp for the authorization event.

In the event data properties section, the data payload includes event data details for the authorization event.

The serviceName shows the event occurred in the Kafka cluster lkc-a1b2s.
The methodName shows the authorization was for creating a topic.
The resourceName shows the topic is departures.
The authenticationInfo shows that the authenticated user account was 123456.
The authorizationInfo section shows that authorization was granted to run the operation DescribeConfigs on the topic departures.
The request section includes the request correlation identifier and the client identifier.

Complete details about all event context and event data properties are included in the next two sections.

Event context properties

The first section of an audit log entry includes contextual information about the event, including a unique identifier, the source of the event, the event log schema version, type of event, data content type, subject of the event, and the time the event occurred.

Event context property	Description
`id`	A randomly-generated UUID that ensures uniqueness across all sources.
`source`	The source location of the auditable event. For events on Kafka clusters, this will be a Confluent Resource Name (CRN) that identifies the cluster. For other events, it will be the top-level CRN (`crn://confluent.cloud/`).
`subject`	The resource affected by the auditable event. For Kafka clusters, this is the CRN of the cluster itself. For other resources, it is the CRN for the resource.
`specversion`	The version of the CloudEvents specification in use.
`type`	The type of event that occurred. The value in this property corresponds with the presence or absence of certain other event properties. Valid types are: `io.confluent.kafka.server/authentication` `io.confluent.kafka.server/authorization` `io.confluent.cloud/request` For more details, read the audit log event schema.
`datacontenttype`	The CloudEvent format the audit log data is presented in (JSON).
`time`	The timestamp, in RFC 3339 format, for when the event occurred.

Event data properties

The event payload is encoded into the media format specified in the datacontenttype context property.

All of the data properties are included in the data section of audit log record. Because these properties vary between different event types, see the relevant section below for:

Authentication event data (io.confluent.kafka/authentication)
Authorization event data (.io.confluent.kafka/authorization)
Organization event data (io.confluent.cloud/request)

Authentication event data properties

Event type: io.confluent.kafka.server/authentication

Event data property	Description
`data`	The event data payload for the auditable event.
`methodName`	Always `kafka.Authentication`.
`serviceName`	The CRN of the Kafka cluster where a principal is attempting authentication.
`resourceName`	The CRN of the Kafka cluster where a principal is attempting authentication.
`authenticationInfo`	Details about the principal being authenticated.
`result`	The outcome of the authentication.

Authorization event data properties

Event type: io.confluent.kafka.server/authorization

Event data property	Description
`data`	The event data payload for the auditable event.
`methodName`	The type of operation for which authorization is performed. For resources on a Kafka cluster, `methodName` properties start with a “kafka.” prefix. For resources elsewhere, the `methodName` is “mds.Authorize”
`serviceName`	The service that generated this audit log. For authorization on a Kafka cluster, it is the CRN of that specific Kafka cluster. For authorization elsewhere, it is the top level Confluent Cloud CRN.
`resourceName`	Canonical CRN of the resource for which authorization was being requested. For creation of new resources, authorization is checked before the entity even exists. So the included CRN is of the parent scope, and not the entity itself.
`authenticationInfo`	Details about the principal for which the authorization was checked. For nested properties, see the audit log schema file.
`authorizationInfo`	Details of the resource type, authorization policy applied, and whether the authorization was granted or denied.
`request`	Additional user-supplied information in the request.

Organization event data properties

Event type: io.confluent.cloud/request

Event data property	Description
`data`	The event data payload for the auditable event.
`methodName`	The type of request that triggered the auditable event message.
`serviceName`	The top-level Confluent Cloud CRN (`crn://confluent.cloud`)
`resourceName`	The CRN of the affected resource.
`cloudResources`	A list of resources affected by the organization event.
`authenticationInfo`	Details about the principal that made the request.
`requestMetadata`	Additional metadata, such as the client IP address, that can be used to correlate multiple auditable event actions triggered by a single user account. A single action by a user account (for example, trying to create a Kafka cluster might result in multiple audit log records (for example, authorization checks, result or response, and more). You can use the request ID to connect these audit log records.
`request`	Details about what the request is about.
`result`	The result of what happened with the request (resource created, etc.)

Authentication properties

The authenticationInfo section contains details about the principal being authenticated.

Property Name	Type	Description	Examples
principal	string	Identifies the authenticated principal that made the request.	User:12345
identity	string	Identity of the requester in Confluent Resource Name (CRN) format. Included when group mapping is enabled.	crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507

Authorization properties

The authorizationInfo section contains details about the principal being authorized.

Property Name	Type	Description	Examples	Additional Properties
granted	boolean	The result of the authorization check.
operation	$ref		Refers to `#/$defs/operation`
resourceType	string	The type of the resource being checked for authorization.	Cluster, Group, Topic
resourceName	string	The resource name of the checked authorization rule.	kafka-cluster, delivery-estimator, departures
patternType	string	The pattern, LITERAL or PREFIX, used to match the resource against the authorization rule.	LITERAL or PREFIX
aclAuthorization	object	Details about an ACL rule.		Refer to aclAuthorization properties
rbacAuthorization	object			Refer to rbacAuthorization properties
assignedPrincipals	array	The list of principals the user has access to, including user itself and group mappings. Included when group mapping is enabled.	Array of strings

aclAuthorization properties

Property Name	Type	Description	Examples
permissionType	$ref		Refers to #/$defs/permissionType
host	$ref		Refers to `#/$defs/host`
actingPrincipal	string	The decisive principal used for authorization. Included when group mapping is enabled.

rbacAuthorization properties

Property Name	Type	Description	Examples	Additional Properties
role	$ref		Refers to `#/$defs/role`
scope	object	The scope the action was authorized in		Refer to scope properties - rbacAuthorization
actingPrincipal	string	The decisive principal used for authorization. Included when group mapping is enabled.

scope properties - rbacAuthorization

Property Name	Type	Description	Examples	Additional Properties
outerScope	array	The path elements in the outer scopes with the outermost first.	Array of strings