Understand Audit Log Records
An event includes context and data about an occurrence. Each Confluent Cloud audit log record includes a unique identifier (id) that is unique across all events related to an event source (source).
Each audit log record comprises the following details:
- event context: Metadata about the event, including the source, type of event, data content type, subject, and time.
- event data: Details about the event data, including the service name, the method name, resource name, authentication, authorization, and request.
Note
Auditable event messages do not capture the content of events. Audit log records inform you that an event happened and only contain metadata about the event context and event data.
Audit log record example
The following audit log record example shows the contents of an audit log message that is returned from a cluster when a user creates a new topic:
```json
{
  "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
  "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/kafka=lkc-a1b2c",
  "time": "2021-01-01T12:34:56.789Z",
  "data": {
    "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "methodName": "kafka.CreateTopics",
    "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
    "authenticationInfo": {
      "principal": "User:123456"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "DescribeConfigs",
      "resourceType": "Topic",
      "resourceName": "departures",
      "patternType": "LITERAL",
      "superUserAuthorization": true
    },
    "request": {
      "correlationId": "123",
      "clientId": "adminclient-42"
    }
  }
}
```
In the example, the event context properties give values related to the metadata of the event occurrence.
- The source of the auditable event message is the Confluent Resource Name (CRN) crn://confluent.cloud/kafka=lkc-a1b2c, which shows that the event occurred in the Kafka cluster lkc-a1b2c.
- The type of event, io.confluent.kafka.server/authorization, indicates that the auditable event message was triggered as a result of an authorization check.
- The time shows the timestamp for the authorization event.
In the event data properties section, the data payload includes the event data details for the authorization event.
- The serviceName shows that the event occurred in the Kafka cluster lkc-a1b2c.
- The methodName shows that the authorization was for creating a topic.
- The resourceName shows that the topic is departures.
- The authenticationInfo shows that the authenticated user account was 123456.
- The authorizationInfo section shows that authorization was granted to run the operation DescribeConfigs on the topic departures.
- The request section includes the request correlation identifier and the client identifier.
Complete details about all event context and event data properties are included in the next two sections.
Event context properties
The first section of an audit log entry includes contextual information about the event, including a unique identifier, the source of the event, the event log schema version, type of event, data content type, subject of the event, and the time the event occurred.
| Event context property | Description |
|---|---|
| id | A randomly-generated UUID that ensures uniqueness across all sources. |
| source | The source location of the auditable event. For events on Kafka clusters, this is a Confluent Resource Name (CRN) that identifies the cluster. For other events, it is the top-level CRN (crn://confluent.cloud/). |
| subject | The resource affected by the auditable event. For Kafka clusters, this is the CRN of the cluster itself. For other resources, it is the CRN for the resource. |
| specversion | The version of the CloudEvents specification in use. |
| type | The type of event that occurred. The value in this property corresponds with the presence or absence of certain other event properties. Valid types are io.confluent.kafka.server/authentication, io.confluent.kafka.server/authorization, and io.confluent.cloud/request. For more details, read the audit log event schema. |
| datacontenttype | The CloudEvent format the audit log data is presented in (JSON). |
| time | The timestamp, in RFC 3339 format, for when the event occurred. |
Event data properties
The event payload is encoded in the media format specified in the datacontenttype context property. All of the data properties are included in the data section of the audit log record. Because these properties vary between event types, see the relevant section below:
- Authentication event data (io.confluent.kafka.server/authentication)
- Authorization event data (io.confluent.kafka.server/authorization)
- Organization event data (io.confluent.cloud/request)
Authentication event data properties
Event type: io.confluent.kafka.server/authentication
| Event data property | Description |
|---|---|
| data | The event data payload for the auditable event. |
| methodName | Always kafka.Authentication. |
| serviceName | The CRN of the Kafka cluster where a principal is attempting authentication. |
| resourceName | The CRN of the Kafka cluster where a principal is attempting authentication. |
| authenticationInfo | Details about the principal (user or service account) being authenticated. |
| result | The outcome of the authentication. |
Authorization event data properties
Event type: io.confluent.kafka.server/authorization
| Event data property | Description |
|---|---|
| data | The event data payload for the auditable event. |
| methodName | The type of operation for which authorization is performed. For resources on a Kafka cluster, methodName values start with the "kafka." prefix. For resources elsewhere, the methodName is "mds.Authorize". |
| serviceName | The service that generated this audit log. For authorization on a Kafka cluster, it is the CRN of that specific Kafka cluster. For authorization elsewhere, it is the top-level Confluent Cloud CRN. |
| resourceName | Canonical CRN of the resource for which authorization was being requested. For creation of new resources, authorization is checked before the entity exists, so the included CRN is that of the parent scope, not of the entity itself. |
| authenticationInfo | Details about the principal for which the authorization was checked. For nested properties, see the audit log schema file. |
| authorizationInfo | Details of the resource type, the authorization policy applied, and whether the authorization was granted or denied. |
| request | Additional user-supplied information in the request. |
Organization event data properties
Event type: io.confluent.cloud/request
| Event data property | Description |
|---|---|
| data | The event data payload for the auditable event. |
| methodName | The type of request that triggered the auditable event message. |
| serviceName | The top-level Confluent Cloud CRN (crn://confluent.cloud). |
| resourceName | The CRN of the affected resource. |
| cloudResources | A list of resources affected by the organization event. |
| authenticationInfo | Details about the principal (user or service account) that made the request. |
| requestMetadata | Additional metadata, such as the client IP address, that can be used to correlate multiple auditable event actions triggered by a single user account. A single action by a user account (for example, trying to create a Kafka cluster) might result in multiple audit log records (for example, authorization checks, result or response, and more). You can use the request ID to connect these audit log records. |
| request | Details about what the request is about. |
| result | The result of the request (resource created, and so on). |
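The following Python is an added example, not part of the Confluent documentation or any Confluent tool. It shows how a log pipeline can consume records of the shape described above and in the record example: it checks that the CloudEvents context fields are present, dispatches on the type, and flags authorization events that were denied or that passed only because of a super-user grant. The sample records are constructed for this example (the first mirrors the CreateTopics record, the second is a hypothetical denied read; kafka.Fetch and the principal sa-x8y9z0 are assumed values).

```python
"""Triage Confluent Cloud audit log records by their CloudEvents type.
Added example, not Confluent's code; samples below are constructed."""
from datetime import datetime

CONTEXT_FIELDS = ("id", "source", "specversion", "type", "datacontenttype", "subject", "time")
AUTHN = "io.confluent.kafka.server/authentication"
AUTHZ = "io.confluent.kafka.server/authorization"
ORG_REQUEST = "io.confluent.cloud/request"


def triage(record: dict) -> dict:
    """Flatten one record and attach review flags; reject incomplete context."""
    missing = [f for f in CONTEXT_FIELDS if f not in record]
    if missing:
        raise ValueError(f"record {record.get('id')} lacks context fields {missing}")
    # RFC 3339 timestamp; older Pythons do not accept the trailing 'Z'.
    when = datetime.fromisoformat(record["time"].replace("Z", "+00:00"))
    data = record.get("data", {})
    summary = {"id": record["id"], "type": record["type"], "time": when, "flags": [],
               "principal": data.get("authenticationInfo", {}).get("principal"),
               "method": data.get("methodName"), "resource": data.get("resourceName")}
    if record["type"] == AUTHZ:
        authz = data.get("authorizationInfo", {})
        if not authz.get("granted", False):
            summary["flags"].append("authorization-denied")
        # A super-user grant bypasses the normal policy check; review it separately.
        if authz.get("superUserAuthorization"):
            summary["flags"].append("superuser-grant")
    elif record["type"] in (AUTHN, ORG_REQUEST):
        summary["result"] = data.get("result")
    else:
        summary["flags"].append("unknown-type")
    return summary


def _sample(rid, method, principal, authz):
    """Build a constructed authorization record on cluster lkc-a1b2c."""
    return {"id": rid, "specversion": "1.0", "type": AUTHZ,
            "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
            "subject": "crn://confluent.cloud/kafka=lkc-a1b2c",
            "datacontenttype": "application/json", "time": "2021-01-01T12:34:56.789Z",
            "data": {"methodName": method, "authorizationInfo": authz,
                     "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
                     "authenticationInfo": {"principal": principal}}}


# Constructed samples: GRANTED mirrors the CreateTopics record shown above.
GRANTED = _sample("fc0f727d-899a-4a22-ad8b-a866871a9d37", "kafka.CreateTopics", "User:123456",
                  {"granted": True, "operation": "DescribeConfigs", "superUserAuthorization": True})
DENIED = _sample("00000000-0000-4000-8000-000000000001", "kafka.Fetch", "User:sa-x8y9z0",
                 {"granted": False, "operation": "Read"})
```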
Confluent Resource Names (CRNs)
Confluent Resource Names (CRNs) provide a uniform way to uniquely identify resources such as a Kafka cluster, topic, or consumer group, and are used in audit logs.
Each CRN is a uniform resource identifier (URI) that uniquely identifies the associated Confluent resource and is prefixed with crn://.
In the CRN:
crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/environment=env-pqr45/cloud-cluster=lkc-a1b2c/kafka=lkc-a1b2c
Interpret the content as follows:
- An authorization event occurred in the Kafka cluster kafka=lkc-a1b2c
- The Kafka cluster is in the environment environment=env-pqr45
- The environment is in the organization organization=fc5ba16d-661d-474c-85df-c2a1ed26032c
The following CRNs identify some of the most commonly-used Confluent Cloud resources.
- Cluster Resource CRN
  This CRN identifies the Kafka cluster.
  Examples:
  crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/environment=env-pqr45/cloud-cluster=lkc-a1b2c/kafka=lkc-a1b2c
  crn://confluent.cloud/kafka=lkc-a1b2c
- Topic CRN
  This CRN identifies Confluent Cloud topics.
  Example:
  crn://confluent.cloud/kafka=lkc-a1b2c/topic=my-topic
- Service Account CRN
  This CRN identifies Confluent Cloud service accounts.
  Examples:
  crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/service-account=sa-ymnkzp
  crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/service-account=sa-x8y9z0
  crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/service-account=%2A
- Schema Registry CRN
  This CRN identifies a Confluent Cloud Schema Registry.
  Example:
  crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/environment=env-pqr45/schema-registry=lsrc-m1n2o
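The following Python is an added example, not code from Confluent. It parses the CRN forms shown above into their scope segments so that audit records can be filtered by organization, environment, cluster or leaf resource, and it decodes the %2A wildcard in service-account CRNs. The segment names (organization, environment, cloud-cluster, kafka, topic, service-account) are those listed on this page; the field names in the returned dictionary are this example's own choice.

```python
"""Parse Confluent Resource Names (CRNs) taken from audit log records.
Added example, not Confluent's code. Handles the long form with
organization/environment/cloud-cluster/kafka segments, the short
crn://confluent.cloud/kafka=... form, and the %2A (URL-encoded '*')
wildcard seen in service-account CRNs."""
from typing import Dict, List, Tuple
from urllib.parse import unquote

CRN_PREFIX = "crn://confluent.cloud"


def parse_crn(crn: str) -> List[Tuple[str, str]]:
    """Return the CRN path as an ordered list of (resource type, id) pairs.

    The order is the scope nesting: the last pair is the resource the CRN
    names, the earlier pairs are its parents. The bare top-level CRN
    (crn://confluent.cloud) yields an empty list.
    """
    if crn != CRN_PREFIX and not crn.startswith(CRN_PREFIX + "/"):
        raise ValueError(f"not a Confluent Cloud CRN: {crn!r}")
    path = crn[len(CRN_PREFIX):].strip("/")
    pairs = []
    for segment in (path.split("/") if path else []):
        key, sep, value = segment.partition("=")
        if not (sep and key and value):
            raise ValueError(f"malformed segment {segment!r} in {crn!r}")
        pairs.append((key, unquote(value)))  # %2A -> '*'
    return pairs


def crn_scope(crn: str) -> Dict[str, object]:
    """Pull out the fields a detection rule or filter usually keys on.

    'cluster' falls back from the kafka= segment to cloud-cluster= so both
    CRN forms above resolve to the same cluster id.
    """
    pairs = parse_crn(crn)
    by_type = dict(pairs)
    leaf_type, leaf_id = pairs[-1] if pairs else (None, None)
    return {
        "organization": by_type.get("organization"),
        "environment": by_type.get("environment"),
        "cluster": by_type.get("kafka") or by_type.get("cloud-cluster"),
        "resource_type": leaf_type,
        "resource_id": leaf_id,
        "wildcard": leaf_id == "*",
    }
```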
For additional details about CRNs, refer to Confluent Resource Names.