Understand Audit Log Records

An event includes context and data about an occurrence.

Each Confluent Cloud audit log record includes a unique identifier (id) that is unique across all events related to an event source (source).

Each audit log record comprises the following details:

  • event context
    • Metadata about the event, including the source, type of event, data content type, subject, and time.
  • event data
    • Details about the event data, including the service name, the method name, resource name, authentication, authorization, and request.

Note

Auditable event messages do not capture the content of events. Audit log records inform you that an event happened and only contain metadata about the event context and event data.

Audit log record example

The following audit log record example shows the contents of an audit log message that is returned from a cluster when a user creates a new topic:

{
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "specversion": "1.0",
    "type": "io.confluent.kafka.server/authorization",
    "datacontenttype": "application/json",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "time": "2021-01-01T12:34:56.789Z",
    "data": {
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "methodName": "kafka.CreateTopics",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "DescribeConfigs",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    }
}

In the example, the event context properties give values related to metadata of the event occurrence.

  • The source of the auditable event message is defined in the Confluent Resource Name (CRN) crn://confluent.cloud/kafka=lkc-a1b2c, which shows that the event occurred in the Kafka cluster lkc-a1b2s.
  • The type of event, io.confluent.kafka.server/authorization, indicates that the auditable event message was triggered as a result of an authorization check.
  • The time shows the timestamp for the authorization event.

In the event data properties section, the data payload includes event data details for the authorization event.

  • The serviceName shows the event occurred in the Kafka cluster lkc-a1b2s.
  • The methodName shows the authorization was for creating a topic.
  • The resourceName shows the topic is departures.
  • The authenticationInfo shows that the authenticated user account was 123456.
  • The authorizationInfo section shows that authorization was granted to run the operation DescribeConfigs on the topic departures.
  • The request section includes the request correlation identifier and the client identifier.

Complete details about all event context and event data properties are included in the next two sections.

Event context properties

The first section of an audit log entry includes contextual information about the event, including a unique identifier, the source of the event, the event log schema version, type of event, data content type, subject of the event, and the time the event occurred.

Event context property Description
id A randomly-generated UUID that ensures uniqueness across all sources.
source The source location of the auditable event. For events on Kafka clusters, this will be a Confluent Resource Name (CRN) that identifies the cluster. For other events, it will be the top-level CRN (crn://confluent.cloud/).
subject The resource affected by the auditable event. For Kafka clusters, this is the CRN of the cluster itself. For other resources, it is the CRN for the resource.
specversion The version of the CloudEvents specification in use.
type

The type of event that occurred. The value in this property corresponds with the presence or absence of certain other event properties. Valid types are:

  • io.confluent.kafka.server/authentication
  • io.confluent.kafka.server/authorization
  • io.confluent.cloud/request

For more details, read the audit log event schema.

datacontenttype The CloudEvent format the audit log data is presented in (JSON).
time The timestamp, in RFC 3339 format, for when the event occurred.

Event data properties

The event payload is encoded into the media format specified in the datacontenttype context property.

All of the data properties are included in the data section of audit log record. Because these properties vary between different event types, see the relevant section below for:

Authentication event data properties

Event type: io.confluent.kafka.server/authentication

Event data property Description
data The event data payload for the auditable event.
methodName Always kafka.Authentication.
serviceName The CRN of the Kafka cluster where a principal is attempting authentication.
resourceName The CRN of the Kafka cluster where a principal is attempting authentication.
authenticationInfo Details about the principal (user or service account) being authenticated.
result The outcome of the authentication.

Authorization event data properties

Event type: io.confluent.kafka.server/authorization

Event data property Description
data The event data payload for the auditable event.
methodName The type of operation for which authorization is performed. For resources on a Kafka cluster, methodName properties start with a “kafka.” prefix. For resources elsewhere, the methodName is “mds.Authorize”
serviceName The service that generated this audit log. For authorization on a Kafka cluster, it is the CRN of that specific Kafka cluster. For authorization elsewhere, it is the top level Confluent Cloud CRN.
resourceName Canonical CRN of the resource for which authorization was being requested. For creation of new resources, authorization is checked before the entity even exists. So the included CRN is of the parent scope, and not the entity itself.
authenticationInfo Details about the principal for which the authorization was checked. For nested properties, see the audit log schema file.
authorizationInfo Details of the resource type, authorization policy applied, and whether the authorization was granted or denied.
request Additional user-supplied information in the request.

Organization event data properties

Event type: io.confluent.cloud/request

Event data property Description
data The event data payload for the auditable event.
methodName The type of request that triggered the auditable event message.
serviceName The top-level Confluent Cloud CRN (crn://confluent.cloud)
resourceName The CRN of the affected resource.
cloudResources A list of resources affected by the organization event.
authenticationInfo Details about the principal (user or service account) that made the request.
requestMetadata Additional metadata, such as the client IP address, that can be used to correlate multiple auditable event actions triggered by a single user account. A single action by a user account (for example, trying to create a Kafka cluster might result in multiple audit log records (for example, authorization checks, result or response, and more). You can use the request ID to connect these audit log records.
request Details about what the request is about.
result The result of what happened with the request (resource created, etc.)

Confluent Resource Names (CRNs)

Confluent Resource Names (CRNs) provide a uniform way to uniquely identify resources such as a Kafka cluster, topic, or consumer group, and are used in audit logs.

Each CRN is a uniform resource identifier (URI) that uniquely identifies the associated Confluent resource and is prefixed with crn://.

In the CRN:

crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/environment=env-pqr45/cloud-cluster=lkc-a1b2c/kafka=lkc-a1b2c

Interpret the content as follows:

  • An authorization event occurred in Kafka cluster kafka=lkc-a1b2c
  • The Kafka cluster is in the environment environment=env-pqr45
  • The environment is in the organization organization=fc5ba16d-661d-474c-85df-c2a1ed26032c

The following CRNs identify some of the most commonly-used Confluent Cloud resources.

Cluster Resource CRN

This CRN identifies the Kafka cluster.

Example:

crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/environment=env-pqr45/cloud-cluster=lkc-a1b2c/kafka=lkc-a1b2c
crn://confluent.cloud/kafka=lkc-a1b2c
Topic CRN

This CRN identifies Confluent Cloud topics.

Example:

crn://confluent.cloud/kafka=lkc-a1b2c/topic=my-topic
Service Account CRN

This CRN identifies Confluent Cloud service accounts.

Examples:

crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/service-account=sa-ymnkzp
crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/service-account=sa-x8y9z0
crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/service-account=%2A
Schema Registry CRN

This CRN identifies a Confluent Cloud Schema Registry.

Example:

crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/environment=env-pqr45/schema-registry=lsrc-m1n2o

For additional details about CRNs, refer to Confluent Resource Names.